HK1057122B - Data processing apparatus and data processing method - Google Patents

Description

Data processing apparatus and data processing method

Technical Field

The present invention relates to a data processing apparatus, a data processing method, and in particular, to a method and apparatus for verifying whether data constituting data content is valid (i.e., checking whether data is falsified) and a method for giving a verification value, and to an apparatus and method capable of enhancing security by generating respective different keys required for an encryption process using master keys corresponding to their respective keys. Further, the present invention can provide a structure that can exclude illegal use of content data, or, more particularly, to an apparatus and method that can identify an illegal reproduction device and illegally use the content. Further, the present invention relates to an apparatus and method capable of easily setting content to be usable only by a data processing apparatus using content data, and setting content data to be usable also by other processing apparatuses, based on information specific to the data processing apparatus. Furthermore, the invention relates to a method, a device and a verification value giving method for verifying the validity of data composing data content, i.e. verifying the presence or absence of tampering.

Further, the present invention relates to a data processing apparatus, a content data generating method, and a data processing method that can realize a content data structure in which an encryption process is applied to data including one of sound information, image information, and program data, the data is provided to a content user along with various header information, and the content user performs a reproduction, execution, or storage process in a recording apparatus, so as to provide and use the content data with high security management in a structure.

Further, the present invention relates to a data processing apparatus, a data processing method, and a content data generating method for providing a structure capable of efficiently performing a reproduction processing procedure in the case where data content is compressed sound data, image data, and the like, and particularly, a data processing apparatus, a data processing method, and a content data generating method for forming a structure for content data in which compressed data and an expansion processing program are combined, and an applicable expansion processing program is retrieved and extracted based on header information of the compressed data content in which the applied expansion processing program is stored as the header information, thereby performing the reproduction processing procedure.

Further, the present invention relates to a structure and method for reproducing various contents such as sound, images, games or programs, which can be used in a recording and reproducing apparatus owned by a user through a recording medium such as a DVD or a CD or a wired or wireless communication means such as CATV, the internet or satellite communication, and which can store the contents in an exclusive recording apparatus such as a memory card, a hard disk or a CD-R, so that a structure can be realized which can impose a use limit desired by a content distributor and provide security when using the contents stored in the recording apparatus, so that the distributed contents are not illegally used by a third party other than a legitimate user.

Background

Description of the related Art

Data such as game programs, sound data, image data, or document programs (hereinafter these will be referred to as "contents") are currently distributed through a network such as the internet or through a distributable storage medium such as a DVD or a CD. These distributed contents may be stored in a recording device such as a memory card or a hard disk, which is connectable with a recording and reproducing device such as a Personal Computer (PC) or a game apparatus owned by a user, so that the contents can be reproduced from a storage medium once stored.

The main components of a memory card used in a general information device such as a video game device or a PC include: a connection device for controlling the operation; a connector for connecting with a slot connected with the connecting device and formed on the information equipment; a non-volatile memory connected to the control device for storing data and other content. The nonvolatile memory provided in the memory card includes an EEPROM, a flash memory, or the like.

Various contents such as data or programs stored in a memory card, which can be reproduced from an information apparatus main body or from a display, a speaker or the like connected to the main body, are called from a nonvolatile memory in accordance with a user command from the information apparatus main body serving as a reproduction apparatus such as a game apparatus or a PC or in accordance with a user command supplied through a connected input device.

Various software contents such as game programs, music data, or image data generally have distribution rights held by their creators or sellers. Therefore, in distributing such contents, a structure is generally used which can impose a special use restriction, that is, which allows only a legitimate user to use the software, thereby making it possible to prevent illegal copying or the like, that is, in consideration of security.

One method of implementing the use restriction of the user is a process for encrypting distributed contents. The above-described process includes means for distributing a plurality of kinds of encrypted contents such as sound data, image data, or game programs, for example, via the internet and decrypting the distributed encrypted contents for a person who is confirmed to be a legitimate user, the means corresponding to the structure for applying the decryption key.

The encrypted data may be returned to the decrypted data (plain text) available through the decryption process according to a predetermined program. Such data encryption and decryption methods that use an encryption key for the information encryption process while using a decryption key for the decryption process are generally known.

There are various types of methods of data encryption and decryption using an encryption key and a decryption key, one example being referred to as a shared key cryptosystem. The common key cryptosystem uses a common encryption key for data encryption process and a common decryption key for data decryption process, and informs a legitimate user of these common keys for use in encryption and decryption processes, while denying data access to an illegitimate user without a key. A representative example of such a cryptographic system is DES (data encryption standard).

The encryption and decryption keys for use in the encryption and decryption processes may be obtained, for example, by applying a one-way function such as a hash function from a password or similar content. A one-way function has difficulty determining its input from its output. For example, a password decided by a user is used as input to apply a one-way function to generate encryption and decryption keys from the output of the function. It is substantially impossible to determine the password of the original data as the key based on the encryption and decryption keys thus obtained.

Furthermore, the method called "public key cryptosystem" uses different algorithms for the encryption key based process for encryption and the decryption key based process for decryption. Public key cryptography uses a public key that can be used by non-designated users, and thus, the encrypted document for a particular user can be decrypted using the public key issued by that particular user. Documents encrypted with a public key can only be decrypted with a key corresponding to the public key used for the decryption process. Since the key is owned by the individual who has issued the public key, documents encrypted with the public key can only be decrypted by the individual who has the key. A representative public key cryptosystem is RSA (Rivest-shamir-Adleman) encryption.

Using such a cryptographic system may enable encrypted content to be decrypted only to legitimate users. A general content distribution structure using such a cryptographic system is briefly described below with reference to fig. 1.

Fig. 1 shows an example of a structure in which a reproducing apparatus 10 such as a PC (personal computer) or a game device reproduces a program, sound or video data or the like (content) obtained from a data providing apparatus such as a DVD, a CD30 or the internet 40, wherein the data obtained from the DVD, the CD30, the internet 40 or the like is stored in a storage apparatus 20 such as a floppy disk, a memory card, a hard disk or the like.

Content such as a program, sound, or video data is provided to a user having the reproduction apparatus 10. A legitimate user obtains encrypted data and key data, which is an encryption and decryption key.

The reproduction apparatus 10 has a CPU12 to reproduce input data by the reproduction processing section 14. The reproduction processing section 14 decrypts the encrypted data to reproduce the supplied program and contents such as sound or image data.

The legitimate user saves contents such as programs and data in the storage device 20 to reuse the provided programs. The reproduction apparatus 10 has a save processing section 13 for executing the above-described content save process. The save processing section 13 encrypts and saves data so as to prevent the data stored in the storage device 20 from being illegally used.

The content is encrypted with a content encryption key. The save processing section 13 encrypts the content using the content encryption key, and then stores the encrypted content in the storage section 21 of the storage device 20 such as an FD (flexible disk), a memory card, or a hard disk.

In order to obtain and reproduce the stored content from the storage device 20, the user obtains the encrypted data from the storage device 20 and causes the reproduction processing section 14 of the reproduction device 10 to perform a decryption process with the content decryption key, i.e., the decryption key, so as to obtain and reproduce the decrypted data from the encrypted data.

According to a typical example of the structure shown in fig. 1, stored contents are encrypted in a storage device 20 such as a floppy disk or a memory card, and thus, the contents cannot be read externally. However, when a floppy disk is to be reproduced by a reproduction apparatus of another information device such as a PC or a game device, reproduction is not possible unless the reproduction apparatus has the same content key, i.e., the same decryption key for decrypting encrypted content. Therefore, in order to realize a form usable to a plurality of information apparatuses, a common decryption key must be provided to the user.

However, the use of the common content encryption key means that the encryption processing key is issued to the user who does not have a legitimate license with a high possibility in a confusing manner. Therefore, it is impossible to prevent a user who does not have a legitimate license from illegally using content, and it is difficult to refuse illegal use in a PC, a game device, or the like that does not have a legitimate license.

In the event that key information is leaked from one of the devices, the use of a common content encryption key and decryption key can corrupt the overall system utilizing the keys.

Further, in an environment where the above-described common key is used, it is possible to easily copy, for example, contents formed on a certain PC and saved in a storage device such as a memory card or a floppy disk onto another floppy disk. Therefore, it is possible to use a usage form of the copied floppy disk instead of the original content, and therefore, a large amount of copied content available to an information device such as a game device or a PC may be formed or tampered with.

A method is generally used which includes verifying an integrity check value in content data to check the validity of the data, i.e., whether any data is tampered, and then causes a recording and reproducing apparatus to compare an integrity check value generated based on the data to be verified with an integrity check value contained in the content data to verify the data.

However, the integrity check value for the data content is typically generated for the entire data, and to compare this integrity check value generated for the entire data, an integrity check value generated for the entire data to be checked is required. For example, if an integrity check value ICV is to be determined using a Message Authentication Code (MAC) generated in DES-CBC mode, the DES CBC procedure must be performed on the entire data. This amount of computation increases linearly with the length of the data, thereby reducing processing efficiency in a disadvantageous manner.

Disclosure of Invention

The present invention has been made to solve the above-mentioned problems in the conventional art, and as a first object of the present invention, it is to provide a data processing apparatus and method and a data verification value giving method which can efficiently confirm the validity of data and can efficiently perform a download process for a recording apparatus performed after verification, a reproduction process performed after verification, and other processes, and further, a program providing medium for use with the above-mentioned apparatus and method.

Further, as a technique that can be used to limit the use of content data to authorized users, various encryption processing procedures such as data encryption, data decryption, data verification, signature processing, and the like can be used. However, performing these kinds of encryption processes requires common secret information such as key information for encrypting and decrypting content data or an authentication key for authentication to be shared between two devices, i.e., devices between which content data is transferred, or devices between which authentication processing is performed.

Therefore, in the case where key data as shared secret information is leaked from one of the two devices, content encrypted data using the above-mentioned shared key information can be decrypted by an unauthorized third party, so that the content can be illegally used. The same is true for the case where the authentication key is compromised, which results in the device being authenticated without permission. Therefore, revealing the key threatens the entire system.

The present invention is to solve the above problems. A second object of the present invention is to provide a data processing apparatus, a data processing system, and a data processing method with enhanced security in an encryption process. The data processing apparatus of the present invention does not store in the storage section the respective keys necessary for performing encryption processing procedures such as data encryption, data decryption, data verification, authentication processing, and signature processing, but stores the master key so as to generate the above-described respective keys in the storage section, and causes the encryption processing section to generate the necessary respective keys from the master key and the apparatus or data.

Further, a certain degree of security can be maintained by encrypting the content data. However, in the case of reading out each encryption key stored in the memory by illegally reading out the memory, key data or the like is leaked and copied to the recorder/reproducer without any authorized permission, and the content can be illegally used using the copied key information.

It is a third object of the present invention to provide a data processing apparatus, a data processing method, and a content data generating method in a form that can reject illegal use, i.e., a structure that can recognize an illegal reproducer and does not allow the recognized reproducer to perform, for example, reproduction and download of content data.

Further, a technique that can limit the use of content data to authorized users includes performing encryption processing with a predetermined encryption key such as signature processing. However, the conventional encryption process using signatures generally has a signature key common to all entities using contents in the system, which allows different devices to use common contents, which has a problem of causing illegal copying of contents.

Content encrypted with a unique password may be stored but stolen, or the same encrypted content may be decrypted by entering the same password by different reproduction devices, but it is not easy to have a conventional security structure to implement a system that can recognize one reproduction device so as to allow only the reproduction device to use the content.

The present invention has been made to solve the above-mentioned problems of the prior art, and a fourth object of the present invention is to provide a data processing apparatus and a data processing method which can allow only a specific data processing apparatus to reproduce contents by selectively using a device-specific key specific to the data processing apparatus and a system-common key common to other data processing apparatuses in accordance with a content use restriction.

Further, there is a method of encrypting content data as a method of restricting the use of the content data to authorized users. However, there are a plurality of content data such as sound information, image information, and program data, and there are a plurality of contents such as a case where all content data needs to be encrypted and a case where a part needs encryption processing and a part does not need encryption processing to be mixed.

Applying the uniform encryption processing to these contents may result in unnecessary decryption processing in the content reproduction processing or may result in an adverse environment in terms of processing efficiency and processing speed. For example, in the case of data such as music data for which real-time reproduction is critical, it should have a content data structure that can apply the decryption process at high speed.

The present invention addresses these problems. It is a fifth object of the present invention to provide a data processing apparatus, a content data generating method, and a data processing method which can be applied to a plurality of content data structures corresponding to types of content data, i.e., different data formats corresponding to contents, and which can generate and process content data having high security and easy to use in reproduction, execution, and the like.

Further, it is necessary to output the decrypted sound data, image data, and the like to the AV output section for reproduction. Currently, many types of content are compressed and stored in storage media or distributed for many times. Therefore, the compressed data must be expanded before reproduction. For example, if the sound data is compressed in the MP-3 manner, the sound data is decrypted with an MP3 decoder for output. If the content data is image data compressed in an MP-3 manner, sound data is expanded with an MPEG2 decoder for output.

However, since there are a variety of compression processing procedures and expansion processing programs, even if compressed data is provided by a content provider through a medium or a network, it is impossible to reproduce the data with a reproducing apparatus that does not have a compatible expansion program.

It is a sixth object of the present invention to provide a structure for efficiently performing a reproduction processing procedure of compressed data, that is, a data processing apparatus, a data processing method, and a content data generating method for efficiently performing a reproduction processing procedure in the case where content is compressed sound data, image data, or the like.

The above and other objects of the present invention can be achieved by providing a data processing apparatus and a data processing method.

The first aspect of the present invention is: data processing apparatus for processing content data provided by a recording or communication medium, characterized in that the apparatus comprises: a password translation processing section for performing password translation processing on the content data; and a control section for controlling the password translation processing section, the password translation processing section being configured to: a partial integrity check value for a partial data set including one or more partial data obtained by the content data composing part into a plurality of parts can be generated as an integrity check value; comparing the generated integrity check values to verify the portion of data; generating an intermediate integrity check value from a partial integrity check value set data string containing at least one or more partial integrity check values; and using the generated intermediate integrity check value to verify all of the plurality of partial data sets corresponding to the plurality of partial integrity check values constituting the partial integrity check value set.

Furthermore, an embodiment of the data processing apparatus of the present invention is characterized in that the partial integrity check value is generated by the cryptographic translation process using a partial check value supplied thereto so that partial data to be checked is used as a message, the intermediate integrity check value is generated by the cryptographic translation process using a global check value generation key supplied thereto so that a partial integrity check value set data string to be checked is used as a message, and the cryptographic translation process is configured to be able to store the partial integrity check value generation value and the global integrity check value generation key.

Further, an embodiment of the data processing apparatus of the present invention is characterized in that the cryptographic translation process has a plurality of types of partial verification value generation keys corresponding to the generated partial integrity check value.

Furthermore, an embodiment of the data processing apparatus of the present invention is characterized in that the cryptographic process is a DES cryptographic process, and the cryptographic process section is configured to be able to execute the DES cryptographic process.

Further, an embodiment of the data processing apparatus of the present invention is characterized in that as the partial integrity check value of the message, a Message Authentication Code (MAC) generated with partial data to be checked in the DES-CBC mode, and as the intermediate value of the message, a Message Authentication Code (MAC) generated with a partial integrity check value set data string to be checked in the DES-CBC mode, and the password translation processing section is configured to be able to execute the DES password translation processing procedure in the DES-CBC mode.

Further, an embodiment of the data processing apparatus according to the present invention is characterized in that, in the configuration of the crypto-translation processing based on the DES-CBC mode in the crypto-translation processing section, the triple DES is applied to only a part of the message string to be processed.

Further, an embodiment of the data processing apparatus of the present invention is characterized in that the data processing apparatus has a signature key, and the password translation processing section is configured to use a value generated from the aforementioned intermediate value by applying a translation processing procedure by a signature password as a comparison value for data verification.

Further, an embodiment of the data processing apparatus of the present invention is characterized in that the data processing apparatus has a plurality of different signing keys as the signing key, and the cryptographic translation processing section is configured to use one of the plurality of different signing keys selected according to the position of the content data for the cryptographic translation processing for the intermediate integrity check value so as to obtain the comparison value for data verification.

Furthermore, an embodiment of the data processing device of the invention is characterized in that the data processing device has a common signature common to all entities of the system for performing the data verification process and a device-specific signature specific to each device performing the data verification process.

Furthermore, an embodiment of the data processing apparatus of the present invention is characterized in that the partial integrity check value includes one or more header integrity check values generated for internal header data partially constituting data and one or more content integrity check values generated for content block data partially constituting data, the cryptographic translation process being configured to: one or more header integrity check values for the partial data sets in the internal header data can be generated to perform the comparison process; generating one or more content integrity check values for the partial data sets in the internal content portion data to perform the comparison process; and generating a total integrity check value based on all the generated header part integrity check values and content integrity check values so as to perform a comparison process, thereby verifying the data.

Further, an embodiment of the data processing device of the invention is characterized in that the partial integrity check value comprises one or more header integrity check values generated for internal header data partially constituting the data, the cryptographic translation process being configured to: one or more header integrity check values for the partial data sets in the internal header data can be generated to perform the comparison process; and generating an overall integrity check value from the generated one or more header part integrity check values and from content block data constituting a part of the data to perform a comparison process to verify the data.

Furthermore, an embodiment of the data processing apparatus of the present invention is characterized in that the apparatus further includes a recording device for storing the data confirmed by the password translation processing section.

Further, an embodiment of the data processing device of the present invention is characterized in that the control section is configured not to establish the comparison if the partial integrity check value is to be compared in the process performed by the password translation processing section, and the control section suspends the process for storing the data in the recording device.

Furthermore, an embodiment of the data processing apparatus of the present invention is characterized in that the apparatus further comprises a reproduction procedure processing section for reproducing the data confirmed by the password translation processing section.

Further, an embodiment of the data processing apparatus of the present invention is characterized in that if the partial integrity check values are to be compared in the process performed by the password translation processing section, the comparison is not established, and the control section suspends the reproduction process in the reproduction processing section.

Furthermore, an embodiment of the data processing apparatus of the present invention is characterized in that the apparatus includes control means for comparing only the header integrity check value among the data in the process of comparing the section integrity check values performed by the cryptographic translation processing section, and transferring the data for which the comparison of the header integrity check value has been performed to the reproduction processing section for reproduction.

Moreover, a second aspect of the present invention is a data processing apparatus for processing content data provided by a recording or communication medium, characterized by comprising: a password translation processing section for performing password translation processing on the content data; and a control section for controlling the password translation processing section, the password translation processing section being configured to: if the data to be authenticated is encrypted, the integrity check value for the data to be authenticated can be generated from the data by applying a crypto-translation process to the signature data based on the arithmetic operation result obtained by performing the arithmetic operation process on the decrypted data obtained by performing the decryption process on the encrypted data.

Furthermore, an embodiment of the data processing apparatus of the present invention is characterized in that the arithmetic operation process includes performing an exclusive or operation on decrypted data, which is obtained by decrypting the encrypted data, every predetermined byte.

Further, a third embodiment of the present invention is a data processing method for processing content data provided via a recording or communication medium, the method being characterized in that the method: a partial integrity check value for a partial data set including one or more partial data obtained by the content data composing part into a plurality of parts can be generated as an integrity check value; comparing the generated integrity check values to verify the portion of data; generating an intermediate integrity check value from a partial integrity check value set data string containing at least one or more partial integrity check values; and using the generated intermediate integrity check value to verify all of the plurality of partial data sets corresponding to the plurality of partial integrity check values constituting the partial integrity check value set.

Furthermore, an embodiment of the data processing method of the invention is characterized in that the partial integrity check value is generated by the cryptographic translation process using the partial check value supplied to it for generating the key for using the partial data to be checked as a message, and the intermediate integrity check value is generated by the cryptographic translation process using the partial check value supplied to it for generating the key for using the partial integrity check value set data string to be checked as a message.

Furthermore, an embodiment of the data processing method of the present invention is characterized in that the integrity check value is generated by applying a different type of partial check value part corresponding to the generated partial integrity check value.

Furthermore, an embodiment of the data processing method of the invention is characterized in that the cryptographic translation process is a DES cryptographic translation process.

Furthermore, an embodiment of the data processing method of the invention is characterized in that the partial integrity check value as a message is a Message Authentication Code (MAC) generated with the partial data to be checked in the DES-CBC mode, and the intermediate value as a message is a Message Authentication Code (MAC) generated with the partial integrity check value set data string to be checked in the DES-CBC mode.

In addition, an embodiment of the data processing method of the present invention is characterized in that a value generated from the aforementioned intermediate value by applying the translation process by the signing key is used as the comparison value for data verification.

Furthermore, an embodiment of the data processing method of the invention is characterized in that different signing keys are applied to the cryptographic translation process for the intermediate integrity check value depending on the location of the content data in order to obtain a comparison value for data verification.

Further, an embodiment of the data processing method of the present invention is characterized in that a common signing key common to all entities of the system for performing the data verification process or a device-specific signing key specific to each device performing the data verification process is selected and used as the signing key according to the location of the content data.

Further, an embodiment of the data processing method according to the present invention is characterized in that the partial integrity check value includes one or more header integrity check values generated for internal header data partially constituting the data and one or more content integrity check values generated for internal content data partially constituting the data, and the data verification processing: one or more header integrity check values for the partial data sets in the internal header data can be generated to perform the comparison process; generating one or more content integrity check values for the partial data sets in the internal content portion data to perform the comparison process; and generating a total integrity check value from all the generated header part integrity check values and content integrity check values to perform a comparison process to verify the data.

Further, an embodiment of the data processing method of the present invention is characterized in that the partial integrity check value contains one or more header integrity check values generated for internal header data partially constituting data, and the data verification processing procedure includes: one or more header integrity check values for the partial data sets in the internal header data can be generated to perform the comparison process; and generating an overall integrity check value from the generated one or more header part integrity check values and from content block data constituting a part of the data to perform a comparison process to verify the data.

An embodiment of the data processing method according to the invention is furthermore characterized in that the method further comprises a process for storing, which stores the validated data after verification of the data.

Furthermore, an embodiment of the data processing method of the invention is characterized in that if it is in the process for comparing the partial integrity check values, the comparison is not established, and control is made to suspend the process for storing data in the recording apparatus.

Furthermore, an embodiment of the data processing method of the invention is characterized in that the method further comprises a reproduction process for reproducing the data after the data validation.

Further, an embodiment of the data processing method of the present invention is characterized in that if in the process for comparing the partial integrity check values, the comparison is not established, and control is performed so as to suspend the reproduction process performed in the reproduction processing section.

Further, an embodiment of the data processing method of the present invention is characterized in that the method compares only the header integrity check value among the data and transfers the data for which the comparison of the header integrity check value has been performed to the reproduction processing section for reproduction in the process for comparing the section integrity check values.

Moreover, a fourth aspect of the present invention is a data processing method for processing content data provided by a recording or communication medium, characterized in that the method: if the data to be verified is encrypted, performing an arithmetic operation process on decrypted data obtained by decrypting the encrypted data; a cryptographic translation process is applied to the data based on the arithmetic operation result obtained by the arithmetic operation process to generate an integrity check value for the data to be authenticated.

Furthermore, an embodiment of the data processing method of the present invention is characterized in that the arithmetic operation process includes performing an exclusive or operation on decrypted data, which is obtained by decrypting the encrypted data, every predetermined byte.

Also, a fifth aspect of the present invention is a data verification value giving method for a data verification process, characterized in that the method: giving, as an integrity check value, a partial integrity check value for a partial data set including one or more partial data obtained by the content data composing part into a plurality of parts; and assigning an intermediate integrity check value to the data to be authenticated, the intermediate integrity check value being used to authenticate a partial integrity check value set data string comprising at least one or more partial integrity check values.

Furthermore, an embodiment of the data authentication value presenting method of the present invention is characterized in that the partial integrity check value is generated by the cryptographic translation process using the partial check value supplied thereto to generate the key so that the partial data to be checked is used as a message, and the intermediate integrity check value is generated by the cryptographic translation process using the global check value supplied thereto to generate the key so that the partial integrity check value set data string to be checked is used as a message.

Furthermore, an embodiment of the data processing device of the invention is characterized in that the partial integrity check value is generated by applying a different type of partial check value generation key corresponding to the generated partial integrity check value.

Furthermore, an embodiment of the data authentication value presenting method of the present invention is characterized in that said cryptographic process is a DES cryptographic process.

Furthermore, an embodiment of the data verification value giving method of the present invention is characterized in that the partial integrity check value is a Message Authentication Code (MAC) generated as a message with partial data to be checked in the DES-CBC mode, and the intermediate value is a Message Authentication Code (MAC) generated as a message with a partial integrity check value set data string to be checked in the DES-CBC mode.

In addition, an embodiment of the data verification value presenting method of the present invention is characterized in that a value generated from the intermediate value by applying a cryptographic translation process with the signing key is usable as the comparison value for data verification.

Further, an embodiment of the data verification value presenting method of the present invention is characterized in that different signing keys are applied to the cryptographic translation process for the intermediate integrity check value depending on the location of the content data, so as to obtain a comparison value for data verification.

Further, an embodiment of the data verification value giving method of the present invention is characterized in that a common signature common to all entities of the system for performing the data verification process and a device-specific signature specific to each device performing the data verification process are selected and used as signature keys according to the location of the content data.

Furthermore, an embodiment of the method of providing a data verification value according to the invention is characterized in that the partial integrity check value comprises one or more header integrity check values for internal header data partially constituting the data and one or more content integrity check values for internal content data partially constituting the data, the method being arranged to generate a global integrity check value for all header integrity check values and content integrity check values for verifying the data.

Further, an embodiment of the data verification value presenting method of the invention is characterized in that said partial integrity check value comprises one or more header integrity check values for internal header data partially constituting the data, said method being configured to generate an overall integrity check value for the one or more header integrity check values and content block data partially constituting the data for verifying the data.

Furthermore, a sixth aspect of the present invention is a program providing medium for providing a computer program for executing a data authentication process on a computer system so as to authenticate that data is valid, said program providing medium being characterized in that said computer program comprises the steps of: performing a comparison process using a partial integrity check value generated as an integrity check value for a partial data set containing one or more partial data obtained by dividing data into a plurality of parts; and verifying all of the plurality of partial data sets corresponding to the plurality of partial integrity check values constituting the set of partial integrity check values with an intermediate integrity check value based on a set of partial integrity check values obtained by combining the plurality of partial integrity check values together.

A seventh aspect of the present invention is a data processing apparatus comprising: an encryption processing section that performs encryption processing of at least one of data encryption, data decryption, data verification, authentication processing, and signature processing; and a storage section that stores a master key so as to generate a key for encryption processing, the apparatus being characterized in that the above-mentioned encryption processing section is configured to be able to generate respective keys necessary for performing encryption processing from the master key and identification data of the apparatus or data subjected to encryption processing.

According to another embodiment of the data processing apparatus of the present invention, the data processing apparatus is a data processing apparatus which performs an encryption process on transmission data through a recording medium or a communication medium, the apparatus being characterized in that the above-mentioned storage section stores an issuance key generation master key Mkdis so as to generate an issuance key Kdis for performing an encryption process on the transmission data, the encryption processing section performing an encryption process based on the above-mentioned issuance key generation master key Mkdis stored in the storage section and a data identifier which is identification data of the transmission data and generating a transmission data issuance key Kdis.

Further, according to another embodiment of the data processing apparatus of the present invention, which is a data processing apparatus that performs authentication processing on an externally connected apparatus to/from which data is transferred, the data processing apparatus is characterized in that the aforementioned storage section stores an authentication key generation master key Mkake for generating an authentication key Kake of the externally connected apparatus, and the encryption processing section performs encryption processing based on the authentication key generation master key stored in the storage section and an identifier of the externally connected apparatus that is identification data of the externally connected apparatus and generates the authentication key Kake of the externally connected apparatus.

Further, according to still another embodiment of the data processing apparatus of the present invention, the data processing apparatus is a data processing apparatus which performs a signing process on data, the data processing apparatus being characterized in that the aforementioned storage section stores a signing key generation master key Mkdev for generating a data processing apparatus signing key Kdev of the data processing apparatus, and the encryption processing section performs an encryption process on the basis of the signing key generation master key Mkdev stored in the storage section and an identifier of the data processing apparatus which is identification data of the data processing apparatus and generates a data processing apparatus signing key kd ev of the data processing apparatus.

Further, according to still another embodiment of the data processing device of the present invention, the individual key generation processing that generates the individual key necessary to perform the encryption processing from the master key and the identification data of the device or data subjected to the encryption processing is an encryption processing that uses at least a part of the identification data of the device or data subjected to the encryption processing as a message and the master key as an encryption key.

Furthermore, in accordance with yet another embodiment of the data processing device of the present invention, the encryption process is an encryption process using a DES algorithm.

Still further, an eighth aspect of the present invention is a data processing system configured by a plurality of data processing apparatuses, the system being characterized in that each of the plurality of data processing apparatuses has a common master key to generate a key for an encryption process of at least one of data encryption, data decryption, data verification, authentication process, and signature process, and each of the plurality of data processing apparatuses generates a common individual key necessary for executing the encryption process based on the master key and identification data of an apparatus or data subjected to the encryption process.

Further, according to another embodiment of the data processing system of the present invention, the plurality of data processing apparatuses described above are configured with a content data providing apparatus that provides content data and a content data using apparatus that uses the content data, the content data providing apparatus and the content data using apparatus having distribution key generation master keys, to generate a content data distribution key for encrypting the circulating content data between the content data providing apparatus and the content data using apparatus, the content data providing apparatus generates a content data distribution key from a distribution key generation master key and a content identifier that is an identifier of the provided content data and performs an encryption process on the content data, the content data using apparatus generates a content data distribution key from a distribution key generation master key and a content identifier that is an identifier of the supplied content data and performs decryption processing on the content data.

Still further, in accordance with another embodiment of the data processing system of the present invention, the content data providing apparatus has a plurality of different distribution key generation master keys to generate a plurality of different content data distribution keys, generates a plurality of different content data distribution keys from the aforementioned plurality of distribution key generation master keys and content identifiers, performs encryption processing with the generated plurality of distribution keys, and generates a plurality of types of encrypted content data, the content data using apparatus has at least one of the plurality of different distribution key generation master keys possessed by the aforementioned content data providing apparatus to generate a master key and makes only the encrypted content data decodable by a distribution key generated by generating a master key with the same distribution key as a distribution key generation master key possessed by a unique apparatus.

Further, according to another embodiment of the data processing system of the present invention, each of the plurality of data processing apparatuses stores an identical content key generation master key to generate a content key to be supplied to a content data encryption process, the data processing apparatus a, which is one of the plurality of data processing apparatuses, stores content data encrypted by generating a master key from the content key and a content key generated by a device identifier of the data processing apparatus a in a storage medium, and the different data processing apparatus B generates a content key from the same content key generation master key and the device identifier of the data processing apparatus a and performs a decryption process on encrypted content data stored in the storage medium by the data processing apparatus a from the generated content key.

Further, according to another embodiment of the data processing system of the present invention, the plurality of data processing apparatuses are configured by a master apparatus and a slave apparatus subjected to authentication processing by the master apparatus, the master apparatus and the slave apparatus each having an authentication key generation master key for performing authentication processing between the master apparatus and the slave apparatus, the slave apparatus generating an authentication key based on the authentication key and a slave apparatus identifier which is an identifier of the slave apparatus and storing it in a memory of the slave apparatus, the master apparatus generating an authentication key based on the authentication key and a slave apparatus identifier which is an identifier of the slave apparatus and performing the authentication processing.

Further, a ninth aspect of the present invention is a data processing method which executes an encryption process of at least one of data encryption, data decryption, data verification, authentication processing, and signature processing, the method comprising: a key generation step of generating a common individual key necessary for performing encryption processing from a master key for generating a key used for encryption processing and identification data of a device or data subjected to encryption processing; and an encryption processing step of performing encryption processing based on the device key generated in the key generation step.

Further, according to another embodiment of the data processing method of the present invention, the data processing performed by the data processing method is to perform encryption processing on transmission data passing through a storage medium or a communication medium, the key generation step is an issuance key generation step that performs encryption processing on the transmission data based on an issuance key Mkdis for generating an issuance key Kdis for use in the encryption processing on the transmission data and a data identifier that is transmission data identification data, and the encryption processing step is a step that performs encryption processing on the transmission data based on the issuance key Kdis generated in the issuance key generation step.

Further, according to another embodiment of the data processing method of the present invention, the data processing performed by the data processing method is authentication processing to/from an externally connected apparatus to which data is transferred, the key generation step is an authentication key generation step of performing encryption processing based on an authentication key generation master key Mkake for generating an authentication key Kake of the externally connected apparatus and an identifier of the externally connected apparatus which is identification data of the externally connected apparatus and generating an authentication key Kake of the externally connected apparatus, and the encryption processing step is a step of performing authentication processing to the externally connected apparatus based on the authentication key Kake generated in the above authentication key generation step.

Further, according to another embodiment of the data processing method of the present invention, the data processing process performed by the data processing apparatus is a signing process on data, the key generation step is a signing key generation step of performing an encryption process on the basis of a signing key generation master key Mkdev for generating a data processing apparatus signing key Kdev of the data processing apparatus and an identifier of the data processing apparatus which is identification data of the data processing apparatus and generating a data processing apparatus signing key Kdev of the data processing apparatus, and the encryption process step is a step of performing a signing process on data on the basis of an authentication key Kdev generated in the above-described authentication key generation step.

Further, according to another embodiment of the data processing method of the present invention, the key generation step is an encryption process that uses at least a part of identification data of the device or data subjected to the encryption process as a message and uses a master key as an encryption key.

Further, according to another embodiment of the data processing method of the present invention, the encryption process is an encryption process using a DES algorithm.

Further, another embodiment of the present invention is a data processing method in a data processing system including a content data providing apparatus that provides content data and a content data using apparatus that uses the content data, the method being characterized in that the content data providing apparatus generates a content data distribution key for generating a content data distribution key for use in encryption processing on the content data and performs encryption processing on the content data from a distribution key generation master key for generating a content data distribution key for use in encryption processing on the content data and a content identifier that is an identifier of the provided content data, and the content data using apparatus generates the content data distribution key from the distribution key generation master key and the content identifier that is the identifier of the provided content data and performs decryption processing on the content data.

In accordance with still another aspect of the data processing method of the present invention, the content data providing apparatus has a plurality of different distribution key generation master keys to generate a plurality of different content data distribution keys, generates a plurality of different content data distribution keys from the aforementioned plurality of distribution key generation master keys and content identifiers, performs encryption processing with the generated plurality of distribution keys, and generates a plurality of types of encrypted content data, the content data using apparatus has at least one distribution key generation master key of the plurality of different distribution key generation master keys possessed by the aforementioned content data providing apparatus and decrypts only the encrypted content data by a distribution key generated by the same distribution key generation master key serving as the distribution key generation master key possessed by the unique apparatus.

Furthermore, an eleventh aspect of the present invention is a data processing method in a data processing system, the method comprising the steps of: storing, by a data processing apparatus A which is one of the plurality of data processing apparatuses, content data encrypted with a content key generated from a content key generation master key for generating a content key for use in encryption processing of the content data and a device identifier of the data processing apparatus A in a storage medium; generating, by a different data processing apparatus B, a content key identical to the content key from a content key identical to the data processing apparatus A and a device identifier of the data processing apparatus A; and decrypting the encrypted content data stored in the storage medium with the content key generated by the data processing apparatus B.

A twelfth aspect of the present invention is a data processing method in a data processing system including a master device and a slave device subjected to authentication processing by the master device, the method characterized in that the slave device generates an authentication key from an authentication key generation master key for generating an authentication key for performing authentication processing between the master device and the slave device and a slave device identifier which is an identifier of the slave device, and stores the generated authentication key in a memory of the slave device, the master device generates the authentication key from the authentication key and the slave device identifier which is an identifier of the slave device, and executes the authentication processing.

A thirteenth aspect of the present invention is a program providing medium that provides a computer program for executing an encryption process of at least one of data encryption, data decryption, data verification, authentication processing, and signature processing on a computer system, the computer program comprising: a key generation step of generating a common individual key necessary for performing encryption processing from a master key for generating a key used for encryption processing and identification data of a device or data subjected to encryption processing; and an encryption processing step of performing encryption processing based on the device key generated in the key generation step.

A fourteenth aspect of the present invention is a data processing apparatus that processes content data supplied from a storage medium or a communication medium, characterized by comprising: a storage section that stores a data processing apparatus identifier; a list verification section that extracts an illegal device list included in the content data and executes the list entry and the data processing device identifier stored in the storage section; and a control section that stops at least one of processes of reproducing the content data or processes stored in the recording device when a result of the comparison process in the comparison processing section shows that the illegal device list includes information matching the data processing identification.

According to another embodiment of the data processing device of the present invention, the list verification section includes an encryption processing section that performs encryption processing on the content data, the encryption processing section verifies presence or absence of falsification in the illegal device list based on a check value of the illegal device list included in the content data and performs the comparison processing only when the verification indicates no falsification.

Further, still another embodiment of the data processing device of the present invention includes an illegal device list check value generation key, characterized in that the encryption processing section performs encryption processing for applying the illegal device list check value generation key to illegal device list structure data to be verified, generating an illegal device list check value, performing comparison between the illegal device list check value and an illegal device list check value included in the content data, thereby verifying presence or absence of tampering in the illegal device list.

Further, according to still another embodiment of the data processing device of the present invention, the list verification section includes an encryption processing section that performs an encryption process on the content data, the encryption processing section performs a decryption process on an encrypted illegal device list included in the content data, and performs a comparison process on an illegal device list resulting from the above decryption process.

Further, according to still another embodiment of the data processing device of the present invention, the list verification section includes an encryption processing section that performs mutual authentication processing on the recording devices to/from which the content data is transferred, the encryption processing section extracts an encrypted illegal device list included in the content data, and performs comparison with the data processing device identifier stored in the storage section in a case where authentication of the recording device is formed by the mutual authentication processing performed by the encryption processing section

A fifteenth aspect of the present invention is a data processing method of processing content data supplied from a storage medium or a communication medium, the method comprising: a list extraction step of extracting an illegal device list included in the content data; a comparison processing step of performing comparison between the items included in the list extracted in the list extraction step and the data processing apparatus identification stored in the storage section in the data processing apparatus; and a step of stopping at least one of processes of reproducing the content data or processes stored in the recording device when a result of the comparison process in the comparison processing section shows that the illegal device list includes information matching the data processing identification.

Further, according to another embodiment of the data processing method of the present invention, the data processing method further includes a verification step of verifying presence or absence of tampering in the illegal device list based on a check value of the illegal device list included in the content data, and the comparison processing step performs the comparison processing only when the verification step indicates no tampering.

Further, according to still another embodiment of the data processing method of the present invention, the verifying step includes the steps of: performing an encryption process to apply an illegal device list check value generation key to illegal device list structure data to be verified; and performing a comparison between the illegal device list check value and the illegal device list check value included in the content data, thereby verifying the presence or absence of tampering in the illegal device list.

In addition, according to still another embodiment of the data processing method of the present invention, the method further includes a decryption step of performing decryption processing on an encrypted list of illegal devices included in the content data, and the comparison processing step performs comparison processing on the list of illegal devices resulting from the above decryption processing.

In addition, according to still another embodiment of the data processing method of the present invention, the method further includes a mutual authentication processing step of performing mutual authentication processing on the recording apparatuses to/from which the content data is transferred, and the comparison processing step performs comparison processing in a case where authentication of the recording apparatuses is formed by the mutual authentication processing performed by the encryption processing step.

A sixteenth aspect of the present invention is a content data generating method of generating content data supplied from a storage medium or a communication medium to a plurality of recorders/reproducers, the method being characterized in that an illegal device list whose component data includes an identifier of the recorder/reproducer is stored as header information of the content data, the illegal device list being excluded from using the content data.

Further, according to another aspect of the content data generation method of the present invention, an illegal device list check value used for tamper checking an illegal device list is also stored as header information of the content data.

Further, according to still another aspect of the content data generation method of the present invention, the illegal device list is encrypted and stored in header information of the content data.

Further, a seventeenth aspect of the present invention is a program providing medium that provides a computer program that causes a computer system to execute processing of content data provided from a storage medium or a communication medium, characterized in that the computer program includes: a list extraction step of extracting an illegal device list included in the content data; a comparison processing step of performing comparison between the items included in the list extracted in the list extraction step and the data processing apparatus identifiers stored in the storage section in the data processing apparatus; and a step of stopping at least one of processes of reproducing the content data or processes stored in the recording device when a result of the comparison process in the comparison processing section shows that the illegal device list includes information matching the data processing identification.

An eighteenth aspect of the present invention is a data processing apparatus that processes content data provided via a recording or communication medium, the apparatus comprising: an encryption processing section that performs encryption processing on the content data; a control section for controlling the encryption processing section; a system shared key used for an encryption process in the encryption processing section, the system shared key being shared by other data processing apparatuses that use the content data; and at least one of a device-specific key specific to a data processing device used for an encryption process in the encryption processing section, or a device-specific identifier for generating the device-specific key, the data processing device being characterized in that the encryption processing section is configured to: the encryption process is performed by one of the application system common key or the device specific key according to the usage pattern of the content data.

Further, in another embodiment of the data processing apparatus of the present invention, the encryption processing section performs encryption processing by one of an application system common key or an apparatus specific key based on the usage restriction information included in the content data.

Still another embodiment of the data processing apparatus of the present invention includes a recording apparatus for recording content data, the data processing apparatus being characterized in that the above-mentioned encryption processing section generates data to be stored in the recording apparatus by performing encryption processing with a device-specific key for the content data when a usage restriction is imposed that the content data should be used only for the above-mentioned unique data processing apparatus, and generates data to be stored in the recording apparatus by performing encryption processing on the content data with a system-common key in a case where the content data is also usable for an apparatus other than the unique data processing apparatus.

Further, still another embodiment of the data processing apparatus of the present invention includes a signature key Kdev specific to the data processing apparatus and a system signature key Keys common to a plurality of data processing apparatuses, the data processing device is characterized in that the encryption processing section generates a device-specific check value by applying a device-specific signing key kdev to an encryption process of the content data when the content data is stored in a recording device to which the content data should be used only for the unique data processing device, and generates a population check value by applying a system signature key keys to an encryption process of the content data when the content data is stored in a recording apparatus with a device available also other than the unique data processing apparatus, also, the control section controls to store one of the device-specific check value or the overall check value generated by the encryption processing section in the recording device together with the content data.

Still another embodiment of the data processing apparatus of the present invention includes a signature key Kdev specific to the data processing apparatus and a system signature key Keys common to a plurality of data processing apparatuses, the data processing apparatus being characterized in that the above-mentioned encryption processing section generates a device-specific check value to apply the device-specific signature key Kdev to the content data and perform a comparison process on the generated device-specific check value when a restriction is imposed that the content data should be used only for the use of the above-mentioned unique data processing apparatus, and generates a total check value by applying the system signature key Keys to the encryption process of the content data when the content data that is also usable for an apparatus other than the unique data processing apparatus is reproduced, and also performs a comparison process on the generated total check value, and only when the comparison with the device-specific check value is made or when the comparison with the total check value is made, the control unit generates reproducible decrypted data by continuing to process the content data by the encryption processing unit.

Further, a further embodiment of the data processing apparatus of the present invention includes a recording data processing apparatus signing key master key Mkdev and a data processing apparatus identifier IDdev, and is characterized in that the aforementioned encryption processing section generates a signing key Kdev serving as a data processing apparatus-specific key by an encryption processing process from the recording data processing apparatus signing key master key Mkdev and the data processing apparatus identifier IDdev.

Further, in still another embodiment of the data processing apparatus of the present invention, the encryption processing section generates the signing key Kdev by applying the recording-data-processing-apparatus signing-key master key Mkdev to DES encryption processing of the data processing apparatus identifier IDdev.

Further, in still another embodiment of the data processing apparatus of the present invention, the encryption processing section generates an intermediate integrity check value by performing encryption processing on the content data and performs encryption processing of applying the data processing apparatus specific key or the system common key to the intermediate integrity check value.

Further, in a further embodiment of the data processing apparatus of the present invention, the encryption processing section generates the partial integrity check value by performing encryption processing on a partial data set including at least one partial data item obtained by dividing the content data into a plurality of parts and generates the intermediate integrity check value by performing encryption processing on a partial integrity check value set data string including the generated partial integrity check value.

A nineteenth aspect of the present invention is a data processing method of processing content data supplied via a recording medium or a communication medium, the method being characterized in that one of an encryption processing system common key common to other data processing apparatuses using the content data or a device specific key specific to the data processing apparatus is selected in accordance with a usage mode of the content data, and encryption processing is performed by applying the selected encryption processing key to the content data.

Further, another embodiment of the data processing method of the present invention is characterized in that the encryption processing key selection step is a step of: the selection is made according to the usage restriction information contained in the content data.

Further, still another embodiment of the data processing method of the present invention is characterized in that the processing procedure of storing the content data in the recording apparatus generates data to be stored in the recording apparatus by performing an encryption process of applying a device-specific key to the content data when a usage restriction is imposed that the content data should be used only for the above-mentioned unique data processing apparatus, and generates data to be stored in the recording apparatus by performing an encryption process of the content data with a system common key in a case where the content data is also usable for apparatuses other than the unique data processing apparatus.

Still another embodiment of the data processing method of the present invention is characterized in that, when the aforementioned content data is stored in a recording apparatus to which content data should be applied only to the aforementioned unique data processing apparatus, the process of recording the content data to the recording apparatus generates a device-specific check value by applying the device-specific signature key kdev to the encryption process of the content data, and generates an overall check value by applying the system signature key keys to the encryption process of the content data when the content data is stored in the recording apparatus with a device that is also usable in addition to the unique data processing apparatus, and one of the generated device-specific check value or the overall check value is stored in the recording apparatus together with the content data.

Still another embodiment of the data processing method of the present invention is characterized in that, in reproducing content data to which a usage restriction that the content data should be used only for the above-described unique data processing apparatus is applied, the content data reproduction processing procedure generates a device-specific check value by applying the device-specific signature key Kdev to an encryption process of the content data and performs a comparison process on the generated device-specific check value, and in reproducing content data that can also be used for devices other than the unique data processing apparatus, generates a total check value by applying the system signature key keys to an encryption process of the content data, and also performs a comparison process on the generated total check value, and the reproduced content data is reproduced only when a comparison with the device-specific check value is made or when a comparison with the total check value is made.

Furthermore, another embodiment of the data processing method of the present invention further comprises the steps of: a signing key Kdev serving as a key specific to the data processing apparatus is generated by an encryption processing procedure from the data processing apparatus signing key master key Mkdev and the data processing apparatus identifier IDdev.

Further, in still another embodiment of the data processing method of the present invention, the signature key Kdev generating step is a step of: the signing key Kdev is generated by applying the data processing device signing key master key Mkdev to DES encryption processing of the data processing device identifier IDdev.

Furthermore, the data processing method of the present invention further includes the steps of: the method is characterized in that an encryption process of applying the data processing apparatus-specific key or the system common key to the intermediate integrity check value is performed.

Still another embodiment of the data processing method according to the present invention is characterized in that the method further generates a partial integrity check value by performing encryption processing on a partial data set including at least one partial data item obtained by dividing the content data into a plurality of parts and generates an intermediate integrity check value by performing encryption processing on a partial integrity check value set data string including the generated partial integrity check value.

A twentieth aspect of the present invention is a program providing medium that provides a computer program for causing a computer system to execute data processing of content data provided via a storage medium or a communication medium, the computer program comprising the steps of: one of an encryption processing system common key common to other data processing apparatuses using the content data or a device-specific key specific to the data processing apparatus is selected in accordance with the usage pattern of the content data, and encryption processing for applying the selected encryption processing key to the content data is performed.

A twenty-first aspect of the present invention is a data processing apparatus that processes content data provided via a recording or communication medium, the apparatus comprising: an encryption processing section that performs encryption processing on the content data; a control section for controlling the encryption processing section; the data processing unit is characterized in that the encryption processing unit is configured to: a content check value in a content block data unit included in data to be verified is generated, comparison of the generated content check values is performed, and thereby verification processing of validity of each content block data in the data is performed.

Still another embodiment of the data processing apparatus of the present invention includes a content check value generation key and is characterized in that the encryption processing section generates a content intermediate value from a piece of content to be authenticated and generates a content check value by performing an encryption processing procedure of applying the content check value generation key to the content intermediate value.

Further, another embodiment of the data processing apparatus of the present invention is characterized in that the encryption processing section generates the content intermediate value by performing predetermined operation processing on the entire decryption information obtained by performing decryption processing on the content block data in units of a predetermined number of bytes when the content block data to be verified is encrypted, and the encryption processing section generates the content intermediate value by performing predetermined operation processing on the entire content block data in units of a predetermined number of bytes when the content block data to be verified is not encrypted.

In addition, a still further embodiment of the data processing apparatus of the present invention is characterized in that the predetermined operation processing applied to the intermediate integrity check value generation processing procedure by the encryption processing section is an exclusive or operation.

In another embodiment of the data processing apparatus according to the present invention, the encryption processing unit has a CBC-mode encryption processing configuration and a decryption process applied to the content median generation process when the content block data to be verified is a CBC-mode decryption process.

Further, another embodiment of the data processing apparatus according to the present invention is characterized in that the encryption processing in the CBC mode by the encryption processing section is a configuration in which the common key encryption processing is applied to only a part of the message string to be processed a plurality of times.

Still another embodiment of the data processing apparatus according to the present invention is characterized in that, when the content block data includes a plurality of parts and some of the parts included in the content block data are to be verified, the encryption processing section generates a content check value based on the parts to be verified, performs comparison processing on the generated content check value, and thereby performs verification processing on validity in a unit of the content block data in the data.

Further, another embodiment of the data processing apparatus of the present invention is characterized in that, when the content block data comprises a plurality of parts and a part is to be verified, the encryption processing section generates a data check value by performing encryption processing that applies a content check value generation key to such a value, the value is obtained by xoring the entire decryption information in units of a predetermined number of bytes, and the decryption information is obtained by performing decryption processing on the portion to be authenticated in the case of encrypting the portion to be authenticated, and the encryption processing section generates a data check value by performing encryption processing that applies a content check value generation key to such a value, the value is obtained by exclusive-oring the entire portion to be verified in a predetermined number of byte units without encrypting the portion to be verified.

Still another embodiment of the data processing apparatus of the present invention is characterized in that, when the content block data includes a plurality of parts and there are a plurality of parts to be authenticated, the encryption processing section uses, as the content check value, a result obtained by performing encryption processing that applies the content check value generation key to the link data of the part check value obtained by performing encryption processing that uses the content check value generation key for each part.

Still another embodiment of the data processing apparatus of the present invention is characterized in that the encryption processing section further includes a recording device for storing content data including content block data whose validity has been verified.

In addition, a further embodiment of the data processing apparatus of the present invention is characterized in that the control section stops storing into the recording apparatus when the comparison of the content check values in the encryption processing section is not made during the comparison processing.

Still another embodiment of the data processing apparatus of the present invention is characterized in that the encryption processing section further includes a reproduction processing section for reproducing the data whose validity has been verified.

Further, another embodiment of the data processing apparatus of the present invention is characterized in that the control section stops the reproduction processing in the reproduction processing section when the comparison of the content check values in the encryption processing section is not made during the comparison processing.

A twenty-second aspect of the present invention is a data processing method of processing content data supplied via a recording medium or a communication medium, characterized by generating an integrity check value content check value in a content block data unit to be verified included in the data, performing a comparison of the generated content check values, thereby performing verification processing of validity in the content block data unit in the data.

Still further, another embodiment of the data processing method of the present invention is characterized in that a content intermediate value is generated from the content block data to be verified and a content check value is generated by performing an encryption process of applying a content check value generation key to the generated content intermediate value.

Further, another embodiment of the data processing method of the present invention is characterized in that, in encrypting the content block data to be authenticated, a content intermediate value is generated by performing predetermined operation processing on the entire decryption information obtained by performing decryption processing on the content block data in units of a predetermined number of bytes, and in that, in not encrypting the content block data to be authenticated, the content intermediate value is generated by performing predetermined operation processing on the entire content block data in units of a predetermined number of bytes.

In addition, a further embodiment of the data processing method according to the invention is characterized in that the predetermined operation process applied to the intermediate integrity check value generation process is an exclusive or operation.

Still another embodiment of the data processing method according to the present invention is characterized in that, in the content intermediate value generation processing, the decryption processing applied to the content intermediate value generation processing at the time of performing encryption processing on content block data to be verified is decryption processing in the CBC mode.

Still another embodiment of the data processing method of the present invention is characterized in that in the encryption processing structure in the CBC mode, the common key encryption processing is applied to only a part of the message string to be processed a plurality of times.

Still another embodiment of the data processing method of the present invention is characterized in that, when the content block data includes a plurality of parts and some of the parts included in the content block data are to be verified, a content check value is generated based on the parts to be verified, and a comparison process for the generated content check value is performed, thereby performing a verification process for validity in a unit of the content block data in the data.

Further, another embodiment of the data processing method of the present invention is characterized in that, when the content block data includes a plurality of parts and a part is to be verified, the data check value is generated by performing an encryption process that applies a content check value generation key to such value, the value is obtained by xoring the entire decryption information in units of a predetermined number of bytes, and the decryption information is obtained by performing decryption processing on the portion to be authenticated in the case of encrypting the portion to be authenticated, and generates a data check value by performing an encryption process that applies a content check value generation key to such a value, the value is obtained by exclusive-oring the entire portion to be verified in a predetermined number of byte units without encrypting the portion to be verified.

Still further, another embodiment of the data processing method of the present invention is characterized in that, when the content block data contains a plurality of parts and there are a plurality of parts to be authenticated, a result obtained by performing an encryption process that applies a content check value generation key to link data of a part check value obtained by performing an encryption process that uses the content check value generation key for each part is used as the content check value.

Further, still another embodiment of the data processing method of the present invention further includes the step of storing content data including content block data whose validity has been verified.

In addition, a further embodiment of the data processing method of the present invention is characterized in that the control section stops storing into the recording apparatus when the comparison is not made for the content check values during the comparison processing.

Further, another embodiment of the data processing method of the present invention further includes the step of reproducing the data whose validity has been verified.

Further, another embodiment of the data processing method of the present invention is characterized in that the reproduction process is stopped when the comparison is not made for the content check values during the comparison process.

A twenty-third aspect of the present invention is a content data verification value assignment method for content data verification processing, characterized by generating a content check value of a unit of content block data to be verified, and assigning the generated content check value to content data containing the content block data to be verified.

Still further, another embodiment of the content data verification value assignment method of the present invention is characterized in that the content check value is generated by using content block data to be checked as a message through encryption processing of applying a content check value generation key.

Still another embodiment of the content data verification value assignment method of the present invention is characterized in that the content check value is generated by generating a content intermediate value from the content block data to be verified and performing an encryption process of applying a content check value generation key to the content intermediate value.

Further, still another embodiment of the content data verification value assignment method of the present invention is characterized in that the content check value is generated by performing encryption processing on content block data to be verified in the CBC mode.

Still another embodiment of the content data verification value assignment method of the present invention is characterized in that the encryption processing structure in the CBC mode is a structure in which a common key encryption processing is applied to only a part of a message string to be processed a plurality of times.

Still another embodiment of the content data verification value assignment method of the present invention is characterized in that, when the content block data contains a plurality of parts and some of the parts included in the content block data are to be verified, a content check value is generated based on the parts to be verified and the generated content check value is assigned to the content data containing the content block data to be verified.

Still another embodiment of the content data verification value assignment method of the present invention is characterized in that, when the content block data includes a plurality of parts and a part is to be verified, a content check value is generated by performing encryption processing that applies a content check value generation key to a value obtained by exclusive-oring the entire decryption information in units of a predetermined number of bytes, the decryption information being obtained by performing decryption processing on the part to be verified in the case of encrypting the part to be verified, and a content check value is generated by performing encryption processing that applies a content check value generation key to a value obtained by exclusive-or operating the entire part to be verified in units of a predetermined number of bytes without encrypting the part to be verified, and assigning the generated content check value to content data containing content block data to be verified.

Further, another embodiment of the content data verification value assignment method of the present invention is characterized in that, when the content block data contains a plurality of parts and there are a plurality of parts to be verified, a result obtained by performing an encryption process of applying a content check value generation key to link data of part check values obtained by performing an encryption process of using the content check value generation key for the parts is used as the content check value, and the generated content check value is assigned to the content data containing the content block data to be verified.

A twenty-fourth aspect of the present invention is a program providing medium that provides a computer program for performing data processing on content data provided via a recording medium or a communication medium, the computer program comprising the steps of: the content check value in the content block data unit to be verified included in the data is generated, comparison of the generated content check value is performed, and thereby verification processing of validity in the content block data unit in the data is performed.

A twenty-fifth aspect of the present invention is a data processing apparatus for executing a process of generating storage data for a recording apparatus of content data having: a plurality of blocks of content, wherein at least a portion of the blocks of data are encrypted; and a header section that stores information on the content block, the data processing apparatus being characterized in that, in a case where the content data as a storage target in the recording apparatus is constituted by data stored in the header section that is encryption key data Kdis [ Kcon ], the data processing apparatus has a structure for performing a process of extracting the encryption key data Kdis [ Kcon ] from the header section and performing a decryption process to generate decryption data Kcon, generating new encryption key data ksks [ Kcon ] applied to the encryption process by the encryption key Kstr and storing the new encryption key data Kstr [ Kcon ] into the header section of the content data, and applying a different encryption key ks to the generated decryption data Kcon to perform the encryption process, the encryption key data Kdis [ Kcon ] being the encryption key Kcon applied to the content block of the encryption process by the encryption key Kdis,

A twenty-sixth aspect of the present invention is a data processing apparatus for executing a process of generating storage data for a recording apparatus of content data having: a plurality of blocks of content, wherein at least a portion of the blocks of data are encrypted; and a header section that stores information on the content block, the data processing apparatus being characterized in that, in a case where a data block included in content data as a storage target of the recording apparatus is constituted by content encrypted with an encryption key Kblc and encryption key data Kcon [ Kblc ] encrypted with the encryption key Kcon and has a structure that stores encryption key data Kdis [ Kcon ] that is an encryption key Kcon applied to the encryption process by an encryption key Kdis in the header section, the data processing apparatus has a structure for performing a process of extracting the encryption key data Kdis [ Kcon ] from the header section and performing a decryption process to generate decryption data Kcon, generating encryption key data Kstr [ Kcon ] that is applied to the encryption process by an encryption key Kstr and storing the encryption key data ks [ Kcon ] into the header section of the content data, And applying a different encryption key Kstr to the generated decrypted data Kcon to perform encryption processing.

Furthermore, a twenty-seventh aspect of the present invention is a data processing apparatus for executing a process of generating storage data for a recording apparatus of content data having: a plurality of blocks of content, wherein at least a portion of the blocks of data are encrypted; and a header section that stores information on the content block, the data processing apparatus being characterized in that, in a case where a data block included in content data as a storage object of the recording apparatus is constituted by content encrypted with an encryption key Kblc and encryption key data Kdis [ Kblc ] encrypted with an encryption key Kdis, the data processing apparatus has a configuration for performing a process of extracting the encryption key data Kdis [ Kblc ] from the header section and performing a decryption process to generate decrypted data Kblc, generating encrypted key data ks tr [ Kblc ] applied to the encryption process by the encryption key Kstr and storing the encrypted key data ks tr [ Kblc ] into the header section of the content data, and applying a different encryption key Kstr to the generated decrypted data Kblc to perform the encryption process.

Further, a twenty-eighth aspect of the present invention is a content data generating method for generating content data, the method comprising: connecting a plurality of content blocks composed of data including at least any one of sound information, image information, and program data; applying an encryption process to at least a part of the content blocks included in the plurality of content blocks by the encryption key Kcon; generating encryption key data Kdis [ Kcon ] which is an encryption key Kcon applied to an encryption process performed by the encryption key Kdis, and storing the encryption key Kdis in a header section of the content data; and generating content data including the plurality of content blocks and the header.

Further, an embodiment of the content data generation method of the present invention is characterized in that the method further includes a process of: generating block information including identification information of the content data, a data length of the content data, usage policy information including a data type of the content data, a data length of the content block, and presence or absence of an encryption process; and storing the block information in the header section.

Furthermore, an embodiment of a content data generation method according to the present invention is characterized in that the content data generation method includes: a process of generating a part check value from a part of the information including the header and storing the part check value in the header; and generating a total check value based on the partial check values and storing the total check value in the header part.

Also, an embodiment of the content data generation method of the present invention is characterized in that the partial check value generation processing procedure and the total check value generation processing procedure apply and execute a DES encryption processing algorithm in a case where data that is an object of check is used as a message and a check value generation key is used as an encryption key.

Further, an embodiment of the content data generation method of the present invention is characterized in that the content data generation method further applies encryption processing to the block information by the encryption key Kbit and stores encryption key data Kdis [ Kbit ] which is the encryption key Kbit generated with the encryption key Kdis into the header section.

Further, an embodiment of the content data generation method according to the present invention is characterized in that each of a plurality of the content blocks is generated to share a fixed data length.

Further, an embodiment of the content data generation method of the present invention is characterized in that each of the plurality of blocks in the content block is generated in a structure in which the encrypted data part and the unencrypted data part are regularly arranged.

A twenty-ninth aspect of the present invention is a content data generation method for generating content data, the method comprising: connecting a plurality of content blocks including at least any one of sound information, image information, and program data; forming at least a part of the plurality of content blocks with an encryption data section and a set of encryption key data Kcon [ Kblc ], the encryption data section being data including at least any one of sound information, image information, and program data for each encryption key Kblc, and the encryption key data Kcon [ Kblc ] being an encryption key Kblc of an encryption data section applied to an encryption process performed by the encryption key Kcon; generating encryption key data Kdis [ Kcon ] which is an encryption key Kcon applied to an encryption process performed by an encryption key Kdis, and storing the generated check value encryption key data Kdis [ Kcon ] in a header of the content data; and generating content data including the plurality of content blocks and the header.

A thirty-first aspect of the present invention is a content data generating method for generating content data, the method comprising: connecting a plurality of content blocks including at least any one of sound information, image information, and program data; forming at least a part of the plurality of content blocks with an encryption data section and a set of encryption key data Kdis [ Kblc ], the encryption data section being data including at least any one of sound information, image information, and program data for each encryption key Kblc, and the encryption key data Kdis [ Kblc ] being an encryption key Kblc of an encryption data section applied to an encryption process performed by an encryption key Kdis; and generating content data including the plurality of content blocks and the header.

A thirty-first aspect of the present invention is a data processing method for executing a process for storing content data in a recording apparatus, the content data having: a plurality of blocks of content, wherein at least a portion of the blocks of data are encrypted; and a header section storing information relating to the content block, the method comprising: in the case where the content data as a recording apparatus storage object is constituted by data stored in a header part, which is encryption key data Kdis [ Kcon ] that is an encryption key Kcon applied to a content block of an encryption processor by an encryption key Kdis, extracting the encryption key data Kdis [ Kcon ] from the header part and performing decryption processing to generate decryption data Kcon; generating new encryption key data Kstr [ Kcon ] that can be applied to the encryption processing procedure by the encryption key Kstr by applying a different encryption key Kstr to the generated decryption data Kcon to perform the decryption processing; and storing the generated encryption key data Kstr [ KconJ into a header of the content data and storing the header into the recording apparatus together with the plurality of content blocks.

A thirty-second aspect of the present invention is a data processing method for executing a process for storing content data in a recording apparatus, the content data having: a plurality of blocks of content, wherein at least a portion of the blocks of data are encrypted; and a header section storing information relating to the content block, the method comprising: in the case where a block of data included in content data as a storage object of a recording apparatus is composed of content encrypted with an encryption key Kblc and encryption key data Kcon [ Kblc ] encrypted with an encryption key Kcon and has a structure in which encryption key data Kdis [ Kcon ] that is an encryption key Kcon applied to an encryption process by an encryption key Kdis is stored in a header section, the encryption key data Kdis [ Kcon ] is extracted from the header section and a decryption process is performed to generate decryption data Kcon; generating encryption key data Kstr [ Kcon ] that is applied to the encryption processing by the encryption key Kstr by applying a different encryption key Kstr to the generated decryption data Kcon to perform decryption processing; and storing the generated encryption key data Kstr [ Kcon ] into a header of the content data and storing the header into the recording apparatus together with the plurality of content blocks.

Further, a thirty-third aspect of the present invention is a data processing method for executing a process of storing content data in a recording apparatus, the content data having: a plurality of blocks of content, wherein at least a portion of the blocks of data are encrypted; and a header section storing information relating to the content block, the method comprising: in the case where a block of data included in content data as a recording device storage object is composed of content encrypted with an encryption key Kblc and encryption key data Kdis [ Kblc ] encrypted with an encryption key Kdis, extracting the encryption key data Kdis [ Kblc ] from the header portion and performing decryption processing on the encryption key Kblc to generate decrypted data Kblc; generating encryption key data Kstr [ Kblc ] applied to the encryption processing procedure by the encryption key Kstr by applying a different encryption key Kstr to the generated decryption data Kblc to perform decryption processing; and storing the generated encryption key data Kstr [ Kblc ] into a header portion of the content data and storing the header portion into the recording apparatus together with the plurality of content blocks.

A thirty-fourth aspect of the present invention is a program providing medium for providing a computer program capable of executing a generation processing procedure of: storing data into a recording apparatus of content data having: a plurality of blocks of content, wherein at least a portion of the blocks of data are encrypted; and a header section storing information about the content block to be executed on the computer system, the program providing medium being characterized in that the computer program includes: in the case where the content data as a storage object in the recording apparatus is constituted by data stored in the header section that is encryption key data Kdis [ Kcon ], the encryption key data Kdis [ Kcon ] is extracted from the header section and decryption processing is performed to generate decryption data Kcon; generating new encryption key data Kstr [ Kcon ] applied to the encryption processing procedure by the encryption key Kstr by applying a different encryption key Kstr to the generated decryption data Kcon to perform decryption processing; and storing the generated encryption key data Kstr [ Kcon ] into a header section of the content data, and the encryption key data Kdis [ Kcon ] is an encryption key Kcon applied to the content block subjected to the encryption processing by the encryption key Kdis.

A thirty-fifth aspect of the present invention is a data processing apparatus for performing reproduction processing of content data provided from a storage medium or a communication medium, the data processing apparatus characterized by comprising: a content data analysis section for performing content data analysis of content data including compressed content and an expansion processing program of the compressed content and performing extraction processing of the compressed content and the expansion processing program from the content data; an extension processing section for performing extension processing of the content data included in the content data with an extension processing program included in the content data obtained as a result of the analysis by the content data analyzing section.

Furthermore, in an embodiment of the data processing apparatus of the present invention, the data processing apparatus is characterized by further comprising: a data storage section for storing compressed contents extracted by the data analysis section; and a program storage section for storing the expansion processing program extracted by the content data analysis section, and the apparatus is characterized in that the expansion processing section has a structure for performing expansion processing on the compressed content stored in the data storage section by applying the expansion processing program stored in the program storage section to the compressed content.

Further, in an embodiment of the data processing apparatus of the present invention, the data processing apparatus is characterized in that the aforementioned content data analysis section has a structure for obtaining structure information of the content data based on header information included in the content data and analyzing the content data.

Furthermore, in an embodiment of the data processing apparatus of the present invention, the data processing apparatus is characterized in that reproduction priority information of the compressed content is included in the header information, and if there are a plurality of compressed contents which are objects of the expansion processing process by the expansion processing section, the expansion processing section has a structure for performing the content expansion processing in order of priority on the basis of the priority information in the header information obtained in the content data analysis section.

Also, in an embodiment of the data processing apparatus of the present invention, the data processing apparatus is characterized by comprising: display means for displaying information of compressed content that is an object of the expansion processing; and an input means for inputting reproduced content identification data selected from the content information displayed on the display means, and the apparatus is characterized in that the expansion processing section has a structure that performs expansion processing on the compressed content corresponding to the identification data based on the reproduced content identification data input from the input means.

In addition, a thirty-sixth aspect of the present invention is a data processing apparatus for performing reproduction processing of content data provided from a storage medium or a communication medium, the data processing apparatus characterized by comprising: a content data analyzing section for receiving content data including compressed content or an expansion processing program to discriminate whether the content data has compressed content or an expansion processing program based on header information included in the received content data, and at the same time, if the content data has compressed content, obtaining a type of compression processing program applied to the compressed content based on the header information of the content data, and if the content data has an expansion processing program, obtaining a type of expansion processing program based on the header information of the content data; an expansion processing section for performing expansion processing of the compressed content, the apparatus being characterized in that the expansion processing section has a configuration for selecting an expansion processing program of a type suitable for the compression processing program of the compressed content analyzed by the content data analyzing section based on the type of the expansion processing program analyzed by the content data analyzing section and performing the expansion processing with the selected expansion processing program.

Furthermore, in an embodiment of the data processing apparatus of the present invention, the data processing apparatus is characterized by further comprising: a data storage section for storing compressed contents extracted by the data analysis section; and a program storage section for storing the expansion processing program extracted by the content data analysis section, and the apparatus is characterized in that the expansion processing section has a structure for performing expansion processing on the compressed content stored in the data storage section by applying the expansion processing program stored in the program storage section to the compressed content.

Furthermore, in an embodiment of the data processing apparatus of the present invention, the data processing apparatus is characterized in that reproduction priority information of the compressed content is included in the header information, and if there are a plurality of compressed contents that are objects of the expansion processing procedure, the content expansion processing in the expansion processing section has a structure for performing the content expansion processing in order of priority on the basis of the priority information in the header information obtained in the content data analysis section.

Also, in an embodiment of the data processing apparatus of the present invention, the data processing apparatus is characterized by comprising: a retrieval means for retrieving the extended processing program, said apparatus being characterized in that said retrieval means has a structure for retrieving the extended processing program of a type suitable for the compressed processing program of the compressed content analyzed by the content data analysis section, and the program storage means is accessible as an object of the retrieval by the data processing apparatus.

Furthermore, in an embodiment of the data processing apparatus of the present invention, the data processing apparatus is characterized by comprising: display means for displaying information of compressed content that is an object of the expansion processing; and an input means for inputting reproduced content identification data selected from the content information displayed on the display means, and the apparatus is characterized in that the expansion processing section has a structure that performs expansion processing on the compressed content corresponding to the identification data based on the reproduced content identification data input from the input means.

A thirty-seventh aspect of the present invention is a data processing method for performing reproduction processing of content data provided from a storage medium or a communication medium, the data processing method characterized by comprising: a content data analysis step of performing content data analysis of content data including compressed content and an expansion processing program of the compressed content and performing extraction processing of the compressed content and the expansion processing program from the content data; an extension processing step of performing extension processing of the content data included in the content data with an extension processing program included in the content data obtained as a result of the analysis by the content data analysis section.

Furthermore, in an embodiment of the data processing method according to the present invention, the data processing method further includes: a data storage step of storing compressed contents extracted by the data analysis section; and a program storage step of storing the expansion processing program extracted by the content data analysis section, and the method is characterized in that the expansion processing section has a structure for performing expansion processing on the compressed content stored in the data storage step by applying the expansion processing program stored in the program storage step to the compressed content.

Furthermore, in an embodiment of the data processing method of the present invention, the data processing method is characterized in that the aforementioned content data step obtains structure information of the content data based on header information included in the content data and analyzes the content data.

Furthermore, in an embodiment of the data processing method of the present invention, the data processing method is characterized in that reproduction priority information of the compressed content is included in the header information, and if there are a plurality of compressed contents that are objects of the expansion processing process by the expansion processing section, the expansion processing step performs the content expansion processing in order of priority based on the priority information in the header information obtained in the content data analysis step.

Further, in an embodiment of the data processing method of the present invention, the data processing method is characterized by comprising: a display step of displaying information of compressed content that is an object of the expansion processing on a display device; and an input step of inputting reproduction content identification data selected from the content information displayed on the display device, and the method is characterized in that the expansion processing step performs expansion processing on the compressed content corresponding to the identification data based on the reproduction content identification data input from the input step.

In addition, a thirty-eighth aspect of the present invention is a data processing method for performing reproduction processing of content data provided from a storage medium or a communication medium, the data processing method characterized by comprising: a content data analyzing step of receiving content data including compressed content or an expansion processing program to discriminate whether the content data has compressed content or an expansion processing program based on header information included in the received content data, and at the same time, if the content data has compressed content, obtaining a type of compression processing program applied to the compressed content based on the header information of the content data, and if the content data has an expansion processing program, obtaining a type of expansion processing program based on the header information of the content data; a selection step of selecting an extension processing program of a type of a compression processing program suitable for the compressed content analyzed in the content data analysis step, based on the type of the extension processing program analyzed in the content data analysis step; and an extension processing step of executing extension processing with the extension processing program selected in the selection step.

Furthermore, in an embodiment of the data processing method according to the present invention, the data processing method further includes: a data storage step of storing compressed contents extracted by the data analysis section; and a program storage step of storing the extension processing program extracted by the content data analysis section, and the method is characterized in that the extension processing step performs extension processing on the compressed content stored in the data storage step section by applying the extension processing program stored in the program storage step to the compressed content.

Furthermore, in an embodiment of the data processing method of the present invention, the data processing method is characterized in that reproduction priority information of the compressed content is included in the header information, and if there are a plurality of compressed contents that are objects of the expansion processing procedure, the expansion processing step performs the content expansion processing in order of priority based on the priority information in the header information obtained in the content data analyzing step.

Further, in an embodiment of the data processing method of the present invention, the data processing method is characterized by comprising: a retrieval step of retrieving an extended handler, the method being characterized in that the retrieval step retrieves an extended handler of a type of a compressed handler suitable for the compressed content analyzed by the content data analysis step, and the program storage means is accessible by the data processing apparatus as an object of the retrieval.

Furthermore, in an embodiment of the data processing method of the present invention, the data processing method includes: a display step of displaying information of compressed contents which are objects of the expansion processing; and an input step of inputting reproduction content identification data selected from the content information displayed on the display device, and the method is characterized in that the expansion processing step performs expansion processing on the compressed content corresponding to the identification data based on the reproduction content identification data input from the input device.

Further, a thirty-ninth aspect of the present invention is a content data generating method of performing a generating process on content data supplied from a storage medium or a communication medium, the method being characterized by generating the content data in which a compressed content and an expansion processing program of the compressed content are combined.

In an embodiment of the content data generating method according to the present invention, the content data generating method is characterized by adding structure information of the content data to header information of the content data.

Further, in one embodiment of the content data generation method of the present invention, the content data generation method is characterized in that reproduction priority information of the content included in the content data is taken as header information of the content data.

Still further, a forty-first aspect of the present invention is a content data generating method of performing a generating process on content data supplied from a storage medium or a communication medium, the method being characterized by generating the content data in which one type of content data for identifying whether the content data has compressed content or an expansion processing program is added as header information, if the content data has compressed content, one type of compression processing program applied to the compressed content is added as the header information, and if the content data has an expansion processing program, one type of expansion processing program is added as the header information.

Further, in one embodiment of the content data generation method of the present invention, the content data generation method is characterized in that reproduction priority information of the content included in the content data is taken as header information of the content data.

Furthermore, a forty-first aspect of the present invention is a program providing medium that provides a computer program for causing a computer system to execute a reproduction process of content data provided from a storage medium or a communication medium, the computer program comprising: a content data analysis step of performing content data analysis of content data including compressed content and an expansion processing program of the compressed content and performing extraction processing of the compressed content and the expansion processing program from the content data; an extension processing step of performing extension processing of the content data included in the content data with an extension processing program included in the content data obtained as a result of the analysis by the content data analysis section.

The program providing medium of the present invention is, for example, a medium that provides a computer program in a computer-readable form to a general-purpose computer system capable of executing various program codes. One form of the medium is a storage medium such as a CD, FD, or MO, or a transmission medium such as a network, but is not particularly limited.

Such a program providing medium defines a structural or functional cooperation relationship between the computer program and the providing medium so as to realize a predetermined function of the computer program on the computer system. In other words, cooperative operation is shown on the computer system by installing the computer program into the computer system with the providing medium, and operational effects similar to those of other aspects of the present invention can be obtained.

Other objects, features and advantages of the present invention will be described in detail and will be apparent from the following description of embodiments of the invention and the accompanying drawings.

As described above, according to the data processing apparatus and method and the data verification value giving method of the present invention, the partial integrity check value generated as the integrity check value is used in the comparison process to verify the partial data, the partial integrity check value being usable for the partial data set containing one or more partial data obtained by dividing the content data into a plurality of parts, and the partial integrity check value verification integrity check value used to verify the partial integrity check value set including a combination of a plurality of partial integrity check values is used in the comparison process to verify the entirety of the plurality of partial data sets corresponding to the plurality of partial integrity check values constituting the partial integrity check value set. Therefore, in comparison with a structure in which a single integrity check value is given to the entire content data, partial authentication can be performed, and the entire authentication process is efficient because the partial integrity check value is used.

In addition, according to the data processing apparatus and method and the data verification value giving method of the present invention, the verification process is performed depending on how the content data is used, for example, whether the data is downloaded or reproduced; for example, the verification process for portions of data that are unlikely to be tampered with may be omitted. Therefore, it is possible to perform effective verification on how data is used.

Further, the data processing apparatus and the data processing method of the present invention are configured in such a manner that: individual keys required to perform encryption processing such as data encryption, data decryption, data verification, authentication processing, and signature processing are not stored in the storage section, but, instead, master keys that generate these individual keys are stored in the storage section, an encryption processing section of the data processing apparatus extracts a master key corresponding to an individual key such as an encryption key and an authentication key from a storage section as needed, performs encryption processing to which a DES algorithm or the like is applied based on the extracted master key of the apparatus or data and identification data, and generates an individual key such as an encryption key and an authentication key, thus, the present invention can eliminate the possibility of leakage of the individual key itself from the storage section and improve the security of the cryptographic processing system, because obtaining the individual key requires a variety of information such as the individual key generation algorithm and information of the master key, the identification data of the device or the data. Moreover, even if an individual key is leaked for some reason, the range of the destruction is limited to the range of the individual key, which does not cause the entire system to crash.

Further, the data processing apparatus and the data processing method of the present invention are configured in such a manner that: sequentially generating individual keys based on the identification data of the devices or data eliminates the need to keep a list of keys for individual devices within the control device, thereby facilitating system control and increasing security.

In addition, according to the data processing device and the content data generation method of the present invention, illegal device identification data information is stored in content data, comparison between an illegal device list and a recorder/reproducer identifier attempting to use these content check value recorders/reproducers is performed before using the content with the recorders/reproducers, and, in the case where the comparison result shows that some items of the illegal device list match the recorder/reproducer identifier, subsequent processing such as content data decryption, download or reproduction processing or the like is stopped, and therefore, a reproducer or the like having an illegally obtained key can be prevented from illegally using the content.

In addition, the data processing device, the data processing method, and the content data generating method of the present invention adopt a structure that enables content data to include a check value for an illegal device list in the content data, thereby enabling tampering with the list itself to be prevented and providing a content data usage structure with improved security.

Furthermore, the data processing apparatus and the data processing method of the present invention enable data processing apparatuses such as a recorder/reproducer and a PC to store a device-specific key specific to the data processing apparatus and a system-common key common to other data processing apparatuses using content data, thereby enabling processing of content in accordance with content use restrictions. The data processing apparatus selectively uses the two keys according to the content use restriction. For example, in the case where the content is used only by the data processing apparatus, a key specific to the data processing apparatus is used, whereas in the case where the content is also usable by another system, a check value for the content data is generated and the comparison processing is performed with a system common key. The encrypted data can be decrypted and reproduced only when the comparison is made, so that processing can be performed in accordance with the use restriction of the content such as the content being used only for the data processing apparatus or the content being shared by the system.

Further, the data processing apparatus, the data processing method, and the content data verification value assignment method of the present invention are configured to be able to generate content check values of the content block data units, perform comparison processing on the generated content check values, generate content intermediate values from the content block data to be verified, and generate content check values by encryption processing that applies a content check value generation key, thereby being able to verify the entire data efficiently as compared with a usual processing procedure.

Further, the data processing apparatus, the data processing method, and the content data verification value assignment method of the present invention can perform verification in a content block unit in accordance with a download process procedure, a reproduction process procedure, and the like, with a simplified verification process procedure, thereby providing effective verification according to a usage pattern.

Further, since the data processing apparatus, the content data generating method, and the data processing method of the present invention have a structure that is equipped with a plurality of content blocks in content data and that is capable of performing encryption processing on each content block unit, and the data processing apparatus, the content data generating method, and the data processing method of the present invention also have a structure in which a key used for content encryption is further encrypted and stored in a header section, it is possible to have an arbitrary data structure that connects the blocks even if, for example, there are a plurality of content blocks and a block that requires encryption processing and a block that does not require encryption processing are mixed.

Further, according to the data processing device, the data processing system, and the data processing method of the present invention, by making the structure of the content block a regular structure, for example, a structure having a uniform data length or a structure in which the encrypted block and the non-encrypted (plain text) block are alternately arranged, the decryption process and the like of the content block can be quickly performed, and the encrypted content data corresponding to the content of the content data suitable for processing, for example, reproduction of music data and the like can be provided.

Also, the data processing apparatus, the data processing method, and the content data generating method can efficiently perform reproduction processing in the case where the content is compressed sound data, image data, or the like. That is, by making the structure of the content data a structure in which the compressed data and the expansion processing program are combined together, it is possible to perform the expansion processing in the reproduction processing apparatus and apply the expansion processing program belonging to the compressed content data to the expansion processing, and it is possible to avoid a case in which the expansion processing program does not exist in the reproduction processing apparatus and thus reproduction is not possible.

Further, according to the data processing device, the data processing method, and the content data generation apparatus, since the structure of the content data has a structure in which the reproduction processing device determines an extension processing program that can be applied to the compressed content data based on the header information, and the reproduction processing device also retrieves the applicable program from an accessible recording medium or the like, and performs the extension processing by making the content data a combination of the compressed data and a header storing the type of the compression processing program, or, if the content has a combination of the extension processing program, and the header storing the type of the program, the program retrieval processing does not need to be performed by the user, and thus, efficient reproduction processing can be performed.

Brief Description of Drawings

FIG. 1 is a diagram showing the structure of a conventional data processing system;

FIG. 2 is a diagram showing the configuration of a data processing apparatus to which the present invention is applied;

FIG. 3 is a diagram showing the configuration of a data processing apparatus to which the present invention is applied;

fig. 4 is a diagram showing a data format of content data on a medium or a communication path;

fig. 5 is a diagram showing a usage policy contained in a header of content data;

fig. 6 is a diagram showing block information contained in a header of content data;

fig. 7 is a diagram showing an electronic signature generation method with DES;

fig. 8 is a diagram showing an electronic signature generation method with triple DES;

fig. 9 is a diagram for explaining aspects of triple DES;

fig. 10 is a diagram showing an electronic signature generation method using the triple DES partially;

fig. 11 is a flowchart showing electronic signature generation;

fig. 12 is a flowchart showing electronic signature generation;

FIG. 13 is a diagram for explaining a mutual authentication processing sequence using a symmetric cryptographic translation technique;

fig. 14 is a diagram for explaining a public key certificate;

FIG. 15 is a view for explaining the mutual authentication processing sequence by the asymmetric cryptographic translation technique;

FIG. 16 is a diagram showing the flow of an encryption process with elliptic curve cryptography translation;

FIG. 17 is a diagram showing the flow of the decryption process with elliptic curve cryptographic translation;

fig. 18 is a diagram showing how data is saved on a recording and reproducing apparatus;

fig. 19 is a diagram showing how data is saved on a recording apparatus;

fig. 20 is a diagram showing a mutual authentication flow between the recording and reproducing apparatus and the recording apparatus;

fig. 21 is a diagram showing a relationship between master keys of a recording and reproducing apparatus and corresponding master keys of the recording apparatus;

fig. 22 is a diagram showing a flow of a content download process;

fig. 23 is a diagram for explaining generation of the integrity check value a: a map of the method of IVCa;

fig. 24 is a diagram for explaining generation of the integrity check value B: a map of the method of IVCa;

fig. 25 is a view for explaining generation of an overall integrity check value and integrity check values unique to the recording and reproducing apparatus;

fig. 26 is a diagram showing a format of content data stored in the recording apparatus (localization field 0);

fig. 27 is a diagram showing a format of content data stored in the recording apparatus (localization field 1);

fig. 28 is a diagram showing a flow of a content reproduction process;

fig. 29 is a diagram for explaining a method of executing a command by the recording apparatus;

fig. 30 is a diagram for explaining a method of the recording apparatus executing a command during content storage;

Fig. 31 is a diagram for explaining a method of the recording apparatus executing a command during content reproduction;

fig. 32 is a diagram for explaining the structure of the content data format type 0;

fig. 33 is a diagram for explaining the structure of the content data format type 1;

fig. 34 is a diagram for explaining the structure of the content data format type 2;

fig. 35 is a diagram for explaining the structure of the content data format type 3;

fig. 36 is a diagram for explaining a method of generating a content integrity check value IDVi for format type 0;

fig. 37 is a diagram for explaining a method of generating a content integrity check value IDVi for format type 1;

fig. 38 is a diagram for explaining the overall integrity check value for format types 2 and 3 and the integrity check value unique to the recording and reproducing apparatus;

fig. 39 is a diagram showing a procedure for downloading content of format type 0 or 1;

fig. 40 is a diagram showing a procedure for downloading content of format type 2;

fig. 41 is a diagram showing a procedure for downloading content of format type 3;

fig. 42 is a diagram showing a procedure for reproducing the content of format type 0;

fig. 43 is a diagram showing a procedure for reproducing the content of format type 1;

fig. 44 is a diagram showing a procedure for reproducing the content of format type 2;

Fig. 45 is a diagram showing a procedure for reproducing the content of format type 3;

fig. 46 is a diagram (1) for explaining a method in which a content generator and a content verifier generate integrity check values and perform verification using them;

FIG. 47 is a diagram (2) for explaining a method in which a content generator and a content verifier generate integrity check values and perform verification using them;

FIG. 48 is a diagram (3) for explaining a method in which a content generator and a content verifier generate integrity check values and perform verification using them;

fig. 49 is a diagram for explaining a method of individually generating a plurality of keys using a master key;

fig. 50 is a diagram (example 1) showing an example of a process performed by a content provider and a user and a method of individually generating a plurality of keys with a master key;

fig. 51 is a diagram (example 2) showing an example of a process performed by a content provider and a user and a method of individually generating a plurality of keys using a master key;

fig. 52 is a diagram for explaining a structure in which localization is performed with different master keys;

fig. 53 is a diagram (example 3) showing an example of a process performed by a content provider and a user and a method of individually generating a plurality of keys using a master key;

fig. 54 is a diagram (example 4) showing an example of a process performed by a content provider and a user and a method of individually generating a plurality of keys using a master key;

Fig. 55 is a diagram (example 5) showing an example of a process performed by a content provider and a user and a method of individually generating a plurality of keys using a master key;

fig. 56 is a diagram showing a flow of a process of storing a crypt translation key with triple DES applied using the single DES algorithm;

fig. 57 is a diagram showing a priority-based content reproduction flow (example 1);

fig. 58 is a diagram showing a priority-based content reproduction flow (example 2);

fig. 59 is a diagram showing a priority-based content reproduction flow (example 3);

fig. 60 is a diagram for explaining a configuration of executing a process of decrypting (decompressing) compressed data in the content reproduction process;

fig. 61 is a diagram showing an example of a content structure (example 1);

fig. 62 is a diagram of a reproduction flow in example 1 of a content structure;

fig. 63 is a diagram (example 2) showing an example of a content structure;

fig. 64 is a diagram of a reproduction flow in example 2 of a content structure;

fig. 65 is a diagram showing an example of a content structure (example 3);

fig. 66 is a diagram of a reproduction flow in example 3 of a content structure;

fig. 67 is a diagram showing an example of a content structure (example 4);

fig. 68 is a diagram of a reproduction flow in example 4 of a content structure;

FIG. 69 is a view for explaining generation and storage of save data;

FIG. 70 is a diagram showing a flow of an example (example 1) of a process of storing save data;

FIG. 71 is a view showing the structure of a data management file used in storing and reproducing save data (example 1);

FIG. 72 is a diagram showing a flow of an example (example 1) of a process of reproducing save data;

FIG. 73 is a diagram showing a flow of an example (example 2) of a store save data process;

FIG. 74 is a diagram showing a flow of an example (example 2) of a process of storing reproduction data;

FIG. 75 is a diagram showing the flow of an example of a store save data process (example 3);

fig. 76 is a diagram showing the structure of a data management file used in storing and reproducing save data ((example 2);

FIG. 77 is a diagram showing a flow of an example (example 3) of a process of reproducing save data;

FIG. 78 is a diagram showing the flow of an example of a store save data process (example 4);

FIG. 79 is a diagram showing a flow of an example (example 4) of a procedure of reproducing save data;

FIG. 80 is a diagram showing a flow of an example of a store save data process (example 5);

FIG. 81 is a view showing the structure of a data management file used in storing and reproducing save data ((example 3);

FIG. 82 is a diagram showing a flow of an example (example 5) of a process of reproducing save data;

FIG. 83 is a diagram showing a flow of an example of a store save data process (example 5);

fig. 84 is a diagram showing the structure of a data management file used in storing and reproducing save data ((example 4);

FIG. 85 is a diagram showing a flow of an example (example 6) of a process of reproducing save data;

fig. 86 is a diagram for explaining the structure of an invalid content excluding user (revocation);

FIG. 87 is a diagram showing the flow of a process (example 1) for eliminating invalid content users (revocation);

FIG. 88 is a diagram showing the flow of a process (example 2) for eliminating invalid content users (revocation);

FIG. 89 is a view for explaining the structure of a security chip (example 1);

FIG. 90 is a diagram showing a flow of a method for producing a security chip;

FIG. 91 is a view for explaining the structure of a security chip (example 2);

FIG. 92 is a diagram showing the flow of a process for writing data to the privacy chip (example 2);

FIG. 93 is a diagram showing the flow of a process for checking data written in a security chip;

best mode for carrying out the invention

The following describes embodiments of the present invention. The description proceeds in the following sequence of items:

(1) Structure of data processing apparatus

(2) Content data format

(3) Summary of cryptographic translation processing procedure applicable to data processing apparatus of the present invention

(4) Structure of data stored in recording and reproducing apparatus

(5) Structure of data stored in recording apparatus

(6) Mutual authentication processing procedure between recording and reproducing apparatus and recording apparatus

(6-1) outline of mutual authentication Process

(6-2) switching to a key block in a mutual authentication process

(7) Procedure for downloading from a recording and reproducing device to a recording device

(8) Process for reproducing information from a recording apparatus performed by a recording and reproducing apparatus

(9) Key exchange process after mutual authentication

(10) Multiple content data formats and download and reproduction procedures corresponding to each format

(11) Aspects of a process performed by a content provider for generating a check value (ICV)

(12) Key generation structure of cipher translation processing process based on master key

(13) Controlling the degree of password translation processing in the password translation processing process

(14) Program startup procedure based on priority in content data processing policy

(15) Content structure and reproduction (decompression) process

(16) A process for generating and storing save data in a recording apparatus and reproducing the save data from the recording apparatus

(17) Structure for eliminating (revoking) illegal device

(18) Structure of security chip and production method of security chip

(1) Structure of data processing apparatus

Fig. 2 shows a block diagram illustrating the general architecture of one embodiment of the data processing device of the present invention. The main components of the data processing structure are a recording and reproducing apparatus 300 and a recording apparatus 400.

The recording and reproducing apparatus 300 includes, for example, a Personal Computer (PC), a game apparatus, or the like. The recording and reproducing apparatus 300 has: a control section 301 for realizing a unified control including controlling communication between the recording and reproducing apparatus 300 and the recording apparatus 400 in the password translation process in the recording and reproducing apparatus 300; a recording and reproducing device password translation processing section 302 which is responsible for the entire password translation processing procedure; a recording device controller 303 for performing an authentication process with a recording device 400 to read and write data, the recording device 400 being connected to the above-mentioned recording and reproducing device; a reading section 304 for reading at least data from a medium 500 such as a DVD; and a communication section 305 for transmitting data to or receiving data from the outside, as shown in fig. 2.

The recording and reproducing device 300 downloads and reproduces content data to and from the recording device 400, which is controlled by the control section 301. The recording apparatus 400 is a storage medium that can be optimally attached to and detached from the recording and reproducing apparatus 300, such as a memory card, having an external memory 402 including a nonvolatile memory such as an EEPROM or a block erase memory, a hard disk, or a RAM with a battery.

The recording and reproducing apparatus 300 has: a reading section 304 as an interface; to which content data stored in a storage medium shown in the left end of fig. 2, i.e., a DVD, a CD, an FD, or an HDD, can be input; and a communication section 305 as an interface to which content data distributed from a network such as the internet can be input so as to receive content input from the outside.

The recording and reproducing device 300 has a password translation processing section 302 so as to execute an authentication process, an encryption and decryption process, a data verification process, and other processes at the time of downloading content data input to the recording device 400 from the outside through the reading section 304 or the communication section 306 or at the time of reproducing and executing content data from the recording device 400. The password translation processing unit 302 includes: a control unit 306 for controlling the entire password translation processing unit 302; an internal memory 307 which holds information such as a key used for a cryptographic translation process, the information being processed so that data can be prevented from being easily read from the outside; and an encryption/decryption section 308 for performing encryption and decryption processes, generating and verifying authentication data, generating random numbers, and the like.

When, for example, the recording device 400 is mounted in the recording and reproducing device 300 or performs an arbitration process, an integrity check value comparison process, and an encryption and decryption process for various processes such as mutual authentication between the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 and the encryption/decryption section 406 of the recording device password translation processing section 401, the control section 301 transmits an initialization command to the recording device 400 through the recording device controller 303. Each of these processes will be described in detail in the subsequent section.

The cryptographic translation processing section 302 performs an authentication process, an encryption and decryption process, a data verification process, and other processes as described above and has a cryptographic translation processing section control section 306, an internal memory 307, and an encryption/decryption section 308.

The password translation processing control section 306 controls the entire password translation processing procedures such as the authentication procedure and the encryption/decryption procedure performed by the recording and reproducing apparatus 300, the procedure of setting an authentication completion flag when the authentication procedure performed between the recording and reproducing apparatus 300 and the recording apparatus 400 has been completed, for example, the procedure of instructing to perform various procedures performed in the encryption/decryption section 308 of the recording and reproducing section password translation processing section 302, such as the download procedure and the procedure of generating the integrity check value of the reproduced content data, and the procedure of instructing to generate various key data.

As described in detail below, the internal memory 307 stores key data, identification data, and other data required for various processes such as a mutual authentication process, an integrity check value comparison process, and encryption and decryption processes performed in the recording and reproducing apparatus 300.

The encryption/decryption section 308 performs an authentication process, an encryption and decryption process, generation and verification of a predetermined integrity check value or electronic signature, verification of data, generation of a random number, and the like, with key data and the like stored in the internal memory 307 when downloading input content data from the outside to the recording apparatus 400 or reproducing and executing content data stored in the recording apparatus 400.

In this case, the recording and reproducing device crypt translation processing section 302 holds important information such as a crypt translation key and must be configured so that data cannot be easily read out from the outside. Therefore, the password interpretation processing section is configured as a tamper-resistant memory characterized by being capable of preventing external invalid reading because the memory includes a semiconductor chip which can substantially deny external access and has a multilayer structure, an internal memory switched between dummy layers made of aluminum or the like or provided on the lowest layer, and a narrow range of operating voltage and/or frequency. This structure will be described in detail below.

In addition to the password translation processing procedure, the recording and reproducing apparatus 300 includes a main Central Processing Unit (CPU)106, a RAM (random access memory) 107, a ROM (read only memory) 108, an AV processing section 109, an input interface 110, a PIO (parallel I/O) interface 111, and an SIO (serial I/O) interface 112.

A main Central Processing Unit (CPU)106, a RAM (random access memory) 107, a ROM (read only memory) 108 are components which serve as a control system of the main body of the recording and reproducing apparatus 300 and mainly serve as a reproduction processing section for reproducing data decrypted by the recording and reproducing apparatus password interpretation processing section 302. For example, a main Central Processing Unit (CPU)106 controls reproduction and execution of content such as outputting content data read out from the recording apparatus and decrypted to the AV processing section 109 under the control of the control section 301.

The RAM107 serves as a main storage memory for processes executed with the CPU106 and as a work area for these processes. The ROM108 stores basic programs for starting an OS or the like started by the CPU106 and other data.

The AV processing section 109 has data compression and decompression processing means, specifically, an MPEG2 decoder, ATRAC decoder, MP3 decoder, or the like to perform a process for outputting data to a data output device such as a display or speaker (not shown) mounted or connected to the recording and reproducing device main body.

The input interface 110 outputs input data from various connection input devices such as a controller, a keyboard, and a mouse to the main CPU 106. The main CPU106 performs processing in accordance with a command issued by the user through the controller in accordance with a game program or the like being executed.

The PIO (parallel I/O) interface 111 and the SIO (serial I/O) interface 112 serve as storage means for a memory card or a game box and as connection means for a portable electronic device or the like.

The main CPU106 also performs control while saving as save data, setting data, or the like for a game or the like being executed. In this process, the stored data is transferred to the control section 301, which enables the crypto-translation processing section 302 to perform the crypto-translation processing on the saved data as necessary, and then stores the encrypted data into the recording apparatus 400. These cryptographic translation processes will be described in detail below.

The recording apparatus 400 is a storage medium that can be optimally attached to and detached from the recording and reproducing apparatus 300, and includes, for example, a memory card. The recording apparatus 400 has a password translation processing section 401 and an external memory 402.

The recording device password translation processing section 401 performs a phase authentication process, an encryption and decryption process, a data verification process, and other processes between the recording and reproducing device 300 and the recording device 400 when downloading content data from the recording and reproducing device 300 or reproducing content data from the recording device 400 to the recording and reproducing device 300 and has a control section, an internal memory, an encryption/decryption section, and other means similar to the password translation processing section of the recording and reproducing device 300. Details are shown in fig. 3. The external memory 402 includes a nonvolatile memory including a block erase memory such as an EEPROM, a hard disk, or a RAM with a battery or the like, so as to store encrypted content data or the like.

Fig. 3 is a diagram schematically showing the structure of data input from a medium 500 and a communication device 600, the medium 500 and the communication device 600 being data providing means from which the data processing apparatus of the present invention receives data, and fig. 3 focuses on the structure of a recording and reproducing apparatus 300 that receives content input from the content providing device 500 or 600 and the structure for a password translation process in the recording apparatus 400.

The medium 500 is, for example, an optical disc medium, a magnetic tape medium, a semiconductor medium, or the like. The communication device 600 is a data communication device such as the internet, a cable or satellite communication device.

In fig. 3, the recording and reproducing apparatus 300 verifies data input from the medium 500 or the communication device 600, i.e., contents satisfying a predetermined format shown in fig. 3, and stores the verified contents in the recording apparatus 400.

As shown in the media 500 and communication device 600 sections, the content data has the following composition:

content ID: a content ID as a content data identifier.

A usage policy; the usage policy contains constituent information of the content data, such as the length of the header part and the content part constituting the content data, the format version, the content type indicating whether the content is a program or data, a localization field indicating whether the content is available only to a device downloading the content or to other devices.

Block information table: the block information table includes the number of content blocks, a block length, an encryption flag indicating the presence of encryption, and other content.

Key data: the key data includes an encryption key for encrypting the above-described block information table, a content key for encrypting a content block, and the like.

Content block: the content block includes program data, music or image data, or other data to be actually reproduced.

The content data will be described in detail below with reference to fig. 4 and subsequent drawings.

The content data is encrypted by a content key (hereinafter referred to as "Knon") and supplied from the medium 500 or the communication device 600 to the recording and reproducing apparatus 300. The content may be stored in an external storage of the recording apparatus 400 by the recording and reproducing apparatus 300.

For example, the recording apparatus 400 encrypts the content data contained in the data, a block information table contained as header information in the content data, and information relating to various keys such as the content key Kcon before storing them in the external memory 402 using a key (hereinafter referred to as "storage key" (Kstr)) stored in the internal memory 405 unique to it. In order to download content data from the recording and reproducing apparatus 300 to the recording apparatus 400 or to cause the recording and reproducing apparatus 300 to reproduce content data stored in the recording apparatus 400, a predetermined process such as mutual authentication between the apparatus and the content data encryption and decryption process is required. These processes will be described in detail below.

The recording device 400 has a password translation processing unit 401 and an external memory 402, and the password translation processing unit 401 has a control unit 403, a communication unit 404, an internal memory 405, an encryption/decryption unit 406, and an external memory control unit 407.

The recording apparatus 400 is responsible for the entire password translation process, controls the external memory 402, and includes: a recording device password translation processing section 401 for interpreting commands from the recording and reproducing device 300 and executing processing procedures; and an external memory 402 that holds contents and the like.

The recording device password translation processing unit 401 includes: a control section 403 for controlling the entire recording apparatus password translation processing section 401; a communication section 404 for transmitting data to the recording and reproducing device 300 and receiving data from the recording and reproducing device 300; an internal memory 405 holding information such as a key used for a cryptographic translation process and already processed to prevent easy reading of data from the outside; an encryption/decryption section 406 for performing encryption and decryption processes, generating and verifying authentication data, generating random numbers, and the like; and an external memory control section 407 for reading data from the external memory 402 and writing data to the external memory 402.

The control section 403 controls the entire password translation processing such as the authentication process and the encryption/decryption process performed by the recording apparatus 400, for example, a process of setting an authentication completion flag when the authentication process performed between the recording and reproducing apparatus 300 and the recording apparatus 400 has been completed, a process of instructing to perform various processes performed in the encryption/decryption section 406 of the password translation processing section 401, for example, a download process and a process for generating an integrity check value of reproduced content data, and a process of instructing to perform various processes for generating various kinds of key data.

The internal memory 405 includes a memory having a plurality of blocks to store a plurality of sets of key data, identification data or other data required for various processes such as a mutual authentication process, an integrity check value comparison process, and encryption and decryption processes performed by the recording apparatus 400 as described in detail below.

The internal memory 405 of the recording device password translation processing section 401 holds important information such as a password translation key similarly to the internal memory 307 of the aforementioned recording and reproducing device password translation processing section 302, and therefore must be configured so that the data thereof cannot be easily read from the outside. Therefore, the password interpretation processing section 401 of the recording and reproducing device 400 is characterized in that the external invalid reading can be prevented because it includes a semiconductor chip which can substantially deny external access and has a multilayer structure, an internal memory which is switched between dummy layers made of aluminum or the like or disposed on the lowest layer, and a narrow range of operating voltage and/or frequency. In this regard, the recording and reproducing apparatus password translation processing section 302 may be software configured to prevent confidential information for the key from being easily leaked to the outside.

The encryption/decryption section 406 performs a data authentication process, an encryption and decryption process, generation and verification of a predetermined integrity check value or electronic signature, generation of a random number, and the like, with key data or the like stored in the internal memory 405 at the time of downloading content data from the recording and reproducing device 300, reproducing content data stored in the external memory 402 of the recording device 400, or performing mutual authentication between the recording and reproducing device 300 and the recording device 400.

The communication section 404 is connected to the recording device controller 303 of the recording and reproducing device 300 so as to download or reproduce content data or to transfer data between the recording and reproducing device 300 and the recording device 400 in a mutual authentication process under the control of the control section 301 of the recording and reproducing device 300 or the control of the control section 403 of the recording device 400.

(2) Content data format

The data format of the data stored in the medium 500 of the system of the present invention or transmitted on the data communication device 600 is explained below with reference to fig. 4 to 6.

The structure shown in fig. 4 shows the format of the entire content data, the structure shown in fig. 5 shows the details of the "usage policy" that partially constitutes the header of the content data, and the structure shown in fig. 6 shows the details of the "block information table" that partially constitutes the header of the content.

The following describes representative examples of data formats applied to the system of the present invention, but different types of data formats, such as a format corresponding to a game program and a format suitable for processing music data or the like in real time, may also be applied to the system. These formats will be described in detail below in "(10) a plurality of content data formats and download and reproduction procedures corresponding to the respective formats".

In the data format shown in fig. 4, the entries shown in gray represent encrypted data, the entries shown in double-boxed form represent tamper check data, and the other entries shown in white represent unencrypted old-format text data. The encryption key of the encryption unit is shown on the left side of the double box. In the example shown in fig. 4, some blocks of the content part (content block data) contain encrypted data, and other blocks contain non-encrypted data. This form varies depending on the content data, and all content block data contained in the data can be encrypted.

As shown in fig. 4, the data format is divided into a header part including a content ID, a usage policy, an integrity check value a < hereinafter referred to as "ICVa" >, a block information table key (hereinafter referred to as "Kbit"), a content key Kcon, a block information table (hereinafter referred to as "BIT"), an integrity check value b (icvb), and an overall integrity check value (ICVt), and a content part including a plurality of content blocks (e.g., encrypted and non-encrypted contents).

In this case, the individual information indicates a content ID for identifying the content. The usage policy includes a header length indicating the header length, a content length indicating the content section length, a format version indicating format version information, a format type indicating the format type, a content type indicating whether the content type is a program or data, an operation priority indicating a start priority if the content type is a program, a localization field indicating whether only the content downloaded in this format can be used for a device downloading the content or can be used for other similar devices, a copy permission indicating whether the content downloaded in this format can be copied from the device downloading the content to other similar devices, a move permission indicating whether the content downloaded in this format can be moved from the device downloading the content to other similar devices, an encryption algorithm indicating an algorithm for encrypting a block of content in the content section, an encryption mode indicating a method of controlling the algorithm for encrypting the content in the content section, And a integrity check method, which represents a method for generating an integrity check value, as shown in detail in fig. 5.

The above-described data entry recorded in the usage policy is merely exemplary, and various kinds of usage policy information may be recorded according to the corresponding contents data aspect. The identifier is described in detail below, for example in "(17) for eliminating (revoking) illegal devices". It is also possible to form a structure capable of excluding an illegal device from using the content by recording the content of the illegal recording and reproducing device as data and by checking the time of starting to use.

The integrity check value a ICVa is used to verify that the content ID or usage policy has not been tampered with. This value is used as a check value for partial data rather than the entire content data, that is, as a partial integrity check value. The data block information table key Kbit is used to encrypt the block information table, and the content key Kcon is used to encrypt the content block. The block information table key Kbit and the content key are encrypted using a distribution key (hereinafter referred to as "Kdis") on the medium 500 and the communication apparatus 600.

Fig. 6 shows the block information table in detail. The block information table in fig. 6 includes data encrypted with the block information table key Kbit shown in fig. 4. The block information table includes block numbers indicating the numbers of content blocks and information on the N content blocks, as shown in fig. 6. The content block information table includes a block length, an encryption flag indicating whether the block is encrypted, an ICV flag indicating whether an integrity check value must be calculated, and a content Integrity Check Value (ICVi).

The content integrity check value is used to verify that the respective content block has not been tampered with. A specific example of a method for generating a content integrity check value will be described below in "(10) a plurality of content data formats and download and reproduction procedures corresponding to the respective formats". The block information table key Kbit used for encrypting the block information table is further encrypted with the distribution key Kdis.

The data format in fig. 4 is explained further. The integrity check value B ICVb is used to verify that the block information table key Kbit, the content key Kcon and the block information table have not been tampered with. This value is used as a check value for partial data rather than the entire content data, that is, as a partial integrity check value. The integrity check value ICVt is used to verify that the integrity check values ICVa and ICVb, the integrity check value ICVi for each content block (if set), a partial integrity check value, or all the data to be checked has not been tampered with.

In fig. 6, the block length, encryption flag, and ICV flag may be arbitrarily set, but some rules may be formed. For example, the encrypted and plain text regions may be repeated over a fixed length, all content data may be decrypted, or the block information table BIT may be compressed. Further, in order to use different content keys Kcon for different content blocks, the content key Kcon is contained in the content block instead of the header section. Examples of the content data format will be described in detail below in "(10) a plurality of content data formats and download and reproduction processes corresponding to the respective formats".

(3) Summary of cryptographic translation processing procedures applicable to the data processing apparatus of the present invention

The following describes aspects of various cryptographic translation processes applicable to the data processing apparatus of the present invention. The description of the cryptographic translation processing procedure in "(3) summary of cryptographic translation processing procedure applicable to the data processing apparatus of the present invention" corresponds to a summary of aspects of the cryptographic translation processing procedure, such as "a. authentication procedure between recording and reproducing apparatus and recording apparatus", "b. download procedure of apparatus for loading content", "c. procedure for reproducing content stored in recording apparatus", and various procedures executed by the data processing apparatus of the present invention, which will be specifically described below, are based on the summary. The specific processes performed by the recording and reproducing apparatus 300 and the recording apparatus 400 are detailed in item (4) and subsequent items, respectively.

A summary of a cryptographic translation process applicable to a data processing apparatus is described in the following order:

(3-1) message authentication based on shared-key cryptosystem

(3-2) electronic signature based on public key cryptosystem

(3-3) electronic signature verification based on public key cryptosystem

(3-4) mutual authentication based on common key cryptosystem

(3-5) public Key certificate

(3-6) mutual authentication based on public key cryptosystem

(3-7) encryption Process Using elliptic Curve Cryptographic translation

(3-8) decryption procedure Using elliptic Curve Cryptographic translation

(3-9) random number Generation Process

(3-1) message authentication based on shared-key cryptosystem

First, a process of generating tamper detection data using a common key encryption method is explained. The tamper detection data is appended to the data to be tamper detected in order to check the tamper and authentication generator.

For example, the integrity check values a and B and the overall integrity check value in the data structure enclosed with a double frame as described in fig. 4, the content check values stored in the respective blocks in the block information table shown in fig. 6, and the like are generated as the tamper detection data.

Here, as an example of a method for generating and processing electronic signature data, use of DES, which is a common key cryptosystem, is explained. In addition to DES, the present invention may also use, for example, FEAL (fast encryption algorithm) or AES (advanced encryption standard) (next generation standard translation of the united states) as a similar common key cryptosystem-based process.

A method of generating an electronic signature using the general DES is described with reference to fig. 7. First, before generating an electronic signature, a message to which the electronic signature is to be appended is divided into a set of 8 bytes (hereinafter, the divided message segments are referred to as "M1, M2, … MN"). The initial (hereinafter referred to as "IV") and M1 are XOR'd (the result is referred to as "I1"). Then, I1 is input to a DES encryption section, which encrypts I1 with a key (hereinafter referred to as "K1") (the output is referred to as "E1"). Thereafter, E1 and M2 are xored, I2 is input to the DES encryption section, which encrypts I1 with key K1 (the output is referred to as "E2"). This process is repeated for all messages obtained by the division. The final output EN is the electronic signature. This value is commonly referred to as "MAC (message authentication code)", and is used to check a message for tampering. Further, such a system for chaining encrypted texts is called "CBC (encrypted block chaining) mode".

The MAC value output in the generation example shown in fig. 7 can be used as the integrity check value a or B or the overall integrity check value in the data structure enclosed with a double box shown in fig. 4 and the content check values ICV1 to ICVN stored in the respective blocks in the block information table shown in fig. 6. In verifying the MAC value, the verifier generates the MAC value in a similar manner to that used to generate the MAC value at the beginning, and if the same value is obtained, it may be determined that the verification is successful.

Also, in the example shown in fig. 7, the initial value IV is exclusive-ored with the header 8-byte message M1, but the initial value IV may be zero, so that no exclusive-or operation is performed.

Fig. 8 shows a structure of a method for generating a MAC value, which has improved security compared to the MAC value generation method shown in fig. 7. Fig. 8 shows an example in which, instead of the single DES in fig. 7, a triple DES is used to generate a MAC value.

Fig. 9A and 9B show an example of a detailed structure of each triple DES module shown in fig. 8. As shown in fig. 9, there are two different aspects of the structure of the triple DES. Fig. 9(a) shows an example of using two crypt translation keys, in which processing is performed in the order of encryption processing with key 1, decryption processing with key 2, and encryption processing with key 1. Two types of keys are used in the order of K1, K2, and K1. Fig. 9(b) shows an example of translating keys with three ciphers, in which processing is performed in the order of encryption processing with key 1, encryption processing with key 2, and encryption processing with key 3. Three types of keys are used in the order of K1, K2, and K3. Therefore, it is possible to continuously perform a plurality of processes in order to improve the degree of secrecy as compared with the single DES. However, the triple DES structure has a processing time required three times that of the single DES.

Fig. 10 shows an example of a MAC value generation structure obtained by modifying the triple DES structure described in fig. 8 and 9. In fig. 10, the encryption process for each message from the start to the end of the message string to be added with the signature is based on the single DES, and only the encryption process for the last message is based on the triple DES structure shown in fig. 9 (a).

The structure shown in fig. 10 can reduce the time required for generating a MAC value for a message to almost the same time as the time required for the single DES-based MAC value generation process, and the confidentiality is improved compared to the single DES-based MAC value. Also, the triple DES structure for the last message is as shown in fig. 9 (b).

(3-2) electronic signature based on public key cryptosystem

Having described the method for generating electronic signature data in the case where a common key cryptosystem is used as the cryptosystem, the method for generating an electronic signature data name in the case where a common key cryptosystem is used as the cryptosystem will be described below with reference to fig. 11. The process described in fig. 11 corresponds to a flow of generating electronic signature data using the elliptic curve digital signature algorithm (EC-DSA) IEEE P1363/D3. The following description uses elliptic curve cryptography (hereinafter referred to as "ECC") as an example of public key cryptography. In addition to elliptic curve cryptographic translation, the data processing apparatus of the present invention may also use, for example, RAS (Rivest Shamir, Adleman; ANSI X9.31)) cryptographic translation, which is a similar public cryptographic system.

The respective steps in fig. 11 are explained below. In step S1, the following definitions are set: reference numeral P denotes a feature, a and b denote coefficients of an elliptic curve (elliptic curve: y)²＝x³+ ax + b), G denotes a base point on the elliptic curve, r denotes a numerical value of G, and Ks denotes a secret number 0 < Ks < r). In step S2, a hash value for message M is calculated to obtain f ═ hash (M).

Next, a method for determining a hash value with a hash function is explained. The hash function receives as input a message, compresses it into data of a predetermined bit length and outputs the compressed data as a hash value. Hash values are characterized in that it is difficult to predict the input from the hash value (output), when one bit of data input to the hash function is changed, a plurality of bits of the hash value are changed, and it is difficult to find different input data with the same hash value. The hash function may be MD4, MD5 or SHA-1 or PES-CBC similar to that described in FIG. 7 or other figures. In this case, the MAC (corresponding to the integrity check value ICV) which is the final output value is a hash value.

Thereafter, in step S3, a random number u is generated, and in step S4, the base point is multiplied by u to obtain coordinates V (Xv, Yv). The addition of 2 to the ellipse curve and the multiplication by 2 are defined as follows:

If P is (Xa, Ya), Q is (Xb, Yb), and R is (Xc, Yc) is P + Q.

When P ≠ Q (addition)

Xc＝λ²-Xa-Xb

Yc＝λx(Xa-Xc)-Ya

λ＝(Yb-Ya)/(Xb-Xb)

When P is Q (multiplied by 2)

Xc＝λ²-2Xa

Yc＝λx(Xa-Xc)-Ya

λ＝(3(Xa)²+a)/(2Ya) ……(1)

These are used to multiply the point G by u (although the computation speed is slow, the following shows the most easily understood computation method.computation G, 2 XG, 4X G.u are extended in binary, 2^IXg (a value obtained by multiplying G by 2I times) is added to a bit of 1 (I denotes a position of a bit counted from LSB).

In step S5, c ═ Xv mod r is calculated. In step 6, it is determined whether the result is zero. If the result is not zero, d [ (f + cKs)/u ] mod r is calculated in step S7, and it is determined whether d is zero in step S8. If d is not zero, c, d) is output as the electronic signature data in step S9. When it is assumed that r represents a length of 160 bits, the electronic signature data has a length of 320 bits.

If c is 0 in step S6, the process returns to step S3 to regenerate a new random number. Similarly, if d is zero in step S8, the process also returns to step S3 to regenerate a new random number.

(3-3) electronic signature verification based on public key cryptosystem

The verification of an electronic signature with a public key cryptosystem is described below with reference to fig. 12. In step S11, the following definitions are set: reference M denotes a message, reference p denotes a feature, reference a and b denote the coefficients C of an elliptic curve: y is²＝x³+ ax + b), reference G denotes a base point on the curve, reference r denotes the value of G, and reference G and Ks × G denote commonKey (0 < Ks < r). In step S12, it is verified that the electronic signature data c and d satisfy 0 < c < r and 0 < d < r. If the data satisfies these conditions, then in step S13, a hash value for message M is calculated to obtain f ═ hash (M). Then, in step S14, h is calculated to be 1/d modr, and in step S15, h1 is calculated to be fh modr and h2 is calculated to be ch modr.

In step S16, P ═ h1 × G + h2.ks × G is calculated using the calculated h1 and h2. The electronic signature verifier knows the common secret keys G and Ks × G, and thus can calculate the number multiplication of points on the elliptic curve similarly to step S4 in fig. 11. Then, in step S17, it is determined whether P is a point at infinity, and if not, the process proceeds to step S18 (it is actually determined at step S16 whether P is a point at infinity, that is, when P ═ X, Y and Q ═ X, -Y are added together, it is impossible to calculate λ to represent a point at which P + Q is at infinity). In step S18, Xp mod r is calculated and compared with the electronic signature data c. Finally, if these values are equal, the process proceeds to step S19 to determine that the electronic signature is correct.

If the electronic signature is judged to be correct, the data is not tampered, and the person holding the secret key corresponding to the public key has generated the electronic signature.

If the signature data c or d does not satisfy 0 < c < r or 0 < d < r at step S12, the process proceeds to step S20. Further, if P is a point at infinity in step S17, the processing also proceeds to step S20. Further, if Xp mod r is not equal to the signature data in step S18, the processing proceeds to step S20.

If it is determined in step S20 that the signature is incorrect, this indicates that the received data has been tampered with or not generated by a person who grasps the secret key corresponding to the common public key.

(3-4) mutual authentication based on common key cryptosystem

Mutual authentication with a common key cryptosystem is described below with reference to fig. 13. In the figure, the shared key cryptosystem is DES, but any shared key cryptosystem similar to the one described above may be used. In fig. 13, B first generates a 64-bit random number Rb and passes Rb and its own ID (B) to a. Upon receiving the data, a generates a new 64-bit random number Ra, encrypts the data in DES CBC mode with the key Kab in the order Ra, Rb and id (B) and returns them to B. According to the DES CBC mode processing structure shown in fig. 7, Ra, Rb and id (b) pairs are applied to M1, M2 and M3, and at initial values: when IV is 0, the outputs E1, E2, and E3 are encrypted texts.

Upon receipt of the data, B decrypts the received data with the key Kab. To decrypt the received data, the encrypted text E1 is first decrypted with the key Kab to obtain the random number Ra. The encrypted text E2 is then decrypted with the key Kab, the result of which is xored with E1 to obtain Rb. Finally, the encrypted text E3 is decrypted with the key Kab, the result of which is xored with E2 to obtain the id (b). In Ra, Rb and id (B) thus obtained, Rb and id (B) are checked for equality with those values conveyed by B. If they are successfully verified, B authenticates A.

Then, B generates a session key (hereinafter, referred to as "Kses") used after authentication (which is generated with a random number). Rb, Ra and Kses are encrypted in DES CBC mode in this order with the key Kab and returned to a.

Upon receiving the data, a decrypts the received data with the key Kab. The method for decrypting the received data is similar to that performed by B, so a detailed description thereof is omitted. In the Ra, Rb and Kses thus obtained, it is checked that Rb and Kses are equivalent to those transmitted by a. If they are successfully verified, A authenticates B. After a and B have authenticated each other, the session key Kses is used as a public key, which is used for secure communication after authentication.

If the received data is found to be illegitimate or non-identical during the verification process, the mutual authentication is deemed to have failed and the process is interrupted.

(3-5) public Key certificate

The public key certificate is explained below with reference to fig. 14. Public key certificates are issued by the Certificate Authorities (CAs) of public key cryptosystems. When a user submits his or her own ID, public key, and other data to a certificate authority, the authority adds information such as the user's own ID and validity period to the user-submitted data and also adds its signature to the data to generate a public key certificate.

The public key certificate shown in fig. 14 contains the version number of the certificate, the serial number of the certificate assigned to the certificate user by the certificate authority, the algorithm and parameters for electronic signature, the name of the certificate authority, the validity period of the certificate, the name of the certificate user (user ID), and the public key and electronic signature of the certificate user.

The electronic signature is data generated by applying a hash function to all of the version number of a certificate, a certificate serial number assigned to a certificate user by a certificate authority, an algorithm and parameters for the electronic signature, the name of the certificate authority, the validity period of the certificate, the name of the certificate user (user ID), and the public key of the certificate user to generate a hash value and then using the secret key of the certificate authority of the hash value. For example, the electronic signature is generated using the flow described in fig. 11.

The certificate authority issues the public key certificate shown in fig. 14, updates the public key certificate whose validity period has expired, and creates, manages, and issues an illegal user list so as to exclude users with illegal activities (hereinafter referred to as "revocation"). Certificate management also generates public and secret keys as needed.

On the other hand, in order to use the above-mentioned public key certificate, the user verifies the electronic signature on the public key certificate with the public key held by the certificate authority itself, and after having successfully verified the electronic signature, the user takes out the public key from the public key certificate and uses the same. Thus, all users using public key certificates have a common public key of the certificate authority. Fig. 12 illustrates a method for authenticating an electronic authority, and a detailed description thereof is omitted.

(3-6) mutual authentication based on public key cryptosystem

A method of mutual authentication using a 160-bit elliptic curve crypto-translation, which is a public key crypto-translation, is described below with reference to fig. 15. In the figure, the public key cryptosystem is an ECC, but any similar public key cryptosystem may be used as described above. Further, the key length is not limited to 160 bits. In fig. 15, B first generates a 64-bit random number Rb and passes Rb and its own ID (B) to a. Upon receiving the data, a generates a new 64-bit random number Ra and a random number Ak that is smaller than the feature p. A then multiplies the base point G by Ak to determine Av ═ Ak × G, generates electronic signatures a.sig for Ra, Rb, and Av (X and Y coordinates), and returns these data to B along with a's public key certificate. In this case, since Ra and Rb each contain 64 bits and Av's X and Y coordinates each contain 160 bits, the total number of electronic signatures is 448 bits. The method of generating an electronic signature has already been described in fig. 11, and a detailed description thereof will be omitted. The public key certificate is illustrated in fig. 14, and a detailed description thereof is omitted.

Upon receiving a's public key certificate Ra, Rb and electronic signature a.sig, B verifies that Rb transmitted by a matches Rb transmitted by B. If they are judged to be matched, B verifies the electronic signature in A's public key certificate with the public key of the certificate authority and retrieves A's public key. The verification of the public key certificate has been described with reference to fig. 14, and a detailed description thereof will be omitted. B then verifies the electronic signature a.sig with the obtained public key of a. A method of verifying an electronic signature is described in fig. 12, and a detailed description thereof will be omitted. Once the electronic signature is successfully verified, B authenticates a.

Then, B generates a new random number smaller than the feature p. Thereafter, B multiplies the base point G by Bk to determine Bv ═ Bk × G, generates an electronic signature a.sig for Ra, Rb, and Bv (X and Y coordinates), and returns these data to B along with B's public key certificate.

Upon receiving B's public key certificate Rb, Ra, Rb, Av and electronic signature b.sig, a verifies that the Ra transmitted by B matches the Ra transmitted by a. If they are judged to be matched, A verifies the electronic signature in B's public key certificate with the public key of the certificate authority and retrieves B's public key. A then verifies the electronic signature b.sig with the obtained public key of B. Once the electronic signature is successfully verified, a authenticates B.

If A and B successfully authenticate each other, B calculates Bk × Av (points on the elliptic curve must be scalar multiplied since Bk is a random number but Av is a point on the elliptic curve), and B calculates Ak × Bv so the lower 64 bits of each X coordinate of these points can be used as a session key for use in later communications (if the common key cryptographic translation uses a 64-bit key length). Of course, the session key may be generated from the Y coordinate, or the lower 64 bits may not be used. In the secure communication after the mutual authentication, not only the transmitted data is encrypted with the session key, but also an electronic signature may be added to the transmitted data.

If the illegitimate and inequality are found in the verification process of the electronic signature or the received data, the mutual authentication is considered to have failed, and the process is interrupted.

(3-7) encryption Process Using elliptic Curve Cryptographic translation

Encryption using elliptic curve cryptography translation is described below with reference to fig. 16. In step S21, the following definitions are set: reference numerals Mx and Mr denote messages, reference numeral p denotes a feature, and reference numerals a and b denote coefficients of an elliptic curve (elliptic curve: y)²＝x³+ ax + b), reference G denotes a base point on the curve, reference r denotes the value of G, and reference G and Ks × G denote common Key (0 < Ks < r). In step S22, a random number u is generated, and therefore 0 < u < r. In step S23, the key multiplies the common key Ks × G by u to calculate the coordinate V. Step S4 in fig. 11 illustrates scalar multiplication on an elliptic curve, and therefore, the description thereof is omitted. In step S24, the X coordinate of V is multiplied by Mx and then divided by p to determine the remainder X0. In step S25, the Y coordinate of V is multiplied by My and then divided by p to determine the remainder Y0. If the length of the message is less than the number of bits, My includes a random number, which the decryption section discards. In step S26, u × G is calculated, and in step S27, encrypted text is obtained.

(3-8) decryption procedure Using elliptic Curve Cryptographic translation

Decryption of the elliptic curve cryptogram translation is explained below with reference to fig. 17. In step S31, the following definitions are set: the notation u × G, (X0, Y0) denotes encrypted text, and the title p denotes a feature. Scale numbers a and b denote the coefficients of an elliptic curve (elliptic curve: y)²＝x³+ ax + b), reference G denotes the base point on the curve, reference r denotes the value of G, and reference Ks denotes the secret key (0 < Ks < r). In step S32, the encrypted data (u × G) is multiplied by a value determined relative to the secret key Ks to determine coordinates (Xv, yv). In step S33, the X coordinate of (X0, Y0) is taken out from the encrypted text data and X1 ═ X0/Xv mod p is calculated. In step S34, the Y coordinate is extracted and Y1 ═ Y0/Yv mod p is calculated. In step S35, X1 is determined to be Mx and Y1 is determined to be My to obtain a message. At this point, Y1 is discarded if My is not used for a message.

In this way, when the secret key is Ks and the public key is G, Ks × G is calculated, and the key used for encryption and the key used for decryption may be different.

Another well-known example of public key cryptographic translation is RSA, but a detailed description thereof is omitted (details of which are described in PKCS #1 version 2).

(3-9) random number Generation Process

A method of generating random numbers is explained below. Known random number generation methods include an inherent random number generation method of amplifying thermal noise to generate a random number from a final a/D output and a pseudo random number generation method of combining a plurality of linear circuits such as an M sequence together. Methods of cryptographic translation using a common key such as DES are also known. In this example, a pseudo random number generation method using DES (based on ANSI X9.17) is explained.

First, a 64-bit value obtained from data such as time (in terms of a smaller number of bits, a higher bit is set to 0) is defined as D, key information for triple DES is defined as Kr, and a seed for generating a random number is defined as S. Thus, the random number is calculated as follows:

triple DES (Kr, D) … … (2-1)

Triple DES (Kr, S φ I) … … (2-2)

Triple DES (Kr, R phi I) … … (2-3)

In this case, the triple DES () is a function that uses the first argument as the cipher translation key information and encrypts the value of the second argument according to the triple DES. The operation φ is an XOR performed every 64 bits. The last value S is updated to the new seed.

If the random numbers are continuously generated, equations (2-2) and (2-3) are repeated.

Aspects of various cryptographic translation processes suitable for use with the data processing apparatus of the present invention have been described. The specific processes performed in the data processing apparatus of the present invention are described in detail below.

(4) Structure of data stored in recording and reproducing apparatus

Fig. 18 is a diagram for explaining the data content stored in the internal memory 307 in the recording and reproducing device password interpretation processing section 302 of the recording and reproducing device 300 shown in fig. 3.

As shown in fig. 18, the internal memory 307 stores the following keys and data:

MKake: the recording apparatus authenticates a master key, which is used to generate an authentication and key exchange key (hereinafter, referred to as "Kake") required for a mutual authentication process performed between the recording and reproducing apparatus 300 and the recording apparatus 400 (see fig. 3).

IVake: for recording an initial value of the device authentication key.

MKdis: a master key for issuing keys, which are used to generate an issuing key Kdis.

Ivdis: issuing key generation initial value

Kicva: the integrity check value a generates a key that is used to generate the integrity check value ICVa.

Kicvb: the integrity check value B generates a key which is used to generate the integrity check value ICVb.

Kicvc: the content integrity check value generation key is used to generate an integrity check value ICVi (i ═ 1 to N) for each content chunk.

Kicvt: the global integrity check value generates a key that is used to generate the global integrity check value ICVt.

Ksys: a system signing key that is used to add a common signature or ICV to the issuing system.

Kdev: the recording and reproducing apparatus signature key, which varies with the recording and reproducing apparatus and is used by the recording and reproducing apparatus to increase the signature or ICV.

IVmem: an initial value of a cryptographic translation process or the like for the mutual authentication process. This value is shared by the recording devices.

The above-described key and key are stored in the internal memory 307 of the recording and reproducing device password translation processing section 302.

(5) Structure of data stored in recording apparatus

Fig. 19 is a diagram showing how data is saved on the recording and reproducing apparatus. In this figure, the internal memory 405 is divided into a plurality of blocks (N in this example), each of which stores the following keys and data:

IDmen: recording device identification information, which is unique to the recording device.

Kake: an authentication key for mutual authentication with the recording and reproducing apparatus 300.

IVmem: an initial value, which is used in a cryptographic translation process for mutual authentication or the like.

Kstr: a storage key, which is a cryptographic translation key for the block information and other content data.

Kr: random number generation key

S: and (4) seeds.

These data are stored in corresponding blocks. The external memory 402 stores a plurality of content data (M in this example), and the external memory 402 stores data shown in fig. 26 or 27, for example, as described in fig. 4. The structural differences between fig. 26 and 27 are explained below.

(6) Mutual authentication processing procedure between recording and reproducing apparatus and recording apparatus

(6-1) outline of mutual authentication Process

Fig. 20 is a flowchart illustrating a procedure of authentication between the recording and reproducing apparatus 300 and the recording apparatus 400. In step S41, the user inserts the recording apparatus 400 into the recording and reproducing apparatus 300. However, if the recording apparatus 400 can communicate in a non-contact manner, it is not necessary to insert the recording apparatus.

When the recording apparatus 400 is set in the recording and reproducing apparatus 300, the recording apparatus detection means (not shown) in the recording and reproducing apparatus 300 shown in fig. 3 notifies the control section 301 that the recording apparatus 400 has been installed. Then, in step S42, the control section 301 of the recording and reproducing device 300 transmits an initialization command to the recording device 400 through the recording device controller 303. Upon receiving the command, the recording apparatus 400 causes the control section 403 of the recording apparatus password translation processing section 401 to receive the command through the communication section 404 and clear the flag if the authentication completion flag is set. That is, set to an unidentified state.

Then, in step S43, the control section 301 of the recording and reproducing device 300 passes an initialization command to the recording and reproducing device password translation processing section 302. At this time, the control section also transmits the recording device insertion port number. When the transmitting recording device inserts the port number, even if a plurality of recording devices 400 are connected to the recording and reproducing device 300, the recording and reproducing device 300 can simultaneously perform authentication with these recording devices and transmit and receive data to and from the recording devices.

Upon receiving the initialization command, if the signing completion flag corresponding to the recording apparatus insertion port number has been set, the recording and reproducing apparatus password translation processing section 302 of the recording and reproducing apparatus 300 causes the control section 306 thereof to clear the flag. That is, set to an unidentified state.

In step S44, the control section 301 of the recording and reproducing device 300 specifies the key block number used by the recording device password translation processing section 401 of the recording device 400. The details of the key block number will be described later. In step S45, the control section 301 of the recording and reproducing device 300 reads out the recording device identification information IDmem stored in the specified key block within the internal memory 405 of the recording device 400. In step S46, the control section 301 of the recording and reproducing device 300 sends the recording device identification information IDmem to the recording and reproducing device password translation processing section 302 so as to generate the authentication key Kake based on the recording device identification information IDmem. The authentication key Kake is generated, for example, in the following manner:

Kake＝DES(MKake，IDmemφIVake)……(3)

In this case, MKake denotes a master key used for a recording apparatus authentication key used for generating an authentication key (see fig. 3) required for a mutual authentication process performed between the recording and reproducing apparatus 300 and the recording apparatus 400, which is stored in the internal memory of the recording and reproducing apparatus 300 as described above. Further, IDmem denotes recording apparatus identification information unique to the recording apparatus 400. Furthermore, IVake denotes an initial value for recording the device authentication key. Further, in the above equation, DES () represents a function that uses a first argument as a cryptographic translation key and encrypts the value of a second argument according to DES. Operation phi denotes an exclusive or operation performed every 64.

If, for example, the DES structure shown in fig. 7 or 8 is applied, the message M shown in fig. 7 and 8 corresponds to the recording apparatus identification information IDmem, the key K1 corresponds to the master key MKake for the apparatus authentication key, the initial value IV corresponds to the value IVake, and the obtained output is the authentication key Kake.

Then, in step S47, a mutual authentication processing procedure and a procedure for generating the session key Kses are performed. Mutual authentication is performed between the encryption/decryption unit 308 of the recording and reproducing device password translation processing unit 302 and the encryption/decryption unit 406 of the recording device password translation processing unit 401, and the control unit 301 of the recording and reproducing device 300 mediates between the two.

The mutual authentication process may be performed as described above in fig. 13. In the structure shown in fig. 13, a and B correspond to the recording and reproducing apparatus 300 and the recording apparatus 400, respectively. First, the recording and reproducing device password translation processing section 302 of the recording and reproducing device generates a random number Rb and transmits Rb and the recording and reproducing device identification information IDdev, which is its own ID, to the recording device password translation processing section 401 of the recording device 400. The recording and reproducing apparatus identification information IDdev is an identifier unique to the reproducing apparatus stored in the storage part of the recording and reproducing apparatus 300. The recording and reproducing apparatus identification information IDdev may be recorded in the internal memory of the recording and reproducing apparatus password translation processing section 302.

Upon receiving the random number Rb and the recording and reproducing apparatus identification information IDdev, the recording apparatus password translation processing section 401 of the recording apparatus 400 generates a new 64-bit random number Ra, encrypts data in DES CBC mode in the order of Ra, Rb and the recording and reproducing apparatus identification information IDdev with the authentication key Kake, and returns them to the recording and reproducing apparatus password translation processing section 302 of the recording and reproducing apparatus 300. For example, according to the DES CBC mode processing structure shown in fig. 7, Ra, Rb and IDdev are respectively applied to M1, M2 and M3, and at the initial value: when IV is IVmem, the outputs E1, E2, and E3 are encrypted text.

Upon receiving the encrypted texts E1, E2, and E3, the recording and reproducing apparatus password translation processing section 302 of the recording and reproducing apparatus 300 decrypts the received data with the authentication key Kake. To decrypt the received data, the encrypted text E1 is first decrypted with the key Kake, the result of which is xored with IDmem to obtain the random number Ra. The encrypted text E2 is then decrypted with the key Kake, the result of which is xored with E1 to obtain Rb. Finally, the encrypted text E3 is decrypted with the key Kake, and the result is exclusive-ored with E2 to obtain the recording and reproducing apparatus identification information IDdev. In the Ra, Rb and the recording and reproducing device identification information IDdev thus obtained, it is checked that Rb and the recording and reproducing device identification information IDdev are equivalent to those transmitted by the recording and reproducing device 300. The recording and reproducing device password interpretation processing section 302 of the recording and reproducing device 300 authenticates the recording device 400 if they are successfully verified.

Then, the recording and reproducing apparatus password interpretation processing section 302 of the recording and reproducing apparatus 300 generates a session key (hereinafter referred to as "Kses") (which is generated with a random number) used after authentication. Rb, Ra, and Kses are encrypted in DES CBC mode in this order with the key Kake and returned to the recording apparatus password translation processing section 401 of the recording apparatus 400.

Upon receiving the data, the recording apparatus password translation processing section 401 of the recording apparatus 400 decrypts the received data with the key Kake. The method for decrypting the received data is similar to the method performed by the recording and reproducing device password interpretation processing section 302 of the recording and reproducing device 300, so a detailed description thereof is omitted. In the Ra, Rb, and Kses thus obtained, it is checked that Rb and Kses are equivalent to those transmitted by the recording apparatus 400. If they are successfully verified, the recording device password interpretation processing section 401 of the recording device authenticates the recording and reproducing device 300. After the devices have authenticated each other, the session key Kses is used as a public key, which is used for secure communication after authentication.

If the received data is found to be illegitimate or non-identical during the verification process, the mutual authentication is deemed to have failed and the process is interrupted.

If the mutual authentication is successfully performed, the processing proceeds from step S48 to step S49, and in step S49, the recording and reproducing apparatus password translation processing section 302 of the recording and reproducing apparatus 300 holds the session key Kses and sets the authentication completion flag to indicate that the mutual authentication is completed. Further, if the mutual authentication fails, the processing proceeds to step S50, where the session key Kses is discarded and the authentication completion flag is cleared. If the flag has been cleared, then a clearing process is not necessarily required.

If the recording apparatus 400 is removed from the recording insertion port, the recording apparatus detection means in the recording and reproducing apparatus 300 notifies the control section 301 of the recording and reproducing apparatus 300 that the recording apparatus 400 has been removed. In response to this, the control section 301 of the recording and reproducing device 300 instructs the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300 to clear the authentication completion flag corresponding to the recording device insertion port number. In response to this, the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300 clears the authentication completion flag corresponding to the recording device insertion port number.

An example of performing mutual authentication processing according to the procedure shown in fig. 13 has been described, but the present invention is not limited to the above-described example of the authentication procedure, and processing according to the mutual authentication example in fig. 15 is possible. In addition, in the process described in fig. 13, a in fig. 13 may be set as the recording and reproducing apparatus 300, B may be set as the recording apparatus 400, and B: the recording apparatus 400 first sends to a: the ID of the recording and reproducing apparatus 300 is set as recording apparatus identification information within a key block in the recording apparatus. Various processing procedures can be applied to the authentication processing procedure performed in the present invention, and the present invention is not limited to the above authentication procedure.

(6-2) switching key blocks in mutual authentication process

A partial feature of the mutual authentication process in the data processing apparatus of the present invention is that the authentication process is performed by configuring a plurality of key blocks (for example, N) on the recording apparatus 400 side and causing the recording and reproducing apparatus 300 to designate one of them (step S44 in the flow of fig. 20). As described earlier in fig. 19, a plurality of key blocks, which store different data such as key data and ID information, are formed in the internal memory 405 provided in the password translation processing section 401 of the recording apparatus 400. The mutual authentication process between the recording and reproducing apparatus 300 and the recording integrity check value 400, which is performed as described in fig. 20, is performed on one of the plurality of key blocks of the recording apparatus 400 in fig. 19.

A general structure for performing a mutual authentication process between a recording medium and a reproducing apparatus generally uses a common authentication key for mutual authentication. Therefore, when an authentication key is to be changed for each product destination (country) or product, key data necessary for authentication processing for both devices must be changed on the recording and reproducing device and the recording device. Accordingly, key data required for an authentication process stored in a newly sold recording and reproducing apparatus does not correspond to key data required for an authentication process stored in a previously sold recording and reproducing apparatus, and therefore, the new recording and reproducing apparatus cannot access an old version of the recording apparatus. In contrast, there is a similar situation in the relationship between the new version recording apparatus and the old version recording and reproducing apparatus.

In the data processing apparatus of the present invention, a key block is stored in the recording apparatus 400 as a plurality of different key sets shown in fig. 19. The recording and reproducing apparatus has a key block to be applied to an authentication process, i.e., a set of key blocks having a designation, for example, in terms of each product destination (country), product, apparatus type, version, or application. Such aggregate information is stored in a storage section of the recording and reproducing apparatus, for example, in the internal memory of fig. 3 or other storage means of the recording and reproducing apparatus 300, and is accessed by the control section 301 in fig. 3 in the authentication process to specify a key block based on such aggregate information.

The master key Mkake for the recording apparatus authentication key in the internal memory 307 of the recording and reproducing apparatus 300 is set according to the set for the specified key block, and corresponds only to the specified key block, which does not form mutual authentication with any key block other than the specified block.

As shown in fig. 19, the internal memory 405 of the recording apparatus 400 has N sets of key blocks (1 to N), each set storing recording apparatus identification information, an authentication key, an initial value, a storage key, a random number generation key, and a seed, each key block storing at least authentication key data as data that varies from key block to key block.

In this way, the key data structure of the key block in the recording apparatus 400 is changed from key block to key block. Thus, for example, a key block by which a certain recording and reproducing apparatus a performs an authentication process with a master key MKake for a recording apparatus authentication key stored in an internal memory may be set as a key block number one, and a key block by which a recording and reproducing apparatus B having a different specification performs an authentication process may be set as another key block such as a key block number two.

Although detailed description will be made below, when content is stored in the external memory 402 of the recording apparatus 400, the storage key Kstr stored in each key block is used to encrypt and store the content. In particular, the storage key is used to encrypt the content key, and the key is used to encrypt the content chunk.

As shown in fig. 19, the storage key is configured as a key that varies from key block to key block. Accordingly, it is possible to prevent contents stored in the memory of the recording apparatus from being shared by two different recording and reproducing apparatus setting sets to designate different key blocks. That is, recording and reproducing apparatuses of different settings can use only the content stored in the recording apparatus compatible with the settings thereof.

Data common to the respective key blocks may be formed in the above-described manner, while, for example, only authentication key data and storage key data may vary from key block to key block.

In a specific example in which a key block including a plurality of different key data is configured in a recording apparatus, for example, different key block numbers to be specified are set for different types of recording and reproducing apparatuses 300 (installation type, portable type, etc.), or different specified key blocks are set for different applications. Further, different key blocks may be set for different regions, for example, a key block one number is designated for a recording and reproducing apparatus sold in japan, and a key block two number is designated for a recording and reproducing apparatus sold in the united states. With this structure, even if a recording apparatus such as a memory card is passed from the united states to japan or vice versa, contents used in different regions and stored in respective recording apparatuses having different storage keys cannot be used in recording and reproducing apparatuses having different key settings, and thus, illegal and unordered distribution of contents stored in the storage can be prevented. Specifically, this helps to exclude a case where the content key Kcon encrypted with a different storage key Kstr is mutually used in two different countries.

Also, at least one of the key blocks 1 to N, for example, the nth key block in the internal memory 405 of the recording apparatus 400 shown in fig. 19 may be shared by any recording and reproducing apparatus 300.

For example, when the key block N-th number and the master key MKake for the recording apparatus authentication key that can perform authentication are stored in all apparatuses, the content can be distributed regardless of the type of the recording and reproducing apparatus 300, the application, or the destination country. For example, encrypted content stored in a memory card with a storage key stored in the nth number of the key block may be used in any device. For example, music data or the like can be decrypted and reproduced from a memory card by encrypting data with a storage key in a shared key block, storing them into the memory card, and setting the memory card to, for example, a portable sound reproducing apparatus in which a master key MKake for a recording apparatus authentication key that is also shared is stored.

Fig. 21 shows an example of the use of the data processing device of the invention with a plurality of key blocks. The recording and reproducing apparatus 2101 is a product sold in japan and has a master key capable of authentication processing with the key block number one and number four in the recording apparatus. The recording and reproducing apparatus 2102 is a product sold in the united states and has a master key capable of performing authentication processing with key block No. two and No. four in the recording apparatus. The recording and reproducing apparatus 2103 is a product sold in europe and has a master key capable of performing authentication processing with the key block No. three and No. four in the recording apparatus.

For example, the recording and reproducing apparatus 2101 authenticates the key block 1 or 4 in the recording apparatus 2104 to store the content encrypted by the storage key stored in the key block into the external memory. The recording and reproducing apparatus 2102 authenticates with the key block 2 or 4 in the recording apparatus 2105 to store the content encrypted by the storage key stored in the key block into the external memory. The recording and reproducing apparatus 2103 authenticates the key block 3 or 4 in the recording apparatus 2106 to store the contents encrypted by the storage key stored in the key block into the external memory. Then, if the recording apparatus a2104 is mounted in the recording and reproducing apparatus 2102 or 2103, the content encrypted with the storage key in the key block 1 cannot be used because authentication cannot be made between the recording and reproducing apparatus 2102 or 2103 and the key block 1. On the other hand, the content encrypted with the storage key in the key block 4 can be used because authentication can be made between the recording and reproducing apparatus 2102 or 2103 and the key block 4.

As described above, in the data processing apparatus of the present invention, a key block including a plurality of different key sets is arranged in a recording apparatus, and a recording and reproducing apparatus stores a master key so that authentication for a specific key block can be performed, whereby restrictions on use of content can be set according to different forms of use.

Also, a plurality of key blocks, for example, 1 to k, may be specified in one recording and reproducing apparatus, and a plurality of key blocks p and q may be specified in another recording and reproducing apparatus. Furthermore, a plurality of sharable keyblobs may be provided.

(7) Procedure for downloading from a recording and reproducing device to a recording device

The following describes a procedure of the data processing apparatus of the present invention for downloading content from the recording and reproducing apparatus 300 to the external memory of the recording apparatus 400.

Fig. 22 is a flowchart for explaining the downloading of content from the recording and reproducing apparatus 300 to the recording apparatus 400. In this figure, it is assumed that the above-described mutual authentication process between the recording and reproducing apparatus 300 and the recording apparatus 400 has been completed.

In step S51, the control section 301 of the recording and reproducing apparatus 300 reads out data in a predetermined format from the medium 500 in which the content is stored with the reading section 304 or receives data in a predetermined format from the communication device 600 with the communication section 305. Then, the control section 301 of the recording and reproducing device 300 passes the header section of the data (see fig. 4) to the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300.

In step S52, the control section 306 of the recording and reproducing device password translation processing section 302 that has received the header in step S51 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate the integrity check value a. The integrity check value a is calculated in the ICV calculation method described in fig. 7 in the case where the integrity check value a generation key Kicva stored in the internal storage 307 of the recording and reproducing apparatus password translation processing section 302 is used as a key and the content ID and the usage policy are used as messages, as shown in fig. 23. The initial value may be IV-0 or may be an integrity check value a generation initial value, which is stored in the internal memory 307 of the recording and reproducing device password translation processing section 302. Finally, the integrity check value a and the check value ICVa stored in the header are compared together, and if they are equal, the process proceeds to step S53.

As previously described in fig. 4, the check value A, ICVa is used to verify that the content ID and usage policy have not been tampered with. If the integrity check value a calculated by the ICV calculation method described in fig. 7 in the case where the integrity check value a generation key Kicva stored in the internal storage 307 of the recording and reproducing apparatus cryptographic translation processing section 302 is used as a key and the content ID and the usage policy are used as messages is equal to the check value ICVa stored in the header, it can be determined that the content ID and the usage policy have not been tampered with.

Then, in step S53, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to generate the distribution key Kdis. The distribution key Kdis is generated, for example, as follows:

kdis ═ DES (MKdis, content ID φ IVdis) … … (4)

In this case, MKdis denotes a master key used for issuing a key used for generating the issuing key Kdis, which is stored in the internal memory of the recording and reproducing device 300 as described above. The content ID is identification information of a header portion of the content data, and the IVdis represents an initial value of the distribution key. Further, in the above equation, DES () represents a function that uses a first argument as a cryptographic translation key and encrypts the value of a second argument. Operation phi denotes an exclusive or operation performed every 64.

In step S54, the control section 306 of the recording and reproducing device crypt translation processing section 302 decrypts the block information table key Kbit and the content key Knon (see fig. 4) stored in the header section of the data obtained from the medium 500 by the reading section 304 or received from the communication apparatus 600 by the communication section 305, with the encryption/decryption section 308 of the recording and reproducing device crypt translation processing section 302 and with the distribution key Kdis generated in step S53. As shown in fig. 4, the block information table key Kbit and the content key Knon are encrypted in advance with the distribution key Kdis on a medium such as a DVD or a CD or on a communication path such as the internet.

In step S55, the control section 306 of the recording and reproducing device crypt translation processing section 302 decrypts the Block Information Table (BIT) with the encryption/decryption section 308 of the recording and reproducing device crypt translation processing section 302 by means of the block information table key Kbit decrypted in step S54. The Block Information Table (BIT) shown in fig. 4 is encrypted in advance with a block information table key Kbit on a medium such as a DVD or a CD or on a communication path such as the internet.

Further, in step S56, the control section 306 of the recording and reproducing device cryptographic translation processing section 302 divides the block information table key Kbit, the content key Kcon, and the Block Information Table (BIT) into 8-byte sections, all of which are exclusive-or operated (any operation such as addition or subtraction may be used). Then, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate the integrity check value b (icvb). The integrity check value B is generated by using the integrity check value B generation key Kicvb stored in the internal storage 307 of the recording and reproducing apparatus password translation processing section 302 as a key to decrypt the previously calculated exclusive or value according to DES, as shown in fig. 24. Finally, the integrity check value B in the header and the check value ICVa are compared together, and if they are equal, the process proceeds to step S57.

As previously described in fig. 4, the check value B, ICVb is used for the block information table key Kbit, the content key Kcon, and the Block Information Table (BIT) that have not been tampered with. If the integrity check value B generated by dividing the integrity check value B generation key Kicvb stored in the internal storage 307 of the recording and reproducing device crypt translation processing section 302 into 8-byte segments, using it as a key, xoring the block information table key Kbit, the content key Kcon, and the Block Information Table (BIT), and encrypting the xored data according to DES is equal to the check value ICVb stored in the header, it can be judged that the block information table key Kbit, the content key Kcon, and the block information table have not been tampered with.

In step S57, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate an intermediate integrity check value. The above-described intermediate value is calculated in the ICV calculation method described in fig. 7 in the case where the integrity check value generation key Kicvt stored in the internal storage 307 of the recording and reproducing device password translation processing section 302 is used as a key and the integrity check values a and B and all the saved content integrity check values are used as messages. The initial value may be IV-0 or may be generated using the overall integrity check value, which is stored in the internal memory 307 of the recording and reproducing device password translation processing section 302. Further, the generated intermediate integrity check value is stored in the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300 as needed.

The intermediate integrity check values are generated by using the integrity check values a and B and all saved content integrity check values as messages and the data verified by each integrity check value can be verified by comparing it to the intermediate integrity check value. However, in the present embodiment, a plurality of different integrity check values, i.e., the overall integrity check value ICVt and the check value ICVdev unique to the recording and reproducing device 300, may be independently generated from the intermediate integrity check value, and thus, a process for verifying absence of tampering, which may be performed in terms of shared data of the entire system, and a verification process for identifying occupied data occupied only by each recording and reproducing device 300 after a download process may be differently performed.

The control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate the global integrity check value ICVt. The overall integrity check value ICVt is generated by using the system signature key Ksys stored in the internal storage 307 of the recording and reproducing device crypto-translation processing section 302 as a key so as to decrypt the overall integrity check value in accordance with DES. Finally, the global integrity check value AICVt is compared with the ICVt stored in the header at step S51, and if they are equal, the process proceeds to step S58. The system signing key Ksys is common to a plurality of recording and reproducing apparatuses, that is, the entire system performs processing for recording and reproducing certain data.

As previously described in fig. 4, the integrity check value ICVt is used to verify that all of the integrity check values ICVa and ICVb and the integrity check values for the respective content blocks have not been tampered with. If the global integrity check value generated by the above process is equal to the integrity check value ICVt stored in the header, it can be determined that all of the integrity check values ICVa and ICVb and the integrity check value for each content block have not been tampered with.

Then, in step S58, the control part 301 of the recording and reproducing device 300 takes out the content block information from the Block Information Table (BIT) and checks whether any content block is to be authenticated. If any of the content blocks is to be authenticated, a content integrity check value has been stored in the block information of the header.

If any content block is to be authenticated, the control section 301 reads out the content block from the medium 500 by using the reading section 304 of the recording and reproducing apparatus 300 or reads out the content block received from the communication device 600 by the communication section 305 of the recording and reproducing apparatus 300, and transmits the content block to the recording and reproducing apparatus crypt translation processing section 302 of the recording and reproducing apparatus 300. Upon receiving the content block, the control section 306 of the recording and reproducing device 300 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate a content intermediate value.

The content intermediate value is generated by using the content key Kcon decrypted in step S54 to decrypt the input content block in the DES CBC mode, thereby dividing the final data into 8-byte sections and performing an exclusive or operation on all of these sections (any operation such as addition or subtraction may also be used).

Then, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate the content integrity check value. The content integrity check value is generated by using the content integrity check value generation key Kicvc stored in the internal storage 307 of the recording and reproducing device crypto-translation processing section 302 as a key so as to decrypt the content intermediate value according to DES. The control section 306 of the recording and reproducing device 300 compares this content integrity check value with the ICV in the content block received from the control section 301 of the recording and reproducing device 300 in step S51, and passes the result to the control section 301 of the recording and reproducing device 300. Upon receiving the above result and having successfully authenticated, the control section 301 of the recording and reproducing device 300 takes out the next content block to be authenticated and causes the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300 to authenticate the content block. A similar verification process is repeated until all content chunks are verified. The initial value may be IV-0, or if the header generation side uses the same setting, the initial value IVc may be generated using the content integrity check value, which is stored in the internal memory 307 of the recording and reproducing device password translation processing section 302. Further, all the checked content integrity check values are held in the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300. Further, the recording and reproducing device password interpretation processing section 302 of the recording and reproducing device 300 monitors the order of verifying the content blocks so as to consider that the authentication has failed in the case where the order is not correct or in the case where the same content block is verified two or more times. If all the pieces of content are successfully verified, the process proceeds to step S59.

Then, in step S59, the recording and reproducing device crypt translation processing section 302 of the recording and reproducing device 300 causes the encryption/decryption section 308 of the recording and reproducing device crypt translation processing section 302 to encrypt the block information table key Kbit and the content key decrypted in step S54 by using the session key Kses sharable in the mutual authentication process. The control section 301 of the recording and reproducing apparatus 300 reads the block information table key Kbit and the content key Kcon, which are decrypted with the session key Kses, from the recording and reproducing apparatus crypt translation processing section 302 of the recording and reproducing apparatus 300. The control section 301 transfers these data to the recording device 400 through the recording device controller 303 of the recording and reproducing device 300.

In step S60, upon receiving the block information table key Kbit and the content key Kcon transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device cipher translation processing section 401 to decrypt the received data with the session key Kses sharable in the mutual authentication process and re-encrypt the decrypted data with the storage key Kstr unique to the recording device stored in the internal memory 405 of the recording device cipher translation processing section 401. Finally, the control section 301 of the recording and reproducing apparatus 300 reads out the block information table key Kbit and the content key Kcon, which are re-encrypted with the storage key Kstr, from the recording apparatus 400 through the recording apparatus controller 303 of the recording and reproducing apparatus 300. They may be replaced with a block information table key Kbit and a content key Kcon encrypted with an issuance key Kdis.

In step S61, the control section 301 of the recording and reproducing apparatus 300 extracts the localization field from the use policy in the header section of the data to determine whether the downloaded content is for this recording and reproducing apparatus 300 only (in this case, the localization field is set to 1) or is usable by other similar recording and reproducing apparatuses 300 (in this case, the localization field is set to 0). If the result of the judgment shows that the localization field is set to 1, the processing proceeds to step S62.

In step S62, the control section 301 of the recording and reproducing device 300 causes the recording and reproducing device password interpretation processing section 302 of the recording and reproducing device 300 to calculate an integrity check value unique to the recording and reproducing device. An integrity check value unique to the recording and reproducing apparatus is generated by using the recording and reproducing apparatus signature key Kdev stored in the internal storage 307 of the recording and reproducing apparatus crypt translation processing section 302 as a key so as to decrypt the intermediate integrity check value according to DES. The intermediate integrity check value is saved in step S58. The integrity check value ICVdev calculated to be unique to the recording and reproducing apparatus may replace the overall integrity check value.

As described above, the system signature key Ksys is used to attach the common signature or ICV to the distribution system, and the recording and reproducing device signature key Kdev is a function of the recording and reproducing device and is usable by the recording and reproducing device to attach the signature or ICV. That is, data signed with the system signature key Ksys can be successfully checked by the system (recording and reproducing apparatus) having the same system signature key, that is, such data has the same overall integrity check value and thus can be shared. However, if the data is signed with the recording and reproducing apparatus signature key Kdev, since such a signature key is unique to the recording and reproducing apparatus, even if an attempt is made to reproduce the data signed with the recording and reproducing apparatus signature key Kdev after the recording apparatus is inserted into another recording and reproducing apparatus, that is, the data stored in the recording apparatus after the signing, these data cannot be reproduced, that is, errors may occur due to unequal integrity check values ICVdev unique to the recording and reproducing apparatus.

Therefore, in the data processing apparatus of the present invention, setting the localization field enables the content to be arbitrarily set to be shared within the entire system or to be used only by a specific recording and reproducing apparatus.

In step S63, the control section 301 of the recording and reproducing device 300 stores the content into the external memory 402 of the recording device 400.

Fig. 26 is a diagram showing how to store content in the recording apparatus with the localization field set to 0. Fig. 27 is a diagram showing how to store content in the recording apparatus with the localization field set to 1. Fig. 26 differs from fig. 4 only in whether the content block information key Kbit and the content key Kcon are encrypted with the distribution key Kdis or the storage key Kstr. Fig. 26 and 27 differ in that in fig. 26, the integrity check value calculated from the intermediate integrity check value is encrypted with the system signing key Ksys, whereas in fig. 27, the integrity check value is encrypted with the recording and reproducing device signing key Kdev unique to the recording and reproducing device.

In the flow of fig. 22, if the verification of the integrity check value a fails in step S52, if the verification of the integrity check value B fails in step S56, if the verification of the integrity check value ICVt fails in step S57, or if the verification of the content block content integrity check value fails in step S58, the process proceeds to step S64 to provide a predetermined error display.

Further, if the localization field is set to 0 in step S61, the processing proceeds to S63 skipping step S62.

(8) Procedure performed by a recording and reproducing device for reproducing information stored in the recording device

The following describes a process performed by the recording and reproducing apparatus 300 for reproducing content information stored in the external memory 402 of the recording apparatus 400.

Fig. 28 is a flowchart for explaining the recording and reproducing apparatus 300 performing the operation for reading out a content from the recording apparatus 400 and using the content. In fig. 28, it is assumed that mutual authentication has been completed between the recording and reproducing apparatus 300 and the recording apparatus 400.

In step S71, the control section 301 of the recording and reproducing device 300 reads out the content from the external memory 402 of the recording device 400 with the recording device controller 303. Then, the control section 301 of the recording and reproducing apparatus 300 transfers the header of the data to the recording and reproducing apparatus password translation processing section 302 of the recording and reproducing apparatus 300. Step S72 is similar to step S52 described in "(7) procedure for downloading from the recording and reproducing apparatus to the recording apparatus", in which the control section 306 of the recording and reproducing apparatus password translation processing section 302 having received the header may cause the encryption/decryption section 308 of the recording and reproducing apparatus password translation processing section 302 to calculate the integrity check value a. In the case where the integrity check value a generation key Kicva stored in the internal storage 307 of the recording and reproducing apparatus password translation processing section 302 is used as a key and the content ID and the usage policy are used as messages, the integrity check value a is calculated in the ICV calculation method described in fig. 7, as previously shown in fig. 23.

As previously described, the check value A, ICVa is used to verify that the content ID and usage policy have not been tampered with. If the integrity check value a calculated by the ICV calculation method described in fig. 7 in the case where the integrity check value a generation key Kicva stored in the internal storage 307 of the recording and reproducing device cryptographic translation processing section 302 is used as a key and the content ID and the usage policy are used as messages is equal to the check value ICVa stored in the header, it can be determined that the content ID and the usage policy stored in the recording device 400 have not been tampered with.

In step S73, the control section 301 of the recording and reproducing device 300 reads out the block information table key Kbit and the content key Knon from the read header section, and then transfers them to the recording device 400 through the recording device controller 303 of the recording and reproducing device 300. Upon receiving the block information table key Kbit and the content key Knon transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device crypto-translation processing section 401 to decrypt the received data with the storage key Kstr unique to the recording stored in the internal memory 405 of the recording device crypto-translation processing section 401, and then re-encrypt the decrypted data with the session key Kses sharable in the mutual authentication process. Thereafter, the control section 301 of the recording and reproducing apparatus 300 reads out the block information table key Kbit and the content key Knon, which are re-encrypted with the session key Kses from the recording apparatus 400, from the recording apparatus 400 through the recording apparatus controller 303 of the recording and reproducing apparatus 300.

In step S74, the control section 301 of the recording and reproducing apparatus 300 passes the received block information key Kbit and content key Kcon, which are re-encrypted with the session key Kses, to the recording and reproducing apparatus crypt translation processing section 302 of the recording and reproducing apparatus 300.

Upon receiving the block information key Kbit and the content key Knon re-encrypted with the session key Kses, the recording and reproducing device crypt translation processing section 302 of the recording and reproducing device 300 causes the encryption/decryption section 308 of the recording and reproducing device crypt translation processing section 302 to decrypt the block information key Kbit and the content key Knon encryption of the session key Kses with the session key Kses sharable in the mutual authentication process. Then, the recording and reproducing device cryptographic translation processing section 302 causes the encryption/decryption section 308 to decrypt the block information table received in step S71 with the decrypted block information table key Kbit.

The recording and reproducing device cryptographic translation processing section 302 of the recording and reproducing device 300 replaces the decrypted block information table key Kbit, content key Kcon, and block information table BIT with the values received in step S71 for saving. Further, the control section 301 of the recording and reproducing device 300 reads out the decrypted block information table BIT from the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300.

Step S75 is similar to step S56 described in "(7) procedure for downloading from the recording and reproducing apparatus to the recording apparatus". The control section 306 of the recording and reproducing apparatus crypt translation processing section 302 divides the block information table key Kbit, the content key Kcon, and the Block Information Table (BIT) read out from the recording apparatus 400 into 8-byte sections, and then exclusive-ors all of them. The control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate the integrity check value b (icvb). The integrity check value B is generated by using the integrity check value B generation key Kicvb stored in the internal storage 307 of the recording and reproducing apparatus password translation processing section 302 as a key to decrypt the previously calculated exclusive or operated value according to DES, as previously shown in fig. 24. Finally, the check value B and the check value ICVa in the header are compared together, and if they are equal, the processing proceeds to step S76.

As previously described, the check value B, ICVb is used to verify that the block information table key Kbit, the content key Kcon, and the Block Information Table (BIT) have not been tampered with. If the integrity check value B generated by dividing the integrity check value B generation key Kicvb stored in the internal storage 307 of the recording and reproducing device crypt translation processing section 302 into 8-byte segments using as a key, the block information table key Kbit, the content key Kcon, and the Block Information Table (BIT) read out from the recording device 400, exclusive-oring these data, and encrypting the exclusive-ored data according to DES is equal to the check value ICVb stored in the header, it can be judged that the block information table key Kbit, the content key Kcon, and the block information table have not been tampered with.

In step S76, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate an intermediate integrity check value. The above-described intermediate value is calculated in the ICV calculation method described in fig. 7 in the case where the integrity check value generation key Kicvt stored in the internal storage 307 of the recording and reproducing device password translation processing section 302 is used as a key and the integrity check values a and B and all the saved content integrity check values are used as messages. The initial value may be IV-0 or an initial value IVt may be generated using the global integrity check value, which is stored in the internal memory 307 of the recording and reproducing device password translation processing section 302. Further, the generated intermediate integrity check value is stored in the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300 as needed.

Then, in step S77, the control section 301 of the recording and reproducing apparatus 300 extracts the localization field from the use policy contained in the header section of the data read out from the external memory 402 of the recording apparatus 400 to judge whether the downloaded content is for this recording and reproducing apparatus 300 only (in this case, the localization field is set to 1) or is usable by other similar recording and reproducing apparatuses 300 (in this case, the localization field is set to 0). If the result of the judgment shows that the localization field is set to 1, that is, it is set that the downloaded content is used only for this recording and reproducing apparatus 300, the processing proceeds to step S80. If the localization field is set to 0, that is, it is set so that the downloaded content can also be used by other similar recording and reproducing devices 300, the processing proceeds to step S78. Step 77 is processed by the password translation processing unit 302.

In step 78, the global integrity check value ICVt is calculated in the same manner as in step S58 described in "(7) procedure for downloading from the recording and reproducing apparatus to the recording apparatus". That is, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate the global integrity check value ICVt. The global integrity check value ICVt is generated by using the system signature key Ksys stored in the internal storage 307 of the recording and reproducing device password translation processing section 302 as a key to encrypt the intermediate value according to DES, as previously shown in fig. 25.

The process proceeds to S79 to compare the global integrity check value ICVt generated in step S78 with the ICVt stored in the header in step S71. If these values are equal, the processing proceeds to step S82.

As previously described, the integrity check value ICVt is used to verify that the integrity check values ICVa and ICVb and all content block integrity check values have not been tampered with. Therefore, if the overall integrity check value generated by the above-described process is equal to the check value ICVt stored in the header, it can be judged that the integrity check values ICVa and ICVb and all the content block integrity check values have not been tampered within the data stored in the recording apparatus 400.

If the result of the determination in step S77 shows that the localized field setting downloaded content is available only to this recording and reproducing device 300, that is, the field is set to 1, the processing proceeds to step S80.

In step S80, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate the integrity check value ICVdev. The integrity check value ickdev unique to the recording and reproducing device is generated as shown in fig. 25 by using the recording and reproducing device signing key Kdev unique to the recording and reproducing device stored in the internal storage 307 of the recording and reproducing device password translation processing section 302 as a key so as to decrypt the integrity check value in accordance with DES. The intermediate integrity check value is saved in step S58. In step S81, the check value ICVdev calculated in step S80 as being unique to the recording and reproducing apparatus and the ICVdev stored in step S71 are compared together, and if they are equal, the processing proceeds to step S82.

Therefore, data signed with the same system signature key Ksys can be successfully checked by the system (recording and reproducing apparatus) having the same system signature key, that is, such data has the same overall integrity check value ICVt and can be shared. However, if data is signed with the recording and reproducing apparatus signature key Kdev, since such a signature key is unique to the recording and reproducing apparatus, even if it is attempted to reproduce the data signed with the recording and reproducing apparatus signature key Kdev after the recording apparatus is inserted into another recording and reproducing apparatus (i.e., the data stored in the recording apparatus after the signing), the data cannot be reproduced, that is, an error occurs for a mismatch in the integrity check value vdiev unique to the recording and reproducing apparatus. Thus, setting the localization field enables content to be arbitrarily set to be shared within the entire system or to be used only by a specific recording and reproducing apparatus.

In step S82, the control part 301 of the recording and reproducing device 300 takes out content block information from within the Block Information Table (BIT) read out in step S74 and checks whether any content block is to be encrypted. If any piece of content is to be encrypted, the control section 301 reads out this piece of content from the external memory 402 of the recording apparatus 400 through the reading apparatus controller 303 of the recording and reproducing apparatus 300, and then sends the piece of content to the recording and reproducing apparatus password translation processing section 302 of the recording and reproducing apparatus 300. Upon receiving the content block, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to decrypt the content, and if the content block is to be authenticated, causes the encryption/decryption section 308 to calculate a content integrity check value in step S83.

Step S83 is similar to step S58 described in "(7) procedure for downloading from the recording and reproducing apparatus to the recording apparatus". The control section 301 of the recording and reproducing apparatus 300 takes out the content block information from the Block Information Table (BIT) and judges whether or not any content block is to be authenticated based on the stored content integrity check value. If any piece of content is to be authenticated, the control section 301 receives the piece of content from the external memory 402 of the recording apparatus 400 and passes it to the recording and reproducing apparatus password translation processing section 302 of the recording and reproducing apparatus 300. Upon receiving the content block, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate a content intermediate value.

The content intermediate value is generated by using the content key Kcon decrypted in step S74 to decrypt the input content block in the DES CBC mode, thereby dividing the final data into 8-byte segments and xoring all the segments.

Then, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate the content integrity check value. The content integrity check value is generated by using the content integrity check value generation key Kicvc stored in the internal storage 307 of the recording and reproducing device crypto-translation processing section 302 as a key so as to decrypt the content intermediate value according to DES. The control section 306 of the recording and reproducing device 300 compares this content integrity check value with the ICV in the content block received from the control section 301 of the recording and reproducing device 300 in step S71, and passes the result to the control section 301 of the recording and reproducing device 300. Upon receiving the above result and having successfully authenticated, the control section 301 of the recording and reproducing device 300 takes out the next content block to be authenticated and causes the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300 to authenticate the content block. A similar verification process is repeated until all content chunks are verified. The initial value may be IV-0, or an initial value IVc may be generated using the content integrity check value, which is stored in the internal memory 307 of the recording and reproducing device password translation processing section 302. Further, all the checked content integrity check values are held in the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300. Further, the recording and reproducing device password interpretation processing section 302 of the recording and reproducing device 300 monitors the order of verifying the content blocks so as to consider that the authentication has failed in the case where the order is not correct or in the case where the same content block is verified two or more times.

The control section 301 of the recording and reproducing apparatus 300 receives the comparison results of the content integrity check values (if no content block is to be authenticated, all the comparison results are successful), and if the authentication has been successful, the control section 301 fetches the decrypted content from the recording and reproducing apparatus crypto-translation processing section 302 of the recording and reproducing apparatus 300. Then, the control section 301 takes out the next content block to be authenticated and causes the recording and reproducing device password interpretation processing section 302 of the recording and reproducing device 300 to decrypt the content block. A similar authentication process is repeated until all content blocks have been decrypted.

In step 83, if the recording and reproducing device password interpretation processing section 302 of the recording and reproducing device 300 judges that the content integrity check values are not equal after the authentication process, it regards the authentication as failed and prevents decryption of the remaining content. Further, the recording and reproducing device password interpretation processing section 302 of the recording and reproducing device 300 monitors the order of decrypting the content blocks so as to consider that the decryption has failed in the case where the order is not correct or in the case where the same content block is decrypted two or more times.

If the verification of the integrity check value a has failed in step S72, if the verification of the integrity check value B has failed in step S75, if the verification of the integrity check value ICVt has failed in step S79, if the verification of the integrity check value ICVdev unique to the recording and reproducing apparatus has failed in step S81, or if the verification of the content block content integrity check value has failed in step S81, the processing proceeds to step S84 to provide a predetermined error display.

As described above, not only can the important data be encrypted, canceled, or subjected to a falsification check at the time of downloading or using the content, but also the content can be prevented from being decrypted incorrectly even when the data on the recording medium is simply copied onto another recording medium, because the block information table key for decrypting the block information table BIT and the content key Kcon for decrypting the content exist together with the storage key Kstr unique to the recording medium. Specifically, for example, in step S74 of fig. 28, the other recording apparatus cannot properly decrypt the data because each recording apparatus decrypts the data encrypted with the different storage key Kstr.

(9) Key exchange procedure after mutual authentication

The data processing apparatus of the present invention is characterized in part in that the recording apparatus 400 can be used only after the above-described mutual authentication process between the recording and reproducing apparatus 300 and the recording apparatus 400, and the form of use of the recording apparatus is limited.

For example, in order to prevent a user from producing a recording device such as a memory card in which contents are stored by illegal copying or the like and using such a recording device in a recording and reproducing device, mutual authentication is performed between the recording and reproducing device 300 and the recording device 400, and the (encrypted) contents can be transferred between the recording and reproducing device 300 and the recording device 400 only if they are mutually authenticated.

In order to obtain the above-described restriction process, according to the data processing device of the present invention, all processes in the cryptographic translation processing section 401 of the recording device 400 are executed according to a predetermined command string. That is, the recording apparatus has a command procedure structure that obtains a command from the register according to the command number. Fig. 29 is a diagram for explaining a command procedure structure of the recording apparatus.

As shown in fig. 29, between the recording and reproducing device 300 having the recording and reproducing device password translation processing section 302 and the recording device 400 having the recording device encryption processing section 401, a command number (No.) is output from the recording device controller 303 to a communication section (including a reception register) 404 of the recording device 400 under the control of the control section 301 of the recording and reproducing device 300.

The recording apparatus 400 has a command number management section 2201 (2901. The command number management section 2901 has a command register 2902 to store a command string corresponding to a command number output from the recording and reproducing device 300. In the command string, command numbers 0 to y are associated with the execution commands in order, as shown on the right side of fig. 29. The command number management section 2901 monitors the command numbers output from the recording and reproducing device 300 to fetch the corresponding commands from the command register 2902 for execution.

In the command sequence stored in the command register 2902, the command string for the authentication processing sequence is associated with the preceding command numbers 0 to k, as shown on the right side of fig. 29. Further, the command numbers p to s following the command string for the authentication processing sequence are associated with the decryption, key exchange, and encryption processing command sequence 1, and the following command numbers u to y are associated with the decryption, key exchange, and encryption processing command sequence 2,

as described above with respect to the authentication process in fig. 20, when the recording apparatus 400 is mounted into the recording and reproducing apparatus 300, the control section 301 of the recording and reproducing apparatus 300 transmits a mounting command to the recording apparatus 400 through the recording apparatus controller 303. Upon receiving the command, the recording apparatus 400 causes the control section 403 of the recording apparatus password translation processing section 401 to receive the command through the communication section 404 and clear the authentication flag 2903. That is, an unauthenticated state is set. In addition, in the case where power is supplied from the recording and reproducing apparatus 300 to the recording apparatus 400, the unauthenticated state (.

Then, the control section 301 of the recording and reproducing device 300 passes the install command to the recording and reproducing device password translation processing section 302. At this time, the control unit 301 also transmits the recording device insertion port number. When the recording device insertion port number is transmitted, even if a plurality of recording devices 400 are connected to the recording and reproducing device 300, the recording and reproducing device 300 simultaneously performs authentication with the recording device 400 and transmits and receives data to and from the recording devices.

Upon receiving the install command, the recording and reproducing apparatus password translation processing section 302 of the recording and reproducing apparatus 300 causes the control section 306 thereof to clear the signature flag 2904 corresponding to the recording apparatus insertion port number. That is, set to an unidentified state.

Once the mounting process is completed, the control section 301 of the recording and reproducing device 300 outputs the command numbers sequentially in ascending order starting from the command number 0 through the recording device control 303. The recording apparatus 400 command number management section 2901 monitors the command numbers input from the recording and reproducing apparatus 300 to ensure that they are input in the order starting with command number 0, and obtains the corresponding commands from the command register 2902 in order to execute various processing procedures such as authentication processing procedures. If the input command numbers are not in the specified order, an error occurs, and the command number reception value is reset to the initial value, that is, the executable command number is reset to 0.

In the command sequence shown in fig. 29 stored in the command register 2092, a command number is notified to perform the authentication process first, and after this process sequence, a decryption, key exchange, and encryption process sequence is stored.

A specific example of a sequence of decryption, key exchange and encryption processes is described below with reference to fig. 30 and 31.

Fig. 30 shows a part of the process performed when downloading content from the recording and reproducing apparatus 300 to the recording apparatus 400 as previously described in fig. 22. Specifically, this process is performed between steps 59 and 60 in fig. 22.

In fig. 30, in step S3001, the recording apparatus receives data (e.g., the block information table key Kbit, the content key Kcon) encrypted with the session key Kses from the recording and reproducing apparatus. Thereafter, the command strings p to s shown in fig. 21 are started. After the authentication processing commands 0 to k have been completed to set the authentication flags 2903 and 2904 shown in fig. 29 to indicate completion, the command strings p to s are started. The command number management unit 2901 ensures this by receiving command numbers only in ascending order starting from 0.

In step S3002, the recording apparatus stores the data (e.g., the block information table key Kbit, the content key Kcon) received from the recording and reproducing apparatus and encrypted with the session key Kses in the register.

In step S3003, a process is performed which takes out the data encrypted with the session key Kses (e.g., the block information table key Kbit, the content key Kcon) from the register and decrypts them with the session key Kses.

In step S3004, a process is performed that encrypts data (e.g., the block information table key Kbit, the content key Kcon) decrypted with the session key Kses with the storage key Kstr.

The above-described steps 3002 to 3004 correspond to the procedure included in the command numbers p to s in the command register as previously shown in fig. 29. The recording apparatus password translation processing section 401 sequentially executes these processes from the command numbers p to s received in the recording and reproducing apparatus 300 according to the command number management section 2901 of the recording apparatus 400.

In step S3005, the data encrypted with the storage key Kstr (e.g., the block information table key Kbit, the content key Kcon) is stored in the memory of the recording apparatus. In this step, the recording and reproducing device 300 can read out the data encrypted with the storage key Kstr from the recording device password translation processing section 401 and then store them into the external memory 402 of the recording device 400.

The above-described steps S3002 to S3004 constitute an execution sequence that is continuously executed without interruption, for example, even if the recording and reproducing apparatus 300 issues a data read command at the end of the decryption process of step S3003, since such a read command is different from the command numbers p to S set in the command register 2902 in ascending order, the command number management section 2091 does not accept execution of reading. Therefore, the external apparatus such as the recording and reproducing apparatus 300 cannot read out the decrypted data resulting from the key exchange in the recording apparatus 400, so that the key data or the content can be prevented from being illegally read.

Fig. 31 shows the content reproduction procedure shown in fig. 28, in which the content is read out from the recording apparatus 400 and reproduced by the recording and reproducing apparatus 300. Specifically, this process is performed in step S73 of fig. 28.

In fig. 31, in step S101, data encrypted with the storage key Kstr (e.g., the block information table key Kbit, the content key Kcon) is read out from the memory 402 of the recording apparatus 400.

In step S3102, the data (e.g., the block information table key Kbit, the content key Kcon) read out from the memory of the recording apparatus and encrypted with the storage key Kstr is stored in the register. In this step, the recording and reproducing apparatus 300 may read out the data encrypted with the storage key Kstr from the external memory 407 of the recording apparatus 400 and store them in the register of the recording apparatus 400.

In step S3103, the data encrypted with the storage key Kstr (e.g., the block information table key Kbit, the content key Kcon) is retrieved from the register and decrypted with the storage key Kstr.

In step S3104, the data decrypted with the storage key Kstr (e.g., the block information table key Kbit, the content key Kcon) is encrypted with the session key Kses.

The above-described process steps 3102 to 3104 correspond to the processes included in the command numbers u to y in the command register shown in fig. 29. The recording device password translation processing section 406 sequentially executes these processes by the command numbers u to y received by the command number management section 2901 of the recording device from the recording and reproducing device 300.

In the next step S3105, the data encrypted with the session key Kses (e.g., the block information table key Kbit, the content key Kcon) is transferred from the recording apparatus to the recording and reproducing apparatus.

The above-described process steps 3102 to 3104 constitute an execution sequence that is continuously executed without interruption, and for example, even if the recording and reproducing apparatus 300 issues a data read command at the end of the decryption process of step S3103, the command number management section 2091 does not accept execution of the read because such read command is different from the command numbers u to y set in the command register 2902 in ascending order. Therefore, the external apparatus such as the recording and reproducing apparatus 300 cannot read out the decrypted data resulting from the key exchange in the recording apparatus 400, so that the key data or the content can be prevented from being illegally read.

As for the processes shown in fig. 30 and 31, an example is shown in which the block information table key Kbit and the content key Kcon are decrypted and encrypted by key exchange, but these command sequences stored in the command register 2902 in fig. 29 may include decryption and encryption processes involving key exchange for the content itself. The object to be decrypted or encrypted by the key exchange is not limited to the above example.

The key exchange process after mutual authentication in the data processing apparatus of the present invention has been described. Therefore, the key exchange process in the data processing apparatus of the present invention is performed only after the authentication process between the recording and reproducing apparatus and the recording apparatus is completed. Furthermore, access to the decrypted data from the outside during the key exchange can be prevented, thereby ensuring improved confidentiality of the content and the key data.

(10) Multiple content data formats and download and reproduction procedures corresponding to each format

In the above-described embodiment, the data format used for the medium 500 or the communication apparatus 600 shown in fig. 3 is the format shown in fig. 4, for example. The data format for the medium 500 or the communication apparatus 600 is not limited to the format shown in fig. 4, but preferably depends on the content, that is, on whether the content is music, image data, a program such as a game, or the like. The following describes various data formats and processes for downloading and reproducing data from and from the recording apparatus 400.

Fig. 32 to 35 show four different data formats. The left side of each figure shows a data format used on the medium 500 or the communication medium 600 shown in fig. 3, and the right side of each figure shows a data format used in data stored in the external memory 402 of the recording apparatus 400. First, an outline of the data formats shown in fig. 32 to 35 is provided, and differences between the contents of data of the respective formats and the data of the respective formats are explained.

Fig. 32 shows a format type 0, which is the same type as shown by way of example in the above. The format type 0 is characterized in that the entire data is divided into N data blocks, i.e., blocks 1 to N, each having an arbitrary length, and each block is arbitrarily encrypted, and thus, the data can be constructed by mixing together the encrypted blocks and the non-encrypted blocks, i.e., plain text blocks. The data block is encrypted with a content key Kcon, which is encrypted with an on-medium distribution key KdiS or, when stored on the recording apparatus, with a storage key Kstr stored in an internal memory of the recording apparatus. The block information key Kbit is also encrypted with the distribution key KdiS on the medium or with the storage key Kstr stored in the internal memory of the recording apparatus when stored on the recording apparatus. The exchange of these keys is performed as described in "(9) key exchange procedure after mutual authentication".

Fig. 33 shows format type 1, in which, as in format type 0, the entire data is divided into N data blocks, blocks 1 to N, but differs from format type 1 in that N blocks each have the same length. The process for encrypting the block with the content key Kcon is similar in aspect to format type 0. Further, as in the above-described format 0, the content key Kcon and the block information key Kbit are encrypted with the distribution key KdiS on the medium or, when stored on the recording apparatus, with the storage key Kstr stored in the internal memory of the recording apparatus. Unlike format 0, format type 1 has a fixed block structure to simplify structural data such as the length of each block, thereby enabling a reduction in the storage length for block information compared to format type 0.

In the example of the structure of fig. 33, each block includes a set of encrypted portions and unencrypted (plain text) portions. If the block length and structure are regular, it is not necessary to check each block length or structure in the decryption process or the like, and thus, decryption and encryption processing can be efficiently performed. In format 1, both the encrypted portion and the unencrypted (plain text) portion constituting each block can be defined as objects to be checked, and therefore, the content integrity check value ICVi is defined for a block containing a portion that must be checked.

Fig. 34 shows a format type 2, characterized in that data is divided into N data blocks, blocks 1 to N, all having the same length, each block being encrypted with an individual block key Kblc. Each block key Kblc is encrypted with a content key Kcon, which is encrypted with an on-medium distribution key KdiS or, when stored on the recording apparatus, is encrypted with a storage key Kstr stored in an internal memory of the recording apparatus. The block information key Kbit is also encrypted with the distribution key KdiS on the medium or with the storage key Kstr stored in the internal memory of the recording apparatus when stored on the recording apparatus.

Fig. 35 shows format type 3, which is characterized in that data is divided into N data blocks, blocks 1 to N, all having the same length, each block being encrypted with an individual block key Kblc as in format type 2, and each block key Kblc is encrypted with a content key Kcon encrypted with a distribution key KdiS on the medium or encrypted with a storage key Kstr on the recording apparatus without the content key. The block information key Kbit is encrypted with the distribution key KdiS on the medium or, when stored on the recording apparatus, with the storage key Kstr stored in the internal memory of the recording apparatus.

The contents of the data in the above-described format types 0 to 3 are explained below. As previously mentioned, data is roughly divided into two parts, a header part and a content part. The header section contains a content ID, a usage policy, integrity check values a and B, a global integrity check value, a block information table key, a content key, and a block information table.

The usage policy stores a data length of the content, a header length thereof, a format type thereof (formats 0 to 3 described below), a content type indicating whether the content includes or is data, a flag determining whether the content is used only by a specific recording and reproducing apparatus or is localized as described in a part of a process for downloading and reproducing the content from and to the recording apparatus, a permission flag for content copy or move processing, and various kinds of localization and processing process information for the content such as a content encryption algorithm and a schema.

Integrity check value a: ICVa is used to examine content ID and usage policy and is generated using the method described in fig. 23, for example.

The block information table key Kbit is used to encrypt the block information table and is encrypted with the distribution key KdiS on the medium or, when stored on the recording apparatus, with the storage key Kstr stored in the internal memory of the recording apparatus, as described earlier.

The content key Kcon is used to encrypt the content block. With the format types 0 and 1, similar to the block information table key Kbit, the content key Kcon is encrypted with the distribution key KdiS on the medium or, when stored on the recording apparatus, with the storage key Kstr stored in the internal memory of the recording apparatus. As for format type 2, the content key Kcon is also used to encrypt the block key Kblc configured for each content block. Further, with format type 3, there is no content key Kcon.

The block information table describes information on each block and stores information indicating whether or not the block is to be checked (IVC), which is a length of each block and a flag indicating whether or not the block is encrypted. If the block is to be checked, a block integrity check value ICVi (integrity check value for block i) is defined and stored in a table. The block information table is encrypted with a block information table key Kbit.

If the block is encrypted, a block integrity check value, i.e., a content integrity check value ICVi, is generated by xoring the entire plain text (decrypted text) every 8 bytes and then encrypting the obtained value with the content integrity check value generation key Kicvc stored in the internal memory 307 of the recording and reproducing apparatus 300. Further, if the block is not encrypted, the block integrity check value is generated by sequentially inputting the entire block data (plain text) to the falsification check value generation function (DES-CBC-MAC of the content integrity check value generation key Kicvc) shown in fig. 36 by 8 bytes at a time. Fig. 36 shows an example of a structure for generating the content integrity check value ICVi. Each message M constitutes a respective set of 8 bytes of decrypted text data or plain text data.

With respect to Format type 1, if at least a portion of a block is data to be processed with integrity check value ICVi, i.e., is to be checked, then a content integrity check value ICVi is defined for that block. The integrity check value P-ICVij for part j of block i is generated by xoring the entire plain text (decrypted text) every 8 bytes and then encrypting the obtained data with the content integrity check value generation key Kicvc. Further, if the part j is not encrypted, the block integrity check value P-ICVij is generated by sequentially inputting the entire block data (plain text) to the falsification check value generation function (DES-CBC-MAC of the generation key Kicvc with the content integrity check value) shown in fig. 36 by 8 bytes at a time.

Further, if the block i contains a portion indicating that the block is to be checked, which has an ICV flag (ICV subject), the integrity check value P-ICVij generated in the above-described manner is directly used as the block integrity check value ICVi. If the block i contains a plurality of parts having [ ICV flag ═ ICV subject ] indicating to be checked, the block integrity check value P-ICVij is generated by concatenating a plurality of part integrity check values P-ICVij together by part number to obtain data and sequentially inputting the entire block data (plain text) to the falsification check value generation function (DES-CBC-MAC of the content integrity check value generation key Kicvc) shown in fig. 37 by 8 bytes at a time of input. Fig. 37 shows an example of a structure for generating the content integrity check value ICVi.

The block integrity check value ICVi is not defined for format type 2 or 3.

Integrity check value B: the ICVb is used to check the block information table key, the content key, and the entire block information table and is generated using a method such as that described in fig. 24.

The global integrity check value ICVt is used to check all of the aforementioned integrity check values a: ICVa and B: ICVb and the integrity check value ICVi contained in each block of content to be checked and is determined by applying the system signing key Ksys to a value according to a predetermined criterion such as integrity check value a: the intermediate integrity check value generated by each integrity check value, such as ICVa, is generated by performing the encryption process as previously described in fig. 25.

For format types 2 and 3, the integrity check value ICVt is generated by applying the system signing key Ksys to the intermediate integrity check value generated by applying the aforementioned integrity check value a: ICVa and B: the ICVb is generated by concatenating the content data, i.e., the entire data between the block key in block 1 and the final block. Fig. 38 shows an example of a structure for generating the overall integrity check values ICVi of formats 2 and 3.

If the aforementioned localization flag is set to 1, which means that the content can be used only by a specific recording and reproducing apparatus, the individual integrity check value ICVdev is replaced with the overall integrity check value ICVt. For format types 0 and 1, a unique integrity check value is generated to check the aforementioned integrity check value a: ICVa and B: ICVb and the integrity check value ICVi contained in each content block to be checked. Specifically, by applying the recording and reproducing apparatus signature key Kdev to the value obtained from the information such as the integrity check value a: the integrity check value such as ICVa generates an intermediate integrity check value and generates a unique integrity check value ICVdev as previously described in fig. 25 or 38.

A procedure for downloading the contents of each format type 0 to 3 from the recording and reproducing apparatus to the recording apparatus 400 and a procedure for reproducing the contents of each format type 0 to 3 from the recording apparatus 400 performed by the recording and reproducing apparatus 300 are explained below with reference to the flow in fig. 39 to 44.

First, a procedure for downloading content of format type 0 or 1 is explained with reference to fig. 39.

The process shown in fig. 39 is started, for example, by installing the recording apparatus 400 into the recording and reproducing apparatus 300 shown in fig. 3. In step S101, mutual authentication is performed between the recording and reproducing apparatus and the recording apparatus, which is performed in accordance with the authentication flow described previously in fig. 20.

If the authentication process in step S101 has been completed to set the authentication flag, the recording and reproducing apparatus 300 reads out data of a predetermined format from the medium 500 storing content data through the reading section 304 or receives data in a predetermined format from the communication device 600 with the communication section 305 in step S102. Then, the control section 301 of the recording and reproducing apparatus 300 transmits the header section of the data to the recording and reproducing apparatus password translation processing section 302 of the recording and reproducing apparatus 300.

Thereafter, in S103, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate the integrity check value a. The integrity check value a is calculated in the ICV calculation method described in fig. 7 in the case where the integrity check value a generation key Kicva stored in the internal storage 307 of the recording and reproducing apparatus password translation processing section 302 is used as a key and the content ID and the usage policy are used as messages, as shown in fig. 23. Then, in step S104, the integrity check value a and the check value ICVa stored in the header are compared together, and if they are equal, the processing proceeds to step S105.

As previously described, the check value A, ICVa is used to verify that the content ID and usage policy have not been tampered with. If the integrity check value a calculated by the ICV calculation method described in fig. 7 in the case where the integrity check value a generation key Kicva stored in the internal storage 307 of the recording and reproducing apparatus cryptographic translation processing section 302 is used as a key and the content ID and the usage policy are used as messages is equal to the check value ICVa stored in the header, it can be determined that the content ID and the usage policy have not been tampered with.

In step S105, the control section 306 of the recording and reproducing device encryption processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to obtain or generate the distribution key Kdis. As in step S53 of fig. 22, the distribution key Kdis is generated with, for example, the master key MKdis for distributing the keys.

In step S106, the control section 306 of the recording and reproducing device crypt translation processing section 302 decrypts the block information table key Kbit and the content key Knon stored in the header section of the data obtained from the medium 500 by the reading section 304 or received from the communication apparatus 600 by the communication section 305, with the encryption/decryption section 308 of the recording and reproducing device crypt translation processing section 302 and the generated distribution key Kdis.

In step S107, the control section 306 of the recording and reproducing device crypt translation processing section 302 decrypts the block information table key with the decrypted block information table key Kbit by the encryption/decryption section 308 of the recording and reproducing device crypt translation processing section 302.

Further, in step 108, the control section 306 of the recording and reproducing device cryptographic translation processing section 302 calculates the integrity check value B (ICVb') from the block information table key Kbit, the content key Kcon, and the Block Information Table (BIT). The integrity check value B is generated by using the integrity check value B generation key Kicvb stored in the internal storage 307 of the recording and reproducing apparatus password translation processing section 302 as a key to decrypt the exclusive or operated value according to DES, as shown in fig. 24. The XOR-operated value includes a block information table key Kbit, a content key Kcon, and a Block Information Table (BIT). In step S109, the integrity check value B and the check value ICVa in the header are compared together, and if they are equal, the process proceeds to step S110.

As described previously, the check value B, ICVb is used for the block information table key Kbit, the content key Kcon, and the block information table have not been tampered with. If the integrity check value B generated by dividing the integrity check value B generation key Kicvb stored in the internal storage 307 of the recording and reproducing device crypt translation processing section 302 into 8-byte segments, xoring the block information table key Kbit, the content key Kcon, and the Block Information Table (BIT), and encrypting the xored data according to DES so that the generated integrity check value B is equal to the check value ICVb stored in the header, it can be judged that the block information table key Kbit, the content key Kcon, and the block information table have not been tampered with.

In step S110, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate an intermediate integrity check value. The above-described intermediate value is calculated in the ICV calculation method described in fig. 7 in the case where the integrity check value generation key Kicvt stored in the internal storage 307 of the recording and reproducing device password translation processing section 302 is used as a key and the integrity check values a and B and all the saved content integrity check values are used as messages. The generated intermediate integrity check value is stored in the recording and reproducing device password interpretation processing section 302 of the recording and reproducing device 300 as needed.

In step S111, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate the global integrity check value ICVt'. As shown in fig. 25, the global integrity check value ICVt is generated by using the system signature key Ksys stored in the internal storage 307 of the recording and reproducing device crypto-translation processing section 302 as a key so as to decrypt the intermediate integrity check value according to DES. Then, in step S112, the generated global integrity check value ICVt is compared with ICVt' stored in the header in step S112, and if they are equal, the process proceeds to step S113.

As previously described in fig. 4, the integrity check value ICVt is used to verify that all of the integrity check values ICVa and ICVb, as well as the integrity check values for the respective content blocks, have not been tampered with. Therefore, if the overall integrity check value generated by the above process is equal to the integrity check value ICVt stored in the header, it can be judged that all of the integrity check values ICVa and ICVb and the integrity check value for each content block have not been tampered.

Then, in step S113, the control section 301 of the recording and reproducing apparatus 300 takes out the content block information from the Block Information Table (BIT) and checks whether any content block is to be authenticated. If any of the content blocks is to be authenticated, a content integrity check value has been stored in the block information of the header.

If any content block is to be authenticated, in step 114, the control section 301 reads out the content block from the medium 500 by using the reading section 304 of the recording and reproducing apparatus 300 or reads out the content block received from the communication device 600 by the communication section 305 of the recording and reproducing apparatus 300, and transmits the content block to the recording and reproducing apparatus password translation processing section 302 of the recording and reproducing apparatus 300. Upon receiving the content block, the control section 306 of the recording and reproducing device 300 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate the content integrity check value ICVi'.

If the block is encrypted, the block integrity check value ICVi is generated by decrypting the input content block in DES CBC mode with the content key Kcon, xoring the decrypted text every 8 bytes, and then encrypting the generated content intermediate value with the content integrity check value generation key Kicvc stored in the internal memory 307 of the recording and reproducing apparatus 300. Further, if the block is not encrypted, the block integrity check value is generated by sequentially inputting the entire block data (plain text) to the falsification check value generation function (DES-CBC-MAC of the content integrity check value generation key Kicvc) shown in fig. 36 by 8 bytes at a time.

In step S115, the control section 306 of the recording and reproducing device 300 compares this content integrity check value with the ICV in the content block received from the control section 301 of the recording and reproducing device 300 in step S102, and passes the result to the control section 301 of the recording and reproducing device 300. Upon receiving the above result and having successfully authenticated, the control section 301 of the recording and reproducing device 300 takes out the next content block to be authenticated and causes the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300 to authenticate the content block. The similar authentication process is repeated until all the content blocks are authenticated (step S116).

In this regard, if the check values are not equal in any of steps 104, 109, 112, and 115, an error may occur, thereby ending the download process.

Then, in step S117, the recording and reproducing device crypt translation processing section 302 of the recording and reproducing device 300 causes the encryption/decryption section 308 of the recording and reproducing device crypt translation processing section 302 to encrypt the block information table key Kbit and the content key Kcon decrypted in step S106 by using the session key Kses sharable in the mutual authentication process. The control section 301 of the recording and reproducing device 300 reads the block information table key Kbit and the content key Kcon from the recording and reproducing device crypto-translation processing section 302 of the recording and reproducing device 300, and then transfers them to the recording device 400 through the recording device controller 303 of the recording and reproducing device 300.

In step S118, upon receiving the block information table key Kbit and the content key Kcon transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device crypto-translation processing section 401 to decrypt the received data with the session key Kses sharable in the mutual authentication process and re-encrypt the decrypted data with the storage key Kstr unique to the recording device stored in the internal memory 405 of the recording device crypto-translation processing section 401. Then, the control section 301 of the recording and reproducing apparatus 300 reads out the block information table key Kbit and the content key Kcon, which are re-encrypted with the storage key Kstr, from the recording apparatus 400 through the recording apparatus controller 303 of the recording and reproducing apparatus 300. That is, the block information table key Kbit encrypted with the distribution key Kdis may be exchanged with the content key Kcon.

In step S119, the control section 301 of the recording and reproducing apparatus 300 extracts a localization field from the usage policy in the header section of the data to judge whether or not the downloaded content is for this recording and reproducing apparatus 300 only. If the localization field is set to 1, the downloaded content is used only for this recording and reproducing apparatus 300. If the localization field is set to 0, the downloaded content can also be used by other similar recording and reproducing devices 300. If the result of the judgment shows that the localization field is set to 1, the processing proceeds to step S120.

In step S120, the control section 301 of the recording and reproducing device 300 causes the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300 to calculate an integrity check value unique to the recording and reproducing device. The above-described intermediate integrity check value is generated in step S110 by generating the integrity check value unique to the recording and reproducing device by using the recording and reproducing device signing key Kdev stored in the internal storage 307 of the recording and reproducing device password translation processing section 302 as a key so as to decrypt the intermediate integrity check value according to DES. The integrity check value ICVdev calculated to be unique to the recording and reproducing apparatus may replace the overall integrity check value ICVt.

As described above, the system signature key Ksys is used to attach the common signature or ICV to the distribution system, and the recording and reproducing device signature key Kdev is a function of the recording and reproducing device and is usable by the recording and reproducing device to attach the signature or ICV. That is, data signed with the system signature key Ksys can be successfully checked by the system (recording and reproducing apparatus) having the same system signature key, that is, such data has the same overall integrity check value and thus can be shared. However, if data is signed with the recording and reproducing apparatus signature key Kdev, since such a signature key is unique to the recording and reproducing apparatus, even if it is attempted to reproduce the data signed with the recording and reproducing apparatus signature key Kdev after the recording apparatus is inserted into another recording and reproducing apparatus (i.e., the data stored in the recording apparatus after the signing), the data cannot be reproduced, that is, an error occurs due to unequal integrity check values ICVdev unique to the recording and reproducing apparatus. In the data processing apparatus of the present invention, setting the localization field enables content to be arbitrarily set to be shared within the entire system or to be used only by a specific recording and reproducing apparatus.

Then, in step S121, the control section 301 of the recording and reproducing device 300 causes the recording and reproducing device password translation processing section 302 to form a storage data format. As described earlier, one of the three format types 0 to 3 is set in the use policy of the header (see fig. 5), and therefore, data is formed in accordance with the set type in accordance with the storage format in the right side of one of the aforementioned fig. 32 to 35. The flow shown in fig. 39 is for the format 0 or 1, and therefore, data is formed into one of the formats in fig. 32 and 33.

Once the storage of the data format is completed in step S121, the control section 301 of the recording and reproducing device 300 stores the content into the external memory 402 of the recording device 400 in step S122.

It has been described how to perform a process for downloading content data of format 0 or 1.

A process for downloading the content data of format 2 is explained below with reference to fig. 40. The difference from the above-described process for downloading the content data of format 0 or 1 will be focused on.

Steps S101 to S109 are similar to the above-described procedure for downloading the content data of format 0 or 1, and thus their description is omitted.

Since format type 2 does not have the content integrity check value ICVi defined as described above, the block information table does not contain the integrity check value ICVi. The intermediate integrity check value in format type 2 is generated by applying the system signing key Ksys to the intermediate integrity check value generated by concatenating the aforementioned integrity check values a and B to the entire data between the front data of the first block (the block key in block 1) and the final block to perform the encryption process.

Therefore, in the process for downloading the data of format 2, the content data is read out in step S151, and an intermediate integrity check value is generated from the integrity check values a and B and the read-out content data in step S152. In this regard, even if the content data are encrypted, they are not decrypted.

In the case of the format type 2, a process for decrypting block data and comparing content integrity check values is omitted in order to increase processing speed, contrary to the aforementioned process for the format type 0 or 1.

The processes of step S111 and subsequent steps are similar to those for format type 0 or 1, and therefore, their descriptions are omitted.

It has been described how to perform a procedure for downloading the content data of format type 2. As described earlier, the process for downloading the content data of format type 2 omits the processes for decrypting the block data and comparing the content integrity check values in order to increase the processing speed, contrary to the aforementioned process for format type 0 or 1, and thus this format is suitable for the processing of music data or the like that must be performed in real time.

A process for downloading the content data of format 3 is explained below with reference to fig. 41. The following description will focus on the differences from the above-described download procedure for formats 0, 1 and 2.

Steps S101 to S105 are similar to those described above for the format 0, 1 and 2 download procedure.

The procedure for format type 3 basically has various features in common with the procedure for format type 2, but differs in that format type 3 has no content key because the block key Kblc is stored in the recording apparatus after being encrypted with the storage key Kstr.

The following description focuses on the differences between the download procedure for format type 3 and the download procedure for format type 2. In the case of format type 3, in step S161, after step S105, the block information table key is decrypted. The control section 306 of the recording and reproducing device crypt translation processing section 302 decrypts the block information table key Kbit stored in the header section of the data obtained from the medium 500 by the reading section 304 or received from the communication apparatus 600 by the communication section 305, with the encryption/decryption section 308 of the recording and reproducing device crypt translation processing section 302 and the distribution key Kdis generated in step 105. In the case of format type 3, the data does not contain the content key Kcon, and therefore, the process for decrypting the content key Kcon is not performed.

In the next step S107, the block information table key Kbit decrypted in step S161 is used to decrypt the block information table, and in step S162, the control section 306 of the recording and reproducing apparatus crypt-translation processing section 302 generates the integrity check value B (ICVb') from the block information table key Kbit and the Block Information Table (BIT). The integrity check value B is generated by using as a key the integrity check value B generation key Kicvb stored in the internal storage 307 of the recording and reproducing apparatus crypt-translation processing section 302 so as to decrypt the exclusive or operated value including the block information table key Kbit and the Block Information Table (BIT) according to DES. Then, in step S109, the integrity check value B and the check value ICVa in the header are compared together, and if they are equal, the processing proceeds to step S151.

In the case of format type 3, the check value B, ICVb is used to verify that the block information table key Kbit and the block information table have not been tampered with. If the generated integrity check value B is equal to the check value ICVb stored in the header, it can be judged that the block information table key Kbit and the block information table have not been tampered with.

Steps S151 to S112 are similar to the process steps for the format type 2, and therefore, their explanation is omitted.

In step S163, the block key Kblc included in the content data read out in step S151 is decrypted with the distribution key Kdi generated in step S105.

Then, in step S164, the recording and reproducing device cryptographic translation processing section 302 of the recording and reproducing device 300 causes the encryption/decryption section 308 of the recording and reproducing device cryptographic translation processing section 302 to encrypt the block information table key Kbit decrypted in step S161 and the block key Kblock decrypted in step S163 by using the session key Kses sharable in the mutual authentication process. The control section 301 of the recording and reproducing device 300 reads the block information table key Kbit and the block key Kblc from the recording and reproducing device crypto-translation processing section 302 of the recording and reproducing device 300, and then transfers these data to the recording device 400 through the recording device controller 303 of the recording and reproducing device 300.

In step S165, upon receiving the block information table key Kbit and the block key Kblc transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device crypto-translation processing section 401 to decrypt the received data with the session key Kses sharable in the mutual authentication process and re-encrypt the decrypted data with the storage key Kstr unique to the recording device stored in the internal memory 405 of the recording device crypto-translation processing section 401. The control section 301 of the recording and reproducing device 300 reads out the block information table key Kbit and the block key Kblc from the recording device 400 by the recording device controller of the recording and reproducing device 300, the block information table key Kbit and the block key Kblc being re-encrypted with the storage key Kstr. That is, the block information table key Kbit and the block key Kblc encrypted at the beginning with the distribution key Kdi s may be replaced with the block information table key Kbit and the block key Kblc re-encrypted with the storage key Kstr.

Subsequent steps S119 to S122 are similar to those for format types 0, 1, and 2, and therefore, their description is omitted.

Aspects of a process for downloading content data of format type 3 have been described. As described earlier, the download process for format type 2 omits the processes for decrypting block data and comparing content integrity check values as the process for format type 2 in order to speed up the processing, and thus, format type 3 is suitable for processing data that requires real-time processing, such as music data. Further, since the block key Kblc can determine the range of the encrypted content to be protected, improved confidentiality can be obtained compared to format type 2.

A procedure for reproducing data of each of the format types 0 to 3 from the recording apparatus 400 of the recording and reproducing apparatus 300 is explained below with reference to the flow of fig. 42 to 45.

First, a process for reproducing data of format type 0 is explained with reference to fig. 42.

Step S201 corresponds to an authentication process between the recording and reproducing apparatus and the recording apparatus, and is performed according to the authentication flow described in fig. 20.

Once the authentication process in step S201 has been completed to set the authentication flag, the recording and reproducing device 300 reads the header of the data of the predetermined format from the recording device 400 and sends it to the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300 in step S202.

Thereafter, in S203, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate the integrity check value a. The integrity check value a is calculated in the case where the integrity check value a generation key Kicva stored in the internal storage 307 of the recording and reproducing apparatus password translation processing section 302 is used as a key and the content ID and the usage policy are used as a message, as shown in fig. 23. Then, in step S204, the integrity check value a and the check value ICVa stored in the header are compared together, and if they are equal, the processing proceeds to step S205.

The check value A, ICVa is used to verify that the content ID and usage policy have not been tampered with. If the calculated integrity check value a is equal to the check value ICVa stored in the header, it can be judged that the content ID and the usage policy have not been tampered with.

In step S205, the control section 306 of the recording and reproducing apparatus takes out the block information table key Kbit and the content key Knon encrypted with the storage key Kstr unique to the recording apparatus from the read header section and sends them to the recording apparatus 400 through the recording apparatus controller 303 of the recording and reproducing apparatus 300.

Upon receiving the block information table key Kbit and the content key Knon transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device crypto-translation processing section 401 to decrypt the received data with the storage key Kstr unique to the recording device stored in the internal memory 405 of the recording device crypto-translation processing section 401 and re-encrypt the decrypted data with the session key Kses sharable in the mutual authentication process. This process is described in detail previously in the key exchange process after (9) mutual authentication.

In step S206, the control section 301 of the recording and reproducing apparatus 300 receives the block information table key Kbit and the block key Kblc, which are re-encrypted with the session key Kses, from the recording apparatus 400 through the recording apparatus controller 303 of the recording and reproducing apparatus 300.

In step S207, the control section 301 of the recording and reproducing apparatus 300 transmits the received block information table key Kbit and content key Kcon re-encrypted with the session key Kses to the recording and reproducing apparatus password translation processing section 302 of the recording and reproducing apparatus 300. Upon receiving the block information table key Kbit and the content key Knon re-encrypted with the session key Kses, the crypt translation processing section 302 of the recording and reproducing device 300 causes the encryption/decryption section 308 of the recording and reproducing device crypt translation processing section 302 to decrypt the keys Kbit and Kcon with the session key Kses sharable in the mutual authentication process.

In step S208, the decrypted block information table key Kbit is used for the block information read out in step S202. The recording and reproducing apparatus crypt-translation processing section 302 of the recording and reproducing apparatus 300 replaces the decrypted block information table key Kbit, content key Kcon, and block information table BIT with the block information table key Kbit, content key Kcon, and block information table BIT contained in the header read out at step S202 to hold the block information table key Kbit, content key Kcon, and block information table BIT contained in the header read out at step S202. Further, the control section 301 of the recording and reproducing device 300 reads out the decrypted block information table BIT from the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300.

Further, in step S209, the control section 306 of the recording and reproducing apparatus crypt translation processing section 302 generates an integrity check value B (ICVb') from the block information table key Kbit, the content key Kcon, and the Block Information Table (BIT). The integrity check value B is generated by using as a key the integrity check value B generation key Kicvb stored in the internal storage 307 of the recording and reproducing apparatus crypt-translation processing section 302 so as to decrypt the exclusive or operated value including the block information table key Kbit, the content key Kcon, and the Block Information Table (BIT) according to DES. Then, in step S210, the integrity check value B and the check value ICVa in the header are compared together, and if they are equal, the processing proceeds to step S211.

The check value B, ICVb is used for the block information table key Kbit, the content key Kcon, and the block information table not being tampered with. If the generated integrity check value B is equal to the check value ICVb stored in the header, it can be judged that the block information table key Kbit, the content key Kcon, and the block information table stored in the recording apparatus 400 have not been tampered with.

In step S211, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate an intermediate integrity check value. The above-described intermediate value is calculated in the ICV calculation method described in fig. 7 in the case where the overall integrity check value generation key Kicvt stored in the internal storage 307 of the recording and reproducing device cryptographic translation processing section 302 is used as a key and the verified integrity check values a and B and all the content integrity check values in the block information table are used as messages, as shown in fig. 25. In this regard, the generated intermediate integrity check value is stored in the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300 as necessary.

In step S212, the control section 301 of the recording and reproducing apparatus 300 extracts the localization field from the use policy contained in the header section of the data read from the external memory 402 of the recording apparatus 400 to determine whether the content to be reproduced is for this recording and reproducing apparatus 300 only (in this case, the localization field is set to 1) or is usable by other similar recording and reproducing apparatuses 300 (in this case, the localization field is set to 0). If the result of the judgment shows that the localization field is set to 1, that is, the reproduced content is used only for this recording and reproducing apparatus 300, the processing proceeds to step S213. If the localization field is set to 0, that is, the reproduced content can also be used by other similar recording and reproducing devices 300, the processing proceeds to step S215. The process of step S211 is executed by the password translation processing section 302.

In step S213, the control section 301 of the recording and reproducing device 300 causes the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300 to calculate the integrity check value ICVdev' unique to the recording and reproducing device. As shown in fig. 25, the integrity check value icddev' unique to the recording and reproducing device is generated by using the recording and reproducing device signing key Kdev stored in the internal storage 307 of the recording and reproducing device password translation processing section 302 as a key so as to decrypt the intermediate integrity check value according to DES, which is saved in step S58.

Then, in step S214, the integrity check value ICVdev' calculated in step S219 which is unique to the recording and reproducing apparatus is compared with ICVdev in the header read out in step S202, and if they are equal, the processing proceeds to step S217.

On the other hand, in step S215, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate the overall integrity check value. The overall integrity check value is generated by using the system signature key Ksys stored in the internal storage 307 of the recording and reproducing device crypto-translation processing section 302 as a key so as to decrypt the intermediate integrity check value according to DES, as shown in fig. 25. In step S216, the generated global integrity check value ICVt' and the ICVt in the header are compared together, and if they are equal, the process proceeds to step S217.

The integrity check value ICVt of the ensemble and the integrity check value ICVdev unique to the recording and reproducing device are used to verify that all the integrity check values ICVa and ICVb and the integrity check values for the respective content blocks are not tampered. Therefore, if the integrity check value of the ensemble generated by the above-described procedure is equal to the integrity check value ICVt stored in the header, it can be judged that all the integrity check values for the respective content blocks have not been tampered with.

Then, in step S217, the control section 301 of the recording and reproducing apparatus 300 reads out block data from the recording apparatus 400. Further, in step S218, it is determined whether or not the data is encrypted, and if the data is encrypted, the crypt translation processing unit 302 of the recording and reproducing device 300 decrypts the block data. If the data has not been encrypted, the process skips step S219 and proceeds to S220.

In step 220, the control section 301 of the recording and reproducing apparatus 300 checks whether any content block is to be authenticated according to the content block information table in the Block Information Table (BIT). If any of the content blocks is to be authenticated, a content integrity check value has been stored in the block information of the header. In this case, the content integrity check value ICVi for the content block is calculated in step S221. If the content block is not to be verified, the processing skips steps S221 and S222 and proceeds to S223.

If the block is encrypted as shown in fig. 36, the block integrity check value ICVi' is generated by decrypting the input content block with the content key Kcon in the desbc mode, xoring the decrypted text every 8 bytes to generate a content intermediate value, and then encrypting the obtained value with the content integrity check value generation key Kicvc stored in the internal memory 307 of the recording and reproducing apparatus 300. Further, if the block is not encrypted, the block content integrity check value is generated by inputting the entire data (plain text) sequentially 8 bytes at a time to the falsification check value generation function (DES-CBC-MAC for generating the key Kicvc with the content integrity check value) shown in fig. 36.

In step S222, the control section 306 of the recording and reproducing device password translation processing section 302 compares the generated content integrity check value ICVi' with the ICVi in the content block received from the recording and reproducing device 300 in step S202, and passes the result to the control section 301 of the recording and reproducing device 300. In the case where the above result is received and the authentication has been successful, the content plain data for execution (reproduction) in the RAM of the device system is recorded and reproduced in step S223. The control section 301 of the recording and reproducing device 300 takes out the next content block to be authenticated and causes the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300 to authenticate the content block. Similar authentication process and RAM storage process are repeated until all the content blocks are authenticated (step S224).

If the check value does not match in any of the steps S204, S210, S214, S216, and S222, an error occurs, thereby ending the reproduction process.

When it is judged in step S224 that all the blocks have been read out, the processing proceeds to step S225 to start execution and reproduction of the content (program or data).

Aspects of a process for reproducing content data of format type 0 have been described.

A process of downloading the content data of format type 1 is explained below with reference to fig. 43. The following description focuses on the differences from the above-described download procedure for format type 0.

The processes from steps S201 to S217 are similar to the download process for format 0 described above, and thus their description is omitted.

With format type 1, in step S231, the encrypted portion is decrypted to generate a partial ICV. In step S232, an ICVi' is generated. As previously described, in the case of format type 1, if at least a portion of a block contains data to be verified with integrity check value ICVi, then content integrity check value ICVi is defined for that block. If part j has been encrypted, the integrity check value P-ICVij for part j of block i is generated by xoring the entire plain text (decrypted text) every 8 bytes and decrypting the obtained value with the content integrity check value generation key Kicvc. Further, if the part j is not encrypted, the block integrity check value P-ICVij is generated by inputting the entire data (plain text) to the falsification check value generation function (DES-CBC-MAC to generate the key Kicvc with the content integrity check value) shown in fig. 36 sequentially by 8 bytes at a time.

Furthermore, if the block i contains only a portion indicating that the block is to be checked, which has an ICV flag (ICV subject), the integrity check value P-ICVij generated in the above-described manner is directly used as the block integrity check value ICVi. If the block i contains a plurality of parts having [ ICV flag ═ ICV subject ] indicating to be checked, the block integrity check value P-ICVij is generated by concatenating a plurality of part integrity check values P-ICVij together by part number to obtain data and sequentially inputting the entire block data (plain text) to the falsification check value generation function (DES-CBC-MAC of the content integrity check value generation key Kicvc) shown in fig. 36 by 8 bytes at a time of input. This is the same as that illustrated in fig. 37.

With respect to the format type 1, the content integrity check value generated through the above-described procedure is subjected to comparison at step S222. The processes in the next step S223 and subsequent steps are similar to those for the format type 0, and a description thereof is omitted.

A process for reproducing the content data of format type 2 is explained below with reference to fig. 44. The following description focuses on differences from the above-described reproduction procedure for format types 0 and 2.

Steps S201 to S210 are similar to those described above for the reproduction of format types 0 and 2, and a description thereof will be omitted.

With the format type 2, the processes of steps S211 to S216 performed with the format types 0 and 1 are not performed. In addition, format type 2 does not have a content integrity check value, so content integrity check value verification performed with respect to format types 0 and 1 is not performed.

In the data reproduction process for the format type 2, after step S210 for verifying the integrity check value B, the process proceeds to step S217, in which the block data is read out under the control of the control section 301 of the recording and reproducing apparatus 300. In step S241, the cryptographic translation processing section 306 of the recording and reproducing apparatus 300 decrypts the block key Kblc included in the block data. The block key Kblc in the storage recording apparatus 400 is encrypted with the content key Kcon as shown in fig. 34 and is thus decrypted with the content key Kcon decrypted in the previous step S207.

In step S242, the block key Kblc decrypted in step S241 is used to decrypt the block data. In step S243, the content (program or data) is executed and reproduced. The process from steps S217 to S243 is repeated for all blocks. When it is judged in step S244 that all the blocks have been read out, the reproduction process is ended.

As previously described, the process for format type 2 omits the process of verifying a integrity check value, such as an overall integrity check value. It is possible to provide a structure suitable for performing decryption processing at high speed and a format suitable for processing such as music data requiring real-time processing.

A process for reproducing the content data of format type 3 is explained below with reference to fig. 45. The following description focuses on differences from the above-described reproduction procedure for format types 0, 1, and 2.

The procedure for format type 3 basically has various features in common with the procedure for format type 2, but differs in that format type 3 does not have a content key because the block key Kblc is stored in the recording apparatus after being encrypted with the storage key Kstr, as shown in fig. 35.

Between steps S201 and S210, the processes in steps S251, S252, S253, and S254 are configured to omit the use of content keys, contrary to the corresponding processes for formats 0, 1, and 2.

In step S251, the control section 301 of the recording and reproducing apparatus 300 takes out the block information table key Kbit encrypted with the storage key Kstr unique to the recording apparatus from the read header, and then transmits the key to the recording apparatus 400 through the recording apparatus controller 303 of the recording and reproducing apparatus 300.

Upon receiving the block information table key Kbit transmitted from the recording and reproducing apparatus 300, the recording apparatus 400 causes the encryption/decryption section 406 of the recording apparatus crypt translation processing section 401 to decrypt the received data with the storage key Kstr unique to the recording apparatus stored in the internal memory 405 of the recording apparatus crypt translation processing section 401, and then re-encrypt the decrypted data with the session key Kses sharable in the mutual authentication process. This process is described in detail previously in the key exchange process after (9) mutual authentication.

In step S252, the control section 301 of the recording and reproducing apparatus 300 receives the block information table key Kbit from the recording apparatus 400 through the recording apparatus controller 303 of the recording and reproducing apparatus 300, the block information table key Kbit being re-encrypted with the session key Kses.

In step S253, the control section 301 of the recording and reproducing apparatus 300 transmits the received block information table key Kbit re-encrypted with the session key Kses to the recording and reproducing apparatus password translation processing section 302 of the recording and reproducing apparatus 300. Upon receiving the block information table key Kbit re-encrypted with the session key Kses, the crypt translation processing section 302 of the recording and reproducing device 300 causes the encryption/decryption section 308 of the recording and reproducing device crypt translation processing section 302 to decrypt the block information table key Kbit with the session key Kses sharable in the mutual authentication process.

In step S208, the decrypted block information table key Kbit is used for the block information read out in step S202. The recording and reproducing device crypt-translation processing section 302 of the recording and reproducing device 300 replaces the decrypted block information table key Kbit and block information table BIT with the block information table key Kbit and block information table BIT contained in the header read out at step S202 to hold the block information table key Kbit and block information table BIT contained in the header read out at step S202. Further, the control section 301 of the recording and reproducing device 300 reads out the decrypted block information table BIT from the recording and reproducing device password translation processing section 302 of the recording and reproducing device 300.

Further, in step S254, the control section 306 of the recording and reproducing device cryptographic translation processing section 302 generates an integrity check value B (ICVb') from the block information table key Kbit and the Block Information Table (BIT). As shown in fig. 24, the integrity check value B is generated by using the integrity check value B generation key Kicvb stored in the internal storage 307 of the recording and reproducing apparatus crypt-translation processing section 302 as a key to decrypt the exclusive or operated value including the block information table key Kbit and the Block Information Table (BIT) according to DES. Then, in step S210, the integrity check value B and the check value ICVb in the header are compared together, and if they are equal, the processing proceeds to step S211.

In the case of format type 3, the block key is also encrypted with the storage key at the time of storage into the recording apparatus, so that the recording check value 400 is required to perform a decryption process with the storage key and the session key, and the recording and reproducing apparatus 300 is also required to perform a decryption process with the session key. This series of steps corresponds to the processing steps shown in steps S255 and S256.

In step S255, the control section 301 of the recording and reproducing apparatus 300 takes out the block key Kblc, which has been read out in step S217, encrypted with the storage key Kstr unique to the recording apparatus, from the read header, and then transmits the key to the recording apparatus 400 through the recording apparatus controller 303 of the recording and reproducing apparatus 300.

Upon receiving the block key Kblc transmitted from the recording and reproducing apparatus 300, the recording apparatus 400 causes the encryption/decryption section 406 of the recording apparatus crypt translation processing section 401 to decrypt the received data with the storage key Kstr unique to the recording apparatus stored in the internal memory 405 of the recording apparatus crypt translation processing section 401, and then re-encrypt the decrypted data with the session key Kses sharable in the mutual authentication process. This process is described in detail previously in the key exchange process after (9) mutual authentication.

In step S256, the control section 301 of the recording and reproducing apparatus 300 receives the block key Kblc from the recording apparatus 400 through the recording apparatus controller 303 of the recording and reproducing apparatus 300, the block key Kblc being re-encrypted with the session key Kses.

In step S257, the password translation processing section 306 of the recording and reproducing apparatus 300 decrypts the block key Kblc with the session key Kses.

In step S242, the block key Kblc decrypted in step S257 is used to decrypt the block data. In step S243, the content (program or data) is executed and reproduced. The process from steps S217 to S243 is repeated for all blocks. When it is judged in step S244 that all the blocks have been read out, the reproduction process is ended.

A process for reproducing the content of format type 3 has been described. Format type 3 is similar to format type 2 in that the process for verifying the overall integrity check value is omitted, but format type 3 improves the processing structure with a higher degree of secrecy because the process for exchanging block keys is included.

(11) Process aspect for generating a check value (ICV) performed by a content provider

In the above-described embodiment, the authentication process with the various integrity check values ICV is performed during the downloading and reproduction of the content. The following describes aspects of the process for generating the integrity check value ICV.

First, the respective integrity check values explained in the above embodiments are briefly explained. The integrity check value ICV described below is used in the data processing apparatus of the present invention.

Integrity check value a, ICVa: an integrity check value for verifying that the content ID and the usage policy in the content data have not been tampered with.

Integrity check value B, ICVb: integrity check values for verifying that the block information table key Kbit, the content key Kcon, and the block information table have not been tampered with.

Content integrity check value ICVi: a content integrity check value for verifying that each piece of content of the content has not been tampered with.

An overall integrity check value, ICVt; integrity check value for verifying that integrity check value ICVa, integrity check value ICVb, all integrity check values for the content block have not been tampered with.

Integrity check value ICVdev unique to the recording and reproducing apparatus: the above-mentioned integrity check value a for inclusion in each content block to be checked is replaced with the overall integrity check value ICVt with the localization field set to 1, i.e., the content is only for a specific recording and reproducing apparatus, and can be generated as: ICVa, integrity check value B: an integrity check value of the integrity check values ICVb and ICVi.

The integrity check values ICVt and ICVdev check not only the check values for the respective content blocks but also the contents themselves, depending on the format.

The integrity check values described above are used for the data processing check values of the present invention. Among these integrity check values, the integrity check values a and B, the overall integrity check value, and the content integrity check value are all generated by a content provider for providing content data or a content manager based on data to be authenticated, for example, as shown in fig. 32 to 35 and 6 and stored in the data together with the content before being provided to the user of the recording and reproducing device 300. When downloading content to a recording device or reproducing content from the recording device, a user of the recording and reproducing device, i.e., a content user, generates a verification ICV from each data to be verified to compare them with the stored ICV ICVdev. Furthermore, the integrity check value ICVdev unique to the reproducing apparatus may be replaced with the overall integrity check value ICVt and stored in the recording apparatus in a case where it is shown that the contents can be used only by the recording and reproducing apparatus.

In the above embodiment, the process of generating the integrity check value is based primarily on DES-CBC. However, the present invention is not limited to the above-described manner, but includes various ICV generation and verification process aspects. Specifically, as far as the relationship of the content provider or manager with the content user is concerned, there may be the following various ICV generation and authentication process structures.

Fig. 46 to 48 are diagrams for explaining a generation process performed by the generator of the integrity check value ICV and an authentication process performed by the authenticator.

Fig. 46 shows a structure in which, for example, an ICV generator, which is a content provider or manager, performs a process for generating an ICV according to DES-CBC described in the above-described embodiments, and then supplies the generated ICV together with content to a user of a recording and reproducing apparatus, i.e., a verifier. In this case, as for the authentication process, the user of the recording and reproducing apparatus, i.e., the verifier, needs a key stored in, for example, the internal memory 307 shown in fig. 18 in order to generate a corresponding integrity check value. The authenticator (user of the recording and reproducing apparatus) which is the content user applies DES-CBC to the data to be authenticated using the integrity check value generation key stored in the internal memory 307 to generate integrity check values, and then compares these values with the stored integrity check values. In this case, each integrity check value generation key is configured to be shared in a secure manner by the ICV creator and the verifier.

Fig. 47 shows a structure in which an ICV creator, which is a content provider or manager, generates an ICV with a digital signature of a public key cryptosystem and then provides the generated ICV to a content user, i.e., a verifier, along with content, and the content user, i.e., the verifier, stores a public key of the ICV creator and verifies the ICV with the key. In this case, the public key of the ICV creator, i.e., the verifier, held by the content user (recording and reproducing apparatus user) does not need to be kept secret, and is thus easier to manage. Thus, this aspect is applicable to ICV generation and management at a high security management level, for example, in ICV generation and management performed in one entity.

In fig. 48, an ICV creator, which is a content provider or manager, generates an ICV with a digital signature of a public key cryptosystem, and then provides the generated ICV to a content user, i.e., an authenticator, together with content, and also stores a public key used by the authenticator for authentication in a public key certificate (see, for example, fig. 14), and then provides the key to a recording and reproducing apparatus user, i.e., the authenticator. With multiple ICV creators, each creator has a key management center creation data (public key certificate) to ensure the validity of the public key.

The content user who is the ICV verifier has the public key of the key management center. The verifier verifies the public key certificate with the public key of the key management center, and if the validity is confirmed, the public key of the ICV creator stored in the public key certificate is retrieved. The verifier also verifies the ICV with the public key of the retrieved ICV creator.

This approach is a useful aspect if there are multiple ICV creators and if the center for managing these creators has an established management system.

(12) Architecture for generating a cryptographic translation process key from a master key

The following describes an architecture for generating a plurality of cryptographic process keys from a master key, which architecture characterizes a data processing system of the present invention.

As previously described with reference to fig. 18, the internal memory of the recording and reproducing apparatus 300 of the data processing apparatus of the present invention stores a plurality of master keys each for generating, for example, an authentication key Kake (see equation 3) or an issuance key Kdis (see equation 4).

When a cryptographic translation communication, mutual authentication, MAC generation, verification, and the like are performed between two entities, i.e., a content provider and a content provider or a recording and reproducing apparatus 300 and a recording apparatus 400 of the data processing apparatus of the present invention, these entities usually hold secret information such as key information common to them. Further, when the above-described processes are performed between one or more entities such as between one content provider and a plurality of content users and one recording and reproducing apparatus and a plurality of recording media, the entities generally store and hold secret information common to all the entities, that is, key information common to the plurality of content users or the plurality of recording media, or secret information (e.g., keys) individually managed and used for each content user by one content provider.

However, with the one-to-many relationship described above, the structure of holding secret information (keys) shared by all entities is deficient in the following respects: divulging a secret from one entity affects all other entities that use the same secret information (e.g., a key). Furthermore, when an administrator such as a content provider individually manages and uses the confidential recording and reproducing device for each content user, it is necessary to have a list for identifying all users and associating the identification data with unique confidential information (e.g., a key), thereby optimally increasing the list maintenance and management burden in proportion to the number of users.

The data processing apparatus of the present invention has solved this general problem of sharing secret information between entities using a structure for holding a master key and generating a plurality of individual keys from the master key. This structure is explained below.

In the data processing apparatus of the present invention, if different individual keys are required for each of the crypto-translation processes, authentication processes, and the like between the recording apparatus, i.e., the medium storing the content or the recording and reproducing apparatus, these individual keys are generated using individual information such as Identification Data (ID) unique to the apparatus or the medium and the individual key generation method previously determined in the recording and reproducing apparatus 300. With this structure, if any individual key generated is to be identified, damage to the entire system can be excluded by preventing the leakage of the corresponding master key. Further, the structure of generating keys from master keys may eliminate the need for an association list.

Specific examples of the structure are described below with reference to the drawings. Fig. 49 is a diagram for explaining a structure of generating a plurality of kinds of keys with a plurality of kinds of master keys held by the recording and reproducing apparatus 300. The medium 500 and the communication device 600 in fig. 49 input contents as in the foregoing embodiments. The content is encrypted by a content key Kcon, which is encrypted by an issuance key Kdi s.

For example, if the recording and reproducing apparatus 300 tries to take out a content from the medium 500 or the communication device 600 and download it to the recording apparatus 400, the recording and reproducing apparatus 300 must obtain the distribution key Kdis that encrypts the content key as described previously in fig. 2 and 39 to 41. Although the key Kdis may be directly obtained from the medium 500 and the communication means 600, or the recording and reproducing device 300 may obtain the key in advance and store it in the memory. However, the structure for distributing such keys to various users may be compromised, which may affect the overall system, as previously described.

The data processing system of the present invention is configured to generate the distribution key Kdis by applying the master key MKdis for the distribution key stored in the memory of the recording and reproducing device 300 and by generating the distribution key Kdis according to the process of the content ID, that is, Kdis ═ DES (MKdis, content ID) shown in the lower part of fig. 49. In the content distribution structure between the content provider who provides the content from the medium 500 or the communication device 600 and the recording and reproducing device 300 which is the content user, this structure can maintain advanced confidentiality without distributing the individual distribution key Kdis through the medium, the communication device, or the like or without storing them in each recording and reproducing device 300, in spite of the large number of content providers.

The generation of the authentication key kakakae is explained below. When downloading content from the recording and reproducing apparatus 300 to the recording medium 400 as described in fig. 22 and 39 or 41 or causing the recording and reproducing apparatus 300 to execute and reproduce content stored in the recording medium 400 as described in fig. 42 to 45, the recording and reproducing apparatus 300 and the recording medium 400 must perform a mutual authentication process (see fig. 20).

As shown in fig. 20, such an authentication process requires the recording and reproducing apparatus 300 to have an authentication key Kake. Although the recording and reproducing apparatus 300 may obtain an authentication key directly from, for example, the recording medium 400 or obtain and store an authentication key in advance, a structure for distributing such a key to various users may be leaked, which may affect the entire system, as described in the structure for distributing keys.

The data processing system of the present invention is configured to execute the process by applying the master key MKake for the distribution key stored in the memory of the recording and reproducing apparatus 300 and by, according to the recording apparatus ID: the IDmem process, that is, Kake ═ DES (MKake, IDmem) shown in the lower part of fig. 49 generates an authentication key Kake.

Further, when downloading content from the recording and reproducing device 300 to the recording medium 400 as described in fig. 22 and 39 or 41 or causing the recording and reproducing device 300 to execute and reproduce content stored in the recording medium 400 as described in fig. 28, 42 to 45, if the content is used only by a specific recording and reproducing device, a structure similar to that for the above-described issuing or authenticating key can be used for the recording and reproducing device signing key Kdev required to generate the integrity check value ICVdev unique to the recording and reproducing device. In the above-described embodiment, the recording and reproducing apparatus signing key Kdev is stored in the internal memory, but if the main key MKdev for the recording and reproducing apparatus signing key is stored in the memory and the recording and reproducing apparatus signing key Kdev is not stored in the memory, and if the recording and reproducing apparatus signing key Kdev is generated as needed from the recording and reproducing apparatus identifier IDdev and the main key MKdev for the recording and reproducing apparatus signing key by Kdes ═ DES (MKdev, IDdev) as shown in the lower part of fig. 49, it is not necessary for each apparatus to have the recording and reproducing apparatus signing key Kdev.

In this way, the data processing apparatus of the present invention is configured to generate information such as a key necessary for the cryptographic translation information processing between the provider and the recording and reproducing apparatus or the recording and reproducing apparatus and the recording apparatus from the master key and the respective IDs. Therefore, even if key information is leaked from each entity, the extent of damage incurred by the individual key is limited, and, as described above, it is not necessary for the individual entity to manage the key list.

Several examples of processes associated with such configurations are illustrated by display flows. Fig. 50 shows an example of a process performed by a content producer or manager for decrypting content or the like with a master key and a process performed by a user apparatus such as the recording and reproducing apparatus 300 in encryption described above for decrypting encrypted data with a master key.

In step S501, the technical content generator or manager assigns an identifier (content identifier) to the content. In step S502, the content generator or manager generates a key from the owned master key and the content ID to encrypt the content and the like. In this step, if the distribution key Kdis is to be generated, the distribution key Kdis is generated from the above-described Kdis ═ DES (MKdis, media ID). Then, in step S503, the content producer or manager encrypts part or all of the content stored in the medium with a key (e.g., distribution key Kdis). The content producer provides the content encrypted by these steps by means such as a DVD, a communication device or the like.

On the other hand, in step S504, the user equipment such as the recording and reproducing apparatus 300 reads out a content ID from content data received via a device such as a DVD, a communication device, or the like. Then, in step S505, the user device generates a key, which is used to decrypt the encrypted content, from the read-out media ID and its own master key. This generation process corresponds to, for example, the distribution key Kdis — DES (MKdis, media ID) if the distribution key Kdis is to be obtained. In step S506, the user equipment decrypts the content with the key, and uses, i.e., reproduces, the decrypted content or executes the program in step S507.

In this case, for example, as shown in the lower part of fig. 50, the content producer or manager and the user device each cause a master key (e.g., an issuance key generation master key MKdis) to sequentially generate issuance keys necessary for encrypting or decrypting the content from the master key and respective IDs (media IDs) that they own.

With this system, if the distribution key is leaked to a third party, the third party can decrypt the content, but can prevent decryption of contents having different content IDs stored in other media, thereby minimizing the negative effect of leaking one content key on the entire system. In addition, the above system does not require the user equipment, i.e., the recording and reproducing apparatus, to hold the keys associated with the lists for the respective media.

An example in which a content producer or manager holds a plurality of master keys to perform a process according to a content distribution destination is explained with reference to fig. 52.

Step S511 performed by the content producer or manager includes assigning an identifier (content ID) to the content. Step S512 includes selecting one of a plurality of master keys (e.g., a plurality of distribution key generation master keys Mkdis) held by the content generator or manager. Although detailed description will be made with reference to fig. 52, this selection process includes setting an application master key in advance for each country, each type, or each device version to which the content belongs and executing the master key according to the setting.

Then, in step S513, the content producer or manager generates an encryption key from the master key selected in step S512 and the content ID determined in step S511. If, for example, an issue key Kdis is to be generated, the key is generated from the issue key Kdis — DES (MKdis, media ID). In step S514, the content producer or manager encrypts part or all of the content stored on the medium with a key (e.g., distribution key Kdis). In step S515, the content producer issues the encrypted content through a pre-quality issue unit, such as a DVD, a communication device, or the like, which includes a content ID, used master key generation information, and the encrypted content.

On the other hand, in step S516, the user equipment such as the recording and reproducing apparatus 300, for example, determines whether it holds a master key corresponding to the master key ID in the content data distributed by the medium such as the DVD or the communication means. If there is no master key corresponding to the master key ID in the content data, the user cannot use the distributed content, and the process ends.

If the user equipment has a master key corresponding to the master key ID in the content data, the content ID is read out from the content data received via a medium, a communication device, or the like in step S517. Then, in step S518, the user device generates a key for decrypting the encrypted content from the read-out content ID and the master key it holds. If the distribution key Kdis is to be obtained, this process is to distribute the key Kdisi ═ DES (mkdis, content ID). In step S519, the content is decrypted with the key. In step S520, the decrypted contents are used, i.e., reproduction is performed or the program is executed.

In this example, as shown in the lower part of fig. 51, the content producer or manager has a master key set including a plurality of master keys such as distribution key generation master keys MKdis1 through N. On the other hand, the user device has a master key, for example the release key generation master key KKdisi, so that the content can only be decrypted if the content generator or manager uses KKdisi for encryption.

As a specific example of the aspect shown in the flow of fig. 51, fig. 52 shows an example in which a master key that varies depending on the country is applied. The content provider has master keys MK1 through n, where MK1 is used to generate keys that are used to encrypt content distributed to japanese user devices. For example, an encryption key K1 is generated from the content ID and key MK1, and the user then encrypts the content. The master keys MK1 through n are also set to key MK2 for keys used to encrypt content distributed to us user devices, key MK3 for keys used to encrypt content distributed to EU (european) user devices,

on the other hand, in the case of a user device in japan, in particular, a recording and reproducing device such as a PC or a game device sold in japan, the master key MK1 is stored in its internal memory, in the case of a user device in the united states, the master key MK2 is stored in its internal memory, and in the case of a user device in the EU, the master key MK3 is stored in its internal memory.

With this structure, the content provider selectively uses one of the master keys MK1 through n according to the user devices that can use the content, in order to encrypt the content to be distributed to the user devices. For example, in order for content to be used only by user devices in japan, a master key K1 generated with the master key MK1 is used to encrypt the content. The encrypted content can be decrypted with the master key MK1 stored in the japanese user equipment, that is, a decryption key is allowed to be generated, but the key K1 cannot be obtained from the master keys MK2 and MK3 stored in the united states and EU user equipment, respectively, so that decryption of the encrypted content can be prevented.

In this manner, a content provider can selectively set localization for a variety of content with a plurality of master keys. Fig. 52 shows an example in which different master keys are used in different countries to which the user equipment belongs, but there may be a plurality of usage forms, for example, master keys may be switched according to the type and version of the user equipment, as described above.

Fig. 53 shows an example of a process in which an identifier unique to the medium, that is, a medium ID and a master key, are combined. Here, the medium refers to, for example, a DVD or a CD in which contents are stored. The media ID may be the name of the content of an individual media, such as a movie, or unique to an individual media manufacturer. In this way, the media ID can be assigned in various ways.

In step S52, the medium producer or manager determines an identifier for the medium (medium identifier). In step S522, the media producer or manager generates a master key for encrypting the content stored in the media from the owned master key and the media ID. In this step, if the distribution key Kdis is to be generated, for example, the distribution key Kdis is generated from the above-described Kdis ═ DES (MKdis, media ID). Then, in step S523, the medium producer or manager encrypts part or all of the content stored in the medium with a key (e.g., distribution key Kdis). The media producer provides the content encrypted through these steps.

On the other hand, in step S524, the user apparatus such as the recording and reproducing apparatus 300 reads out the medium ID from the supplied medium. Then, in step S525, the user device generates a key, which is used to decrypt the encrypted content, from the read-out media ID and its own master key. This generation process corresponds to, for example, the distribution key Kdis — DES (MKdis, media ID) if the distribution key Kdis is to be obtained. In step S526. The user equipment decrypts the content with the key, and reproduces the decrypted content or executes the program in step S527.

In this example, as shown in the lower part of fig. 53, both the media producer or manager and the user device cause the master key (e.g., the distribution key generation master key MKdis) to sequentially generate distribution keys necessary for encrypting or decrypting the content from the master key and the respective IDs (media IDs) that they own.

With this system, if a media key is leaked to a third party, the third party can decrypt the content in the media, but can prevent decryption of content with a different media ID stored in other media, thereby enabling to minimize the negative effect of leaking one media key on the entire system. In addition, the above system does not require the user equipment, i.e., the recording and reproducing apparatus, to hold the keys associated with the lists for the respective media. Furthermore, the length of the content encrypted with a media key is limited to the amount that it can be stored in the media, and therefore, the content is unlikely to reach the amount of information required to attack the encrypted text, thereby reducing the possibility of decrypting the encrypted text.

Fig. 54 shows a process example in which an identifier unique to the recording and reproducing apparatus, that is, the recording and reproducing apparatus ID and the master key are combined.

In step S531, the user of the recording and reproducing apparatus generates a key for encrypting content or the like from the master key and the recording and reproducing apparatus ID stored in, for example, an internal memory of the recording and reproducing apparatus. This generation process applies Kcon — DES (MKcon, recording and reproducing apparatus ID) if, for example, the content key Kcon is to be obtained. Then, in step S532, the user decrypts the content with the key (e.g., the distribution key Kcon). In step S533, the user stores the encrypted content in a recording and reproducing apparatus such as a hard disk.

On the other hand, when a user of the recording and reproducing apparatus of the stored content requests to restore the stored data, a system manager for managing the recording and reproducing apparatus reads out the recording and reproducing apparatus ID from the recording and reproducing apparatus. Then, in step S535, the system manager generates a key, which is used to restore the encrypted content, from the read recording and reproducing apparatus ID and its own master key. Such a generation process corresponds to, for example, DES (MKcon, recording and reproducing apparatus ID) if the content key Kcon is to be obtained. In step S536, the user equipment decrypts the content with the key.

In this example, as shown in the lower part of fig. 54, both the recording and reproducing apparatus user and the system manager cause the master key (e.g., the content key generation master key MKcon) to sequentially generate distribution keys necessary for encrypting or decrypting content from the master key and the respective IDs (recording and reproducing apparatus IDs) that they own.

With this system, if a content key is leaked to a third party, the third party can decrypt the content in the medium, but can prevent decryption of content stored in other media with different recording and reproducing device IDs, thereby enabling to minimize the negative effect of leaking one content key on the entire system. In addition, the above system does not require a system administrator or user equipment to maintain keys associated with lists for each media.

Fig. 55 shows a configuration in which an authentication key used in a mutual authentication process between a slave device, for example, a recording and reproducing device such as a memory card, and a master device, for example, a recording and reproducing device, is generated from the master key. Although the authentication key is stored in the internal memory of the slave device in advance in the aforementioned authentication process (see fig. 20), the authentication key may be generated from the master key in the authentication process, as shown in fig. 55.

For example, in step S541, as an initialization process before the authentication process starts, the slave device that is the recording device generates the authentication key Kake for use in the mutual authentication process from the master key and the slave device ID stored in the internal memory of the slave device that is the recording device. The authentication key is generated by ka ke DES (MKake, slave ID). Then, in step S542, the generated authentication key is stored in the memory.

On the other hand, a master device such as a recording and reproducing device reads out a slave ID from an installed recording device, i.e., a slave device, through communication means. Then, in step S544, the master device generates a master key generation authentication key, which is used in the mutual authentication process, from the read-out slave device ID and the authentication key possessed thereby. This generation process corresponds to, for example, an authentication key Kake DES (MKake, slave ID). In step S545, the authentication key is used to perform an authentication process.

In this example, as shown in the lower part of fig. 55, both the slave device and the master device cause the authentication key generation-use key MKake to sequentially generate the distribution keys necessary for the authentication process from the master key and the slave device ID that they own.

With this system, if an authentication key is leaked to a third party, such an authentication key is valid only for the corresponding slave device, and cannot form authentication with other slave devices. Thereby minimizing the negative effects of compromised keys.

As described above, the data processing device of the present invention is configured to be able to generate information such as a key necessary for the cryptographic translation information processing between a content provider and a recording and reproducing device or between a recording and reproducing device and a recording device. Therefore, even if key information is leaked from each entity, the extent of damage incurred by the individual key is limited, and, as described above, it is not necessary for the individual entity to manage the key list.

(13) Controlling the extent of a cryptographic process during a cryptographic process

In the above-described embodiment, the cryptographic translation processing between the recording and reproducing apparatus 300 and the recording apparatus 400 is mainly described with the single DES structure-based cryptographic translation processing described with reference to fig. 7 together with an example. The encryption processing method used in the data processing apparatus of the present invention is not limited to the above-described single DES, but any encryption method may be used depending on the required security state.

For example, the triple DES method as shown in fig. 8 to 10 may be applied. For example, the password translation processing section 302 of the recording and reproducing apparatus 300 and the password translation processing section 401 of the recording apparatus 400 shown in fig. 3 may be configured to be able to execute the triple DES, and therefore, a process corresponding to the password translation processing process may be executed according to the triple DES described in fig. 8 to 10.

However, the content provider may give the highest priority to the processing speed according to the content so as to use the 64-bit content key Kcon according to the single DES method, or give the highest priority to the confidentiality so as to use the 128-or 112-bit content key Kcon according to the triple DES method. Therefore, it is not optimal to configure the crypto-translation processing section 302 of the recording and reproducing apparatus 300 and the crypto-translation processing section 401 of the recording apparatus 400 to accommodate only one of the triple DES and single DES methods. Therefore, the password translation processing section 302 of the recording and reproducing apparatus 300 and the password translation processing section 401 of the recording apparatus 400 should be configured to be able to incorporate the triple DES and single DES methods.

However, in order to configure the password translation processing section 302 of the recording and reproducing apparatus 300 and the password translation processing section 401 of the recording apparatus 400 to be able to execute the triple and single DES methods, it is necessary to provide these password translation processing sections with different circuits and logics in order to cause the recording apparatus 400 to execute a process corresponding to the triple DES, and it is necessary to store a command set for the triple DES in the command register shown in fig. 29. This complicates the processing section in the recording apparatus 400.

Therefore, with the data processing apparatus of the present invention, a configuration is proposed in which the logic of the crypt translation processing section 401 of the recording apparatus 400 is configured to accommodate the single DES while being able to execute a processing procedure corresponding to the triple DES procedure in order to store data (key, content, or the like) encrypted according to the triple DES method into the external memory 402 of the recording apparatus.

For example, in the example for the data format type 0 shown in fig. 32, when content data is downloaded from the recording and reproducing apparatus 300 to the recording apparatus 400, an authentication process is performed in step S101 described in fig. 39 showing the data of the download format type 0, and the session key Kses is generated. Further, in step S117, the password translation processing section 302 of the recording and reproducing apparatus 300 encrypts the content key Kcon with the session key Kses and transmits the encrypted key to the recording apparatus 400 via the communication means. In step S118, the password translation processing section 403 of the recording apparatus 400 that has received the encrypted key decrypts the content with the session key Kses, encrypts the data with the storage key Kstr, and passes the final key to the password translation processing section 302 of the recording and reproducing apparatus 300. The recording and reproducing apparatus 300 sequentially forms data (step S1217 and transfers the data in tape format to the recording apparatus 400, and the recording apparatus 400 stores the received data in the external memory 402.

If the cryptographic translation processing procedure executed by the cryptographic translation processing section 401 of the recording apparatus 400 between steps S117 and S118 of the above-described procedure is configured to selectively execute the single or triple DES method, the cryptographic translation processing section checks whether the content provider provides the content data with the content key Kcon a triple DES-by-single DES basis or a single DES-by-single DES basis.

Fig. 56 shows a flow for explaining a configuration in which the password translation processing method conforming to the triple DES method is executed with the password translation processing section 302 of the recording and reproducing apparatus 300 and the password translation processing section 401 of the recording apparatus 400. Fig. 56 shows an example of a process for encrypting the content key Kcon based on the triple DES method with the storage key Kstr when content data is downloaded from the recording and reproducing apparatus 300 to the recording apparatus 400. Here, an example of a process for the content key Kcon is shown, other keys or other data such as content being processed in a similar manner.

The triple DES method uses two or three keys in the following manner: the 64-bit key is used for single DES and the 128-bit key is used for triple DES, as previously described in fig. 8-10. These three content keys Kcon refer to Kcon1, Kcon2, and (Kcon 3). Kcon3 is shown in parentheses because Kcon3 may not be used.

The process in fig. 56 is explained below. In step 301, mutual authentication processing is performed between the recording and reproducing apparatus 300 and the recording apparatus 400. This mutual authentication process is performed in the process described previously in fig. 20. In this authentication process, the session key Kses is generated.

Once the authentication process in step S301 is completed, the integrity check values ICV including the integrity check values a and B, the content integrity check value, and the integrity check value are compared.

When all the check values (ICVs) are compared and it is judged that no data has been tampered with, the processing proceeds to step S303, and in step S303, the control section 306 of the recording and reproducing device crypt translation processing section 302 of the recording and reproducing device 300 decrypts with the encryption/decryption section 308 of the recording and reproducing device crypt translation processing section 302 and the content Kcon that the previously obtained or generated distribution key Kdi S is stored in the header section of data obtained from the medium 500 or received from the communication apparatus 600 through the communication section 305. The content keys are in this case triple DES type keys such as content keys Kcon1, Kcon2 and (Kcon 3).

In step S304, the control section 306 of the recording and reproducing apparatus crypt translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing apparatus crypt translation processing section 302 to encrypt only the content key Kcon1 among the content keys Kcon1, Kcon2, and (Kcon3) with the session key Kses sharable in the mutual authentication process.

The control section 301 of the recording and reproducing apparatus 300 reads out data containing the key Kcon1 encrypted with the session key Kses from the recording and reproducing apparatus password translation processing section 302 of the recording and reproducing apparatus 300. The control section 301 then transfers these data to the recording device 400 through the recording device controller 303 of the recording and reproducing device 300.

Then, upon receiving the content key Kcon1 transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device password translation processing section 401 to decrypt the received content key Kcon1 with the session key Kses sharable in the mutual authentication process. Further, in step S306, the recording apparatus 400 causes the encryption/decryption section 406 to re-encrypt the decrypted content key with the storage key Kstr unique to the recording apparatus stored in the internal memory 405 of the recording apparatus password translation processing section, and transmits the re-encrypted key to the recording and reproducing apparatus 300 through the communication section 404.

In step S307, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to encrypt only the content key Kcon2 among the content keys Kcon1, Kcon2, and (Kcon3) decrypted in step S303, with the session key Kses sharable in the mutual authentication process.

The control section 301 of the recording and reproducing apparatus 300 reads out data containing the key Kcon2 encrypted with the session key Kses from the recording and reproducing apparatus password translation processing section 302 of the recording and reproducing apparatus 300. The control section 301 then transfers these data to the recording device 400 through the recording device controller 303 of the recording and reproducing device 300.

In step 308, upon receiving the content key Kconz transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device password translation processing section 401 to decrypt the received content key Kcon2 with the session key Kses sharable in the mutual authentication process. Further, in step S309, the recording apparatus 400 causes the encryption/decryption section 406 to re-encrypt the decrypted content key with the storage key Kstr unique to the recording apparatus stored in the internal memory 405 of the recording apparatus password translation processing section, and transmits the re-encrypted key to the recording and reproducing apparatus 300 through the communication section 404.

Then, in step S310, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to encrypt only the content key Kcon3 among the content keys Kcon1, Kcon2, and (Kcon3) decrypted in step S303, with the session key Kses sharable in the mutual authentication process.

The control section 301 of the recording and reproducing apparatus 300 reads out data containing the key Kcon3 encrypted with the session key Kses from the recording and reproducing apparatus password translation processing section 302 of the recording and reproducing apparatus 300. The control section 301 then transfers these data to the recording device 400 through the recording device controller 303 of the recording and reproducing device 300.

Then, in step S311, upon receiving the content key Kcon3 transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device password translation processing section 401 to decrypt the received content key Kcon3 with the session key Kses sharable in the mutual authentication process. Further, in step S312, the recording apparatus 400 causes the encryption/decryption section 406 to re-encrypt the decrypted content key with the storage key Kstr unique to the recording apparatus stored in the internal memory 405 of the recording apparatus password translation processing section, and transmits the re-encrypted key to the recording and reproducing apparatus 300 through the communication section 404.

Then, in step S313, the password translation processing section of the recording and reproducing apparatus constitutes a plurality of data formats described in fig. 32 to 35 and transmits them to the recording apparatus 400.

Finally, in step S314, the recording apparatus 400 stores the received data in the band format in the external memory 402. These format data include content keys Kcon1, Kcon2, and (Kcon3) encrypted with the storage key Kstr.

The above-described procedure can store the content key stored in the recording apparatus 400 as a key according to the triple DES cryptosystem. If only the two content keys Kcon1 and Kcon2 are used, the processing from steps S310 to S312 is omitted.

As described above, the recording apparatus 400 can store the key with the triple DES applied thereto in the memory by repeating the processing procedure of the same aspect, i.e., the processing steps in step S305 and step S306, a plurality of times in the case where only the object is changed. If the single DES is applied to the content key Kcon, steps S305 and S306 may be performed so as to perform the formatting process in step S313 before storing the key in the memory. This structure can store the command for performing the processes in steps S305 and S306 into the command register previously described in fig. 29 and perform the above processes one to three times according to the aspect of the key, i.e., whether the key is based on the triple or single DES method. Accordingly, the processes based on the triple and single DES methods may be performed without including the triple DES processing method in the processing logic of the recording apparatus 400. In this regard, the cryptographic system may be recorded within a usage policy in the header of the content data for determination by reference to the usage policy.

(14) Program launch procedure based on launch priority in content data usage policy

As can be seen from the content data structures described in fig. 4 to 6, the usage policy stored in the header part of the content data used by the data processing device of the present invention contains the content type and the start priority. In the case of a plurality of kinds of accessible content data recorded in a plurality of kinds of recording media such as the recording apparatus 400, DVD, CD, hard disk, or game box, the recording and reproducing apparatus 300 in the data processing apparatus of the present invention can determine the order of starting these contents in accordance with the start priority.

The recording and reproducing device 300 performs mutual authentication with a plurality of recording devices such as respective recording devices DVD devices, CD drive devices, and hard disk drive devices, and then executes programs in the content data in accordance with priorities in the content data at the highest priority. The following explains "program startup procedure based on startup priority in content data use policy"

The above description of the data processing apparatus of the present invention has focused on the processing procedures performed if the recording and reproducing apparatus 300 reproduces and executes content data from one recording apparatus 400. However, the recording and reproducing apparatus 300 is generally configured to be able to access DVDs, CDs, and hard disks and recording media such as memory cards and game boxes connected through the PIO111 or the STO112 through the reading section 304 in addition to the recording apparatus 400. In fig. 2, only one reading section is illustrated to avoid complicating the drawing, and the recording and reproducing apparatus 300 may have different recording media such as a DVD, a CD, a floppy disk, and a hard disk, which are installed in parallel in the recording and reproducing apparatus.

The recording and reproducing apparatus 300 has access to a plurality of recording media each storing content data. Content data provided by an external content provider such as a CD is stored in the medium in the data structure shown in fig. 4 or in each recording medium such as a memory card in the content data structure shown in fig. 26 or 27 in the case where the data is taken out of the medium or downloaded through a communication device. Further, specifically, content data is stored on a medium and a recording apparatus in different formats according to the format type thereof, as shown in fig. 32 to 35. In this case, the usage policy in the header of the content data contains the content type and the start-up priority.

A procedure for starting content performed by a recording and reproducing apparatus in the case where a plurality of content data is accessible is explained in accordance with the above-described flow.

Fig. 57 shows a flow showing an example (1) of a process in which there are a plurality of content data that can be started. In step S611, a recording apparatus accessible by the recording and reproducing apparatus 300 is authenticated. Accessible recording devices include memory cards, DVD devices, CD drives, hard disk devices, and game boxes or similar devices connected, for example, by a PIO111 or SIO 112. Each recording apparatus is authenticated under the control of the control section 301 shown in fig. 2, for example, according to the procedure described previously with reference to fig. 20.

In step S612, a startable program is detected from the content data stored in the memory of the successfully authenticated recording apparatus. Specifically, this process is performed as a process of extracting content for which the content type representation included in the usage policy of the content data is a program.

In step S613, the priority of the program that can be started and has been extracted in step S612 is determined. Specifically, this process corresponds to comparing the priorities in the usage policy contained in the headers of the plurality of content data that can be started in step S612 to select the highest priority.

Then, in step S614, the selected program is started. If the plurality of programs that can be started have the same priority, a default priority is set for the recording apparatus, and therefore, the content program having the highest priority stored in the apparatus can be executed.

Fig. 58 shows an example (2) of a processing procedure, i.e., a procedure for a plurality of pieces of content that can be started, in which identifiers are set for a plurality of recording apparatuses, and thus, a content program can be sequentially authenticated and retrieved in the case of a recording apparatus with an identifier.

In step S621, the recording apparatus (i) installed in the recording and reproducing apparatus 300 is authenticated. Identifiers 1 to n are sequentially given to the (n) recording apparatuses 400.

In step S622, it is determined whether the authentication in step S621 is successful, and if so, the process proceeds to step S623, where a startable program is retrieved from the recording medium of the recording apparatus (i). If the authentication fails, the process proceeds to step S627 where it is determined whether there is a new recording apparatus from which the content is retrieved. In the case where there is no such recording apparatus, the processing procedure is ended, otherwise, the processing procedure proceeds to step S628 to update the recording apparatus identifier and repeats step S621 and the subsequent authentication processing steps.

In step S623, a startable program is detected from the content data stored in the recording apparatus (i). Specifically, this process is performed as a process of extracting content for which the content type representation included in the usage policy of the content data is a program.

In step S624, it is determined whether or not the content whose content type is a program is extracted. If the content has been extracted, the extracted program having the highest priority is selected in step S626.

If it is determined in step S624 that the unextracted content type is the content of the program, the process proceeds to step S627 to determine whether there is a new recording apparatus from which the content is retrieved. In the case where there is no such recording apparatus, the processing procedure is ended, otherwise, the processing procedure proceeds to step S628 to update the recording apparatus identifier i and repeats step S621 and the subsequent authentication processing steps.

FIG. 59 shows a flow that illustrates an example of a process for multiple content that may be launched. In step S651, a recording apparatus accessible by the recording and reproducing apparatus 300 is authenticated. Authenticating accessible DVD devices, CD drives, hard disk devices, and game boxes or the like. Each recording apparatus is authenticated under the control of the control section 301 shown in fig. 2, for example, according to the procedure described previously with reference to fig. 20.

In step S652, a startable program is detected from the content data stored in the memory of the successfully authenticated recording apparatus. Specifically, this process is performed as a process of extracting content for which the content type representation included in the usage policy of the content data is a program.

Then, in step S653, information that has been extracted in step S652, such as the name of the bootable program, is displayed on the display device. Although a display device is not shown in fig. 2, AV output data may be output to a display device (not shown). User-supplied information such as a program name for each piece of content data is stored in the content ID of the content data, and therefore, program information such as a program name for each authenticated piece of content data can be output to the output device by the control section 301 under the control of the main CPU106 shown in fig. 2.

In step S654, the main CPU106 receives a program selection input by the user from, for example, the input interface, the controller, the mouse, or the keyboard through the interface 10, and in step S655, starts the program selected by the user according to the selection input.

As described above, in the data processing apparatus of the present invention, the program start priority is stored in the use policy of the header of the content data, and therefore, the recording and reproducing apparatus 300 can start the program according to the priority, or the display device displays start information from which the user can select a predetermined program. This configuration eliminates the need for a retrieval procedure, thereby saving time and labor required for startup. Furthermore, the initiable program is started after all recording devices have been authenticated or shown to be such a program, thereby eliminating the complexity of processing such as requiring a confirmation process after selection.

(15) Content structure and rendering (decompression) process

In the data processing apparatus of the present invention, the recording and reproducing apparatus 300 downloads content from the medium 500 or the communication device 600 or reproduces data from the recording apparatus 400, as previously described. The above description has focused on the encrypted data processing process in connection with the downloading or reproduction of content.

The control section 301 of the recording and reproducing apparatus 300 in fig. 3 generally controls authentication, encryption, and decryption processes related to downloading or reproduction from the apparatus 500, the communication device 600, or the recording apparatus that provides content data such as a DVD.

Reproducible content resulting from these processes is for example sound or image data or similar. The decrypted data from the control section 301 is placed under the control of the main CPU shown in fig. 2 and output to the AV output section in accordance with the sound or image data or the like. However, if the content is, for example, sound data compressed by MP3, the MP3 decoder in the AV output portion shown in fig. 2 decrypts and outputs the sound data. Further, if the content data is an MPEG 2-compressed image, the MP2 decoder in the AV output section decompresses and outputs the image data. In this way, the data contained in the content data may or may not be compressed (encoded) and output according to the content after processing.

However, since there are a plurality of types of compression and decompression processing programs, even if a content provider provides compressed data, the data cannot be reproduced without a corresponding decompression processing execution program.

Therefore, the present invention discloses a data processing apparatus in which compressed data and a decryption (decompression) processing program for the data are stored in data content, or link information for the compressed data and a decryption (decompression) processing program for the information are stored as header information in content data.

Fig. 60 is a diagram obtained by simplifying components related to the structure from the overall perspective of data processing shown in fig. 2. The recording and reproducing apparatus 300 receives a variety of contents from an apparatus 500 such as a DVD or a CD, a communication device 600, or a recording apparatus 400 such as a memory card storing contents. These contents include various data such as sound data, still images, moving picture data, and program data that have been or have not been encrypted or compressed.

If the received content has been encrypted, a decryption process is performed in accordance with the control of the crypto-translation process by the control section 301 and the crypto-translation process section 302 by a method such as the above-described method. The decrypted data is transferred to the AV processing portion 109 under the control of the CPU106, where the data is stored in the memory 3090 of the AV processing portion 109. Then, the content analysis unit 3091 analyzes the structure of the content. If, for example, a data compression program is stored in the content, the program is stored in the program storage portion 3093. If the content contains sound or image data or the like, these data are stored in the data storage portion 3092. The compression and decompression processing portion 3094 decompresses the compressed data stored in the data storage portion 3092 with a decompression processing program such as MP3 stored in the program storage portion. Then, the data is output to the speaker 3001 or the monitor.

Some examples of the structure of data received by the AV processing portion 109 through the control portion 301 and related processing procedures are explained below. Here, sound data is shown as an example of content, and content to which MP3 is applied is explained as representative compressed data. However, this structure is also applicable to image data and sound data, and not only the MP3 decompression program but also other various such programs for MPEG2 or MPEG4 can be applied.

Fig. 61 shows an example of a content structure. This figure shows music data 6102 compressed by an MP3 and an MP3 decryption (decompression) processing program 6101, which are integrated together into one content. Such contents are each stored in the medium 500 or the recording apparatus 400 and distributed from the communication device 600 as a single content. If these contents have been encrypted as described above, the recording and reproducing apparatus 300 decrypts the contents with the password translation processing section 303 and passes it to the AV processing section 109.

The AV processing unit 109d has a content analysis unit 3091 which extracts a sound data decompression program (MP3 decoder) unit from the content including the sound data decompression program (MP3 decoder) unit and the compressed sound data unit, stores the extracted sound data decompression program (MP3 decoder) unit in the program storage unit 3093, and stores the compressed sound data in the data storage unit 3092. The content analysis section 3091 may receive information such as a content name or content structure information in addition to the content, or analyze the content based on identification data such as a data name or other data such as a data length or a data structure contained in the content. Then, the compression and decompression section 3094 decompresses the MP3 compressed sound data stored in the data storage section 3092 according to the sound data decompression program (MP3 decoder) stored in the program storage section 3093. The AV processing portion 109 then outputs the decompressed sound data to the speaker 3001.

Fig. 62 shows a flowchart showing one example of a process for reproducing the data of the content structure of fig. 61. In step S671, if the content is sound data, information such as the title of music, for example, of the data name stored in the memory 3090 of the AV processing portion 101 is taken out from the information independently received from the content or from the content data and displayed on the monitor 3002. In step S672, a user selection is received from one of various input devices such as a switch and a keyboard through the input interface 110, and then a reproduction processing command based on the user input data is output to the AV processing section 109 under the control of the CPU 106. In step S673, the AV processing unit 109 extracts and decompresses the data selected by the user.

Fig. 63 shows a configuration example in which content contains compressed sound data or a decompression processing program and also content information indicating what the content contains is contained as header information for each content.

As shown in fig. 63, if the content is a program 6202, the content contains content identification information as header information 6201, which indicates that the content is a program and the type of the program is decompressed for MP 3. On the other hand, if the sound data 6204 is contained as the content, the content information in the header 6203 indicates that the data has been MP3 compressed. The above-mentioned header information can be configured by selecting only information necessary for reproduction from data contained in the use policy (see fig. 5) of the above-mentioned content data structure shown in fig. 4, for example, and adding the information to the content passed to the AV processing section 109. Specifically, identification values for use policy data necessary for the cryptographic translation processing section 302 and for data necessary for the AV processing section 109 during reproduction are added to the respective constituent data of the "use policy" shown in fig. 5, and only data indicating that these identification values are necessary for the AV processing section 109 is extracted as header information.

Upon receiving each of the contents shown in fig. 63, the content analysis section 3091 of the AV processing section 109 stores the program content in the program storage section 3093 in the case where the content is a program or in the data storage section 3092 in the case where the content is data, based on the header information. Thereafter, the compression and decompression section 3094 takes out the data from the data storage section and decompresses the data according to the MP3 program stored in the program storage section 3093 before outputting the decompressed data. If the program storage portion 3093 has the same program already stored therein, the program storage process may be omitted.

Fig. 64 shows a flow showing one example of a process for reproducing the data of the content structure of fig. 63. In step S675, if the content is sound data, the data name (e.g., information such as the title of music) stored in the memory 3090 of the AV processing section 101 is extracted from the information received independently from the content or from the header of the content and displayed on the monitor 3002. In step S676, a user selection is received from one of a variety of input devices, such as a switch and a keyboard, via the input interface 110.

Then, in step S677, a content reproduction program (for example, MP3) corresponding to the user selection is retrieved. The maximum range of such program retrieval is preferably set as the possible access range of the recording and reproducing apparatus 300, and, for example, the medium 500, the communication device 600, and the recording apparatus 400 shown in fig. 60 are all included in the retrieval range.

Only the content passed to the AV processing section 109 is a data section, and the program content may be stored in another recording medium of the recording and reproducing apparatus 300 or provided by a content provider through a medium such as a DVD or a CD. Accordingly, the retrieval range is set to a possible retrieval range of the recording and reproducing apparatus 300. When a reproduction program is found as a result of the search, a reproduction processing command based on user input data is output to the AV processing section 109 under the control of the CPU 106. In step S679, the AV processing unit 109 extracts data and decompresses the data according to the selection of the user. In another embodiment, the program retrieval is performed before step S675, so that only data for which a program has been detected is displayed in step S675.

Fig. 65 shows a configuration example in which content contains compressed sound data 6303 and a decompression processing program 6302 and also contains content reproduction priority as header information 6301 for the content. This is an example of the content structure shown in fig. 61 described above, with the reproduction priority added thereto as header information. As in the above-described section "(14) program startup procedure of startup priority based on content data usage policy", the reproduction order is determined according to the reproduction priority set between the contents received by the AV processing portion 109.

Fig. 66 shows a flow showing one example of a process for reproducing the data of the content structure of fig. 65. In step S681, data stored in the memory 3090 of the AV processing portion 109, that is, data information for reproduction is set in the search list. The search list is set with some area of the memory of the AV processing portion 109. Then, in step S682, the content analysis unit 3091 of the AV processing unit 109 selects the data with the highest priority, and in step S683, reproduces the selected data.

Fig. 67 shows a configuration example in which content contains header information and program data 6402 or a combination of header information 6403 and compression data 6404, and only the header 6403 of the data content is added with reproduction priority.

Fig. 68 shows a flow showing an example of a process for reproducing the data of the content structure of fig. 67. In step S691, data information for reproduction, which is data stored in the memory 3090 of the AV processing unit 109, is set in the search list. The search list is set with some area of the memory of the AV processing portion 109. Then, in step S692, the content analysis unit 3091 of the AV processing unit 109 selects the data of the highest priority.

Then, in step S693, a content reproduction program (e.g., MP3) corresponding to the user selection is retrieved. As in the flow of fig. 64, the maximum range of such program retrieval is preferably set as the possible access range of the recording and reproducing device 300, and, for example, the medium 500, the communication means 600, and the recording device 400 shown in fig. 60 are all included in the retrieval range.

When the reproduction program is found as a result of the search (yes in step S694), the selected data is decompressed and reproduced by the program obtained as a result of the search.

On the other hand, if a reproduction program is not found as a result of the retrieval (yes in step S694), the processing proceeds to step S696 to delete those data that must be reproduced with the same program, among the remaining data contained in the retrieval list set in step S691. This is because, obviously, a new attempt to retrieve the reproduction program from these data fails. Further, when it is judged whether or not the retrieval list is empty, and if it is judged that the list is not empty, the processing returns to step S692 to extract the next highest priority data, thereby executing the program retrieval process.

Therefore, according to this structure, if the compressed content is constituted with its decryption (decompression) program or includes only data obtained by compressing the content or includes only a decompression processing program, since the content has header information indicating what compressed data the content is or what process the content performs, a processing section (e.g., AV processing section) receiving the content uses the decompression processing program connected to the compressed data to perform decompression or reproduction processing or retrieves and decompresses the reproduction program based on the header information in the compressed data, thereby performing decompression and reproduction based on the program obtained as a result of the retrieval. This eliminates the need for a process performed by the user, such as selecting and retrieving a data decompression program, thereby reducing the burden on the user and thus enabling efficient data reproduction. Also, a structure with reproduction priority in the header can automatically set the reproduction order, thereby leaving the user free from an operation of setting the reproduction order.

In the above-described embodiment, the MP3 is regarded as an example of a decompression processing program for compressed sound data content and sound compressed data, but such a structure is also applicable to content of a decompression processing program containing compressed data or compressed image data and can provide similar effects in this case.

(16) Generating save data and storing the save data in a recording apparatus and reproducing the save data from the recording apparatus

For example, if the content executed in the recording and reproducing device 300 is a game program or the like, and if the game program is to be continued for a predetermined time after suspension, the state of the game or the like at the time of suspension is to be saved, i.e., stored in the recording device, so as to be able to be read out at the time of continuation, thereby continuing the game.

In a recording and reproducing apparatus generally used for a game apparatus, a personal computer, or the like, the saved data retention structure is provided with a structure for retaining the saved data in a recording medium such as a memory card, a floppy disk, a game box, or a hard disk that can be embedded in the recording and reproducing apparatus or externally connected to the recording and reproducing apparatus. However, specifically, these recording and reproducing apparatuses do not have a structure for maintaining the confidentiality of save data, and thus can perform save processing with a specification common to, for example, game applications.

Thus, for example, the save data saved with the recording and reproducing apparatus a can be used to be overwritten by other game programs; little attention is paid to the confidentiality of the stored data.

The data processing apparatus of the present invention provides a structure that can maintain the confidentiality of stored data. For example, save data for a certain game program may be encrypted before being stored to a recording apparatus based on information used only by the game program. In addition, the save data may be encrypted before being stored to the recording apparatus according to information unique to the recording and reproducing apparatus. These methods may limit the use of the saved data to a particular device or program in order to maintain the confidentiality of the data. Next, description will be made of "generating save data and storing the save data in a recording device and reproducing the save data from the recording device" in the data processing device of the present invention "

FIG. 69 is a block diagram for explaining a save data storing process in the data processing apparatus of the present invention. The content from the medium 500 such as a DVD or a CD or the communication means 600 is provided to the recording and reproducing apparatus 300. The provided content has been encrypted with a content key Kcon, which is a key unique to the content as described above, and the recording and reproducing device 300 can obtain the content key according to the procedure described in "(7) procedure for downloading from the recording and reproducing device to the recording device" (see fig. 22) to decrypt the encrypted content and then store it into the recording device 400. The following description relates to a procedure performed by the recording and reproducing apparatus 300 for decrypting a content program from a medium or a communication device, reproducing and executing the program, and then storing the obtained save data in one of the plurality of recording apparatuses 400A, 400B, and 400C such as an external or built-in memory card and a hard disk for reproduction, or downloading the content in the recording apparatus 400A, reproducing and executing the content from the recording apparatus 400A, and storing the final save data in the processing and recording apparatus 400 so as to store the save data in any one of the plurality of recording apparatuses 400A, 400B, and 400C such as an external or built-in memory card and a hard disk for reproduction and reproducing the save data.

As described previously, the recording and reproducing apparatus 300 has: a recording and reproducing apparatus identifier IDdev; a system authentication key Ksys which is a signature key shared by the whole system; a recording and reproducing apparatus signature key Kdev which is unique to the individual recording and reproducing apparatus; and a master key for generating a plurality of individual keys. As detailed in "(12) structure for generating a cryptographic translation process key based on a master key", the master key is used to generate, for example, an issue key KKdis or an authentication key Kake. Here, the type of the master key is not particularly limited, but a key representing the master key of the recording and reproducing apparatus 300 is denoted by MKx. Fig. 69 shows an example of the cipher translation key Ksav for saving data in the lower part.

Saving the data-cipher translation key: ksav ═ Kcon

Saving the data-cipher translation key: ksav ═ Ksys

Saving the data-cipher translation key: ksav ═ Kdev

Saving the data-cipher translation key: ksav content ID or DES (MKx, content ID)

Saving the data-cipher translation key: ksav ═ recording and reproducing device id (iddev) or DES (MKx, recording and reproducing device id (iddev))

Saving the data-cipher translation key: ksav ═ (Kcon ^ Kdev) or DES (MKx, Kcon ^ Kdev)

Saving the data-cipher translation key: ksav ═ content ID ^ Kdev or DES (MKx, content ID ^ Kdev)

Saving the data-cipher translation key: ksav ═ KCON ^ recording and reproducing device ID or DES (MKx, KCON ^ recording and reproducing device ID)

Saving the data-cipher translation key: ksav ═ (content ID ^ recording and reproducing device ID) or DES (MKx, content ID ^ recording and reproducing device ID)

Saving the data-cipher translation key: ksav password, DES (MKx, password), or the like

The save data cipher translation key Ksav is used for an encryption process that is executable to store the save data in one of the plurality of recording apparatuses 400A to C and a decryption process that is executable to reproduce the save data from the one of the plurality of recording apparatuses 400A to C. The process of storing and reproducing the save data is explained below with reference to fig. 70 and subsequent figures.

Fig. 70 is a flow of a process of storing save data in one of the recording apparatuses 400A to C with a key unique to content or a system common key. The processes in each flow are performed by the recording and reproducing apparatus 300, and the recording apparatus 400 that stores the save data in each flow may be any one of the external recording apparatuses 400A to C and is not limited to a specific one.

In step S701, the recording and reproducing apparatus 300 reads out a content ID such as a game ID. Such an ID is data contained in the identification information of the content data shown in the previous fig. 4, 26, 27, and 32 to 35. Upon receiving a command for storing save data through the interface shown in fig. 2, the main CPU106 instructs the control section 301 to read the content ID.

If the execution program is content from a DVD, CD-ROM or the like executed by the reading section 304, the control section 301 extracts identification information from the header of the content data by the reading section, and if the execution program is content stored in the recording apparatus 400, the control section 301 extracts the identification information by the recording apparatus controller 303. If the recording and reproducing apparatus 300 is executing a content program and the content ID has been stored in the RAM or other accessible recording medium of the recording and reproducing apparatus, the identification information contained in the loaded data may be used without executing a new reading program.

In step S702, the processing procedure is changed according to whether the program is localized. Program localization is used to set whether to increase the limit of using the save data only by this program, to make the save data only for use by this program, i.e., "program localization" to "yes", and to prevent the use of data from being limited to this program, i.e., "program localization" to "no". This point may be arbitrarily set by the user or may be set by the content producer and stored into the content program, and the localization of the setting is stored as a data management file in one of the recording apparatuses 400A to C of fig. 69.

Fig. 71 shows an example of a data management file. The data management file is generated as a table containing entries including data numbers, contents IDs, recording and reproducing apparatus IDs, and program localizations. The content ID is a content program for which save data is saved. The recording and reproducing apparatus ID indicates a recording and reproducing apparatus in which the save data has been stored, and an example thereof is [ IDdev ] shown in fig. 69. The program localization is set to "yes" in order to make the saved data usable only by this program, and the program localization is set to "no" in order to prevent limiting the use of the data to this program. The program localization may be arbitrarily set by the user with the content program or may be set by the content producer and stored into the content program.

The flow is continued with reference to fig. 70. If the program localization is set to "yes" in step S702, the processing proceeds to step S703. In step S703, a content-unique key such as the content key Kcon is read out from the content data and used as the held data cipher translation key Ksav, or the held data cipher translation key Ksav is generated from the content-unique key.

On the other hand, if the program localization is set to "no" in step S702, the processing proceeds to step S707. In step S707, the system common key stored in the recording and reproducing apparatus 300, for example, the system signature key Ksys, is read out from the internal memory 307 of the recording and reproducing apparatus 300 and used as the held data cipher translation key Ksav, or the held data cipher translation key Ksav is generated from the system signature key Ksys. In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data cryptographic translation key Ksav.

In step S704, the process of encrypting the save data is performed with the save data cipher translation key Ksav selected or generated in step S703 or S707. The encryption process is executed by applying, for example, the DES algorithm described above with the crypto-translation processing section 302 of fig. 2.

In step S705, the save data encrypted in step S704 is stored in the recording apparatus. If there are a plurality of recording apparatuses capable of storing the save data as shown in fig. 69, the user selects the recording apparatuses 400A to C as the save data storage destinations in advance. Further, in step S706, "yes" or "no" of the program localization set in step S702, i.e., the program localization, is written to the data management file described with reference to fig. 71.

Thus, the process for storing the save data is completed. In step S702, the content program having no content unique key information can be prevented from decrypting the save data that is selected as yes in step S702 for program localization and encrypted with the save data encryption key Ksav generated from the content unique key in step S703, and therefore, these save data can be used only by the content program having the same content key information. In this case, however, the save data encryption key Ksav is not generated from information unique to the recording and reproducing apparatus, and therefore, save data stored in a removable recording apparatus such as a memory card can be reproduced from a different recording and reproducing apparatus as long as it can be used with a corresponding content program.

In addition, even if a program having a different content identifier is used or a different recording and reproducing apparatus is used, the save data which is program-localized-no in step S702 and encrypted with the save data encryption key Ksav generated from the system common key in step S707 can be reproduced and used.

Fig. 72 shows a flow illustrating a process for reproducing the save data stored by the save data storing process of fig. 20.

In step S711, the recording and reproducing apparatus 300 reads out a content ID such as a game ID. This is a procedure similar to the step S701 of reading out data contained in the identification information of the content data described in fig. 70,

such IDs are previously shown in fig. 4, 26, 27 and 32 to 35. Upon receiving a command for storing save data through the interface shown in fig. 2, the main CPU106 instructs the control section 301 to read the content ID.

In step S712, the data management file shown with reference to fig. 71 is read out from one of the recording apparatuses 400 to C shown in fig. 69, and the content ID read out in step S711 and the program localization of the corresponding settings are extracted therefrom. If the data management file has the program localization set to "yes", the processing proceeds to step S714, whereas if the data management file has the program localization set to "no", the processing proceeds to step S717.

In step S714, a content-unique key such as the content key Kcon is read out from the content data and used as the stored data decryption key Ksav, or the stored data decryption key Ksav is generated from the content-unique key. Such a decryption key generation process uses a processing algorithm corresponding to the encryption key generation process, that is, a decryption key generation algorithm capable of decrypting data encrypted according to a certain content unique key with a decryption key generated according to the same content unique key.

On the other hand, if it is determined in step S712 that the data management file has program localization set to "no", the system common key stored in the recording and reproducing apparatus 300 is read out from the internal memory 307 of the recording and reproducing apparatus 300 and used as the save data decryption key Ksav in step S717, or the save data decryption key Ksav is generated from the system signature key Ksys. In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data cryptographic translation key Ksav.

In step S715, the process of decrypting the save data is performed with the save data decryption key Ksav selected or generated in step S714 or S717, and in step S716, the decrypted save data is reproduced and executed in the recording and reproducing apparatus 300.

Thus, the reproduction process for save data is completed. If the data management file has program localization set to "yes", the save data decryption key is generated from the content unique key, and if the data management file has program localization set to "no", the save data decryption key is generated from the system common key. If the data management file has program localization set to "yes", the decryption key cannot decrypt the saved data without the same content ID for the content.

Fig. 73 and 74 show the save data storage and reproduction flow that generates the save data encryption and decryption keys with the content IDs, respectively.

In fig. 73, steps S721 to 722 are similar to steps S701 and 702 in fig. 70, and therefore, their description is omitted.

In the save data storage flow in fig. 73, if the program localization is set to yes in step S722, in step S723, the content ID is read out from the content data and used as the save data decryption key Ksav, or the save data decryption key Ksav is generated based on the content ID. For example, the password translation processing section 307 of the recording and reproducing apparatus 300 may apply the master key MKx stored in the internal memory of the recording and reproducing apparatus 300 to the content ID read out from the content data to obtain the held data decryption key Ksav, for example, according to DES (MKx, content ID). In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data cryptographic translation key Ksav.

On the other hand, if the program localization is set to "no" in step S722, in step S727, the system common key, e.g., the system signing key Ksys, stored in the recording and reproducing device 300 is read out from the content data and used as the save data encryption key Ksav, or the save data encryption key Ksav is generated from the system signing key. In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data decryption key Ksav.

The processes of step S724 and subsequent steps are similar to those of step S704 and subsequent steps of the flow of fig. 70, and the description thereof is omitted.

Fig. 74 shows a flow for reproducing and executing the save data stored in the recording apparatus in the save data storing flow shown in fig. 73, and steps S731 to S733 are similar to the corresponding processes described in fig. 72 except for step S734. In step S734, the content ID is read out from the content data and used as the stored data decryption key Ksav, or the stored data decryption key Ksav is generated from the content ID. Such a decryption key generation process uses a processing algorithm corresponding to the encryption key generation process, that is, a decryption key generation algorithm capable of decrypting data encrypted according to a certain content ID with a decryption key generated according to the same content ID.

Subsequent process steps S735, S736, and S737 are similar to the corresponding processes in fig. 72, and therefore, their description is omitted. According to the stored data storing and reproducing process of fig. 73 and 74, if the program localization is set to "yes", the content ID is used to generate the stored data encryption and decryption key, and therefore, as in the above-described stored data storing and reproducing process using the content unique key, in the case where the respective content programs do not match, the stored data cannot be obtained, so that the stored data can be stored more securely.

Fig. 75 and 77 show the save data storage (fig. 75) and reproduction (fig. 77) flows for generating the save data encryption and decryption keys with the recording and reproduction apparatus unique key, respectively.

In fig. 75, step S741 is similar to step S701 in fig. 70, and a description thereof will be omitted. In step S742, localization is set or not set for the recording and reproducing apparatus. In the case where a specific recording and reproducing apparatus which can use the save data is localized, that is, in the case where the recording and reproducing apparatus is localized, that is, the save data is used only by the recording and reproducing apparatus which has generated and stored the data, the recording and reproducing apparatus is localized to yes, and, in order to enable other recording and reproducing apparatuses to use the save data, the recording and reproducing apparatus is localized to no. If the localization of the recording and reproducing apparatus is set to "yes" in step S742, the process proceeds to step S743, and if the localization is set to "no," the process proceeds to step S747.

Fig. 76 shows an example of the data management file. The data management file is generated as a table containing entries including a data number, a content ID, a recording and reproducing apparatus ID, and a recording and reproducing apparatus localization. The content ID is a content program for which save data is saved. The recording and reproducing apparatus ID indicates a recording and reproducing apparatus in which the save data has been stored, and an example thereof is [ IDdev ] shown in fig. 69. The recording and reproducing apparatus localization is set to yes in order to limit the use of the save data to a specific recording and reproducing apparatus, i.e., to make the save data used only by the recording and reproducing apparatus that has generated and stored the data, or the recording and reproducing apparatus localization is set to no in order to make other recording and reproducing apparatus use the save data. The recording and reproducing apparatus localization may be arbitrarily set by a user with a content program or may be set by a content producer and stored in the content program.

In the save data storage flow of fig. 75. If the recording and reproducing apparatus localization is set to "yes" in step S742, a key unique to the recording and reproducing apparatus, such as the recording and reproducing apparatus signature key Kdev, is read out from the internal memory 307 of the recording and reproducing apparatus 300 and used as the save data encryption key Ksav, or the save data encryption key Ksav is generated from the recording and reproducing apparatus signature key. In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data decryption key Ksav.

On the other hand, if it is determined in step S742 that the recording and reproducing apparatus localization is set to "no", the system common key, e.g., the system signature key Ksys, stored in the recording and reproducing apparatus 300 is read out from the internal memory 307 of the recording and reproducing apparatus 300 and used as the save data encryption key Ksav in step S747, or the save data encryption key Ksav is generated from the system signature key. In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data decryption key Ksav.

The processing in steps S744 to 725 is similar to the corresponding processing in the flow of fig. 72 described above, and the description thereof is omitted.

In step S746, the content ID, the recording and reproducing apparatus ID, and the recording and reproducing apparatus localization yes/no set by the user in step S742 are written to the data management file (see fig. 76).

Further, fig. 77 shows a flow for reproducing and executing the save data stored in the recording apparatus during the save data storing flow shown in fig. 73. In step S751, the content ID is read out as in the above-described corresponding procedure of fig. 72. Then, in step S752, the recording and reproducing apparatus id (iddev) stored in the memory of the recording and reproducing apparatus 300 is read out.

In step S753, the content ID, the recording and reproducing apparatus ID, and the recording and reproducing apparatus localization yes/no set by the user in step S742 are read out from the data management file (see fig. 76). If any entry in the data management file having the same content ID localizes the recording and reproducing device to yes, the processing ends if the table entry has a different recording and reproducing device ID from that read out in step S752.

If it is determined in step S754 that the data management file localizes the recording and reproducing apparatus to "YES", the process proceeds to step S755. If the data management file localizes the recording and reproducing apparatus to "no", the processing proceeds to step S758.

In step S755, the recording and reproducing apparatus signature key Kdev is read out from the internal memory 307 of the recording and reproducing apparatus 300 and used as the held data decryption key Ksav, or the held data encryption key Ksav is generated from the recording and reproducing apparatus signature key Kdev. Such a decryption key generation process uses a processing algorithm corresponding to the encryption key generation process, i.e., a decryption key generation algorithm that can decrypt data encrypted according to a certain recording and reproducing apparatus unique key with a decryption key generated according to the same recording and reproducing apparatus unique key. In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data decryption key Ksav.

On the other hand, the system common key such as the system signing key Ksys stored in the recording and reproducing apparatus 300 is read out from the internal memory 307 of the recording and reproducing apparatus 300 and used as the held data decryption key Ksav in step S758, or the held data decryption key Ksav is generated from the system signing key. In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data decryption key Ksav. The processing in the subsequent steps S756 to 757 is similar to the processing in the corresponding steps in the above-described stored data reproduction flow, and the description thereof is omitted.

According to the save data storage and reproduction procedures shown in fig. 75 and 77, save data for which the recording and reproduction apparatus is localized to "yes" is encrypted with the recording and reproduction apparatus unique key. These saved data can be decrypted and used only by a recording and reproducing apparatus having a key unique to the same recording and reproducing apparatus, i.e., the same recording and reproducing apparatus.

Fig. 78 and 79 show the flow for generating the encryption and decryption keys of the save data with the recording and reproducing device ID and storing and reproducing the save data.

In fig. 78, the recording and reproducing apparatus ID is used to encrypt the save data in the recording apparatus and store it. In step S764, the recording and reproducing apparatus id (iddev) read out from the recording and reproducing apparatus is used to generate the held data encryption key Ksav. The save data encryption key Ksav is obtained according to IDdev by, for example, using IDdev as the save data encryption key Ksav or using the master key MKx stored in the internal storage of the recording and reproducing apparatus 300, thereby obtaining the save data encryption key Ksav according to DES (MKx, IDdev). In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data decryption key Ksav.

Subsequent steps S765 to S768 are similar to the corresponding processing flow of fig. 75, and the description thereof is omitted.

Fig. 79 illustrates a procedure for reproducing and executing save data stored in the recording apparatus by the processing procedure of fig. 78. Steps S771 to 774 are similar to the corresponding processing procedures in fig. 77, and therefore their description is omitted.

In step S775, the recording and reproducing apparatus id (iddev) read out from the recording and reproducing apparatus is used to generate the saved data decryption key Ksav. The save data encryption key Ksav is obtained from IDdev by, for example, using IDdev as the key Ksav or using the master key MKx stored in the internal storage of the recording and reproducing apparatus 300, thereby obtaining the key Ksav according to DES (MKx, IDdev). Such a decryption key generation process uses a processing algorithm corresponding to the encryption key generation process, i.e., a decryption key generation algorithm that can decrypt data encrypted according to a certain recording and reproducing apparatus unique key with a decryption key generated according to the same recording and reproducing apparatus unique key. In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data decryption key Ksav.

The subsequent process steps S776 to S778 are similar to the corresponding process in fig. 76.

According to the stored data storing and reproducing flow shown in fig. 78 and 79, the stored data for which the recording and reproducing apparatus is localized to "yes" is encrypted and decrypted with the recording and reproducing apparatus unique key. These saved data can be decrypted and used only by a recording and reproducing apparatus having a key unique to the same recording and reproducing apparatus, i.e., the same recording and reproducing apparatus.

The save data storage and reproduction process performing the localization of the above-described programs and the localization of the recording and reproducing apparatus is described below with reference to fig. 80 to 82.

FIG. 80 shows a save data store flow. In step S781, the content ID is read from the content data, in step S782, it is determined whether program localization is set, and in step S783, it is determined whether recording and reproducing device localization is set.

If both the program localization and the recording and reproducing apparatus localization are set to "yes", the held data encryption key Ksav is generated from the content unique key (Kcon, for example) and the recording and reproducing apparatus unique key (Kdev) in step S785. The save data encryption key is generated, for example, from Ksav ═ (Kcon XORKdev) or by using the master key MKx stored in the memory of the recording and reproducing apparatus 300, so that the above-described key is obtained from Ksav ═ DES (MKx, Kcon XOR Kdev). In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data decryption key Ksav.

If the program localization is set to "yes" and the recording and reproducing apparatus localization is set to "no", the content unique key (e.g., Kcon) is used as the held data encryption key Ksav or the held data encryption key Ksav is generated from the content unique key (e.g., Kcon) in step S786.

If the program localization is set to "no" and the recording and reproducing apparatus localization is set to "yes", the recording and reproducing apparatus unique key (Kdev) is used as the held data encryption key Ksav, or the held data encryption key Ksav is generated from the recording and reproducing apparatus unique key (Kdev) in step S787. In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data decryption key Ksav.

If both the program localization and the recording and reproducing apparatus localization are set to "no", in step S787, a system common key such as the system signing key Ksys is used as the save data encryption key Ksav, or the save data encryption key Ksav is generated from the system signing key Ksys. In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data decryption key Ksav.

In step S789, the save data encryption key Ksav generated in one of steps S785 to S788 is used to decrypt the save data, which is then stored in the recording apparatus.

Further, in step S790, the localization set in steps S782 and S783 is stored in the data management file. The data management file is configured as shown in fig. 81, for example, and contains entries including a data number, a content ID, a recording and reproducing apparatus ID, program localization, and recording and reproducing apparatus localization.

Fig. 82A and 82B show a procedure for reproducing and executing save data stored in the recording device by the processing procedure of fig. 80. In step S791, the content ID and the recording and reproducing apparatus ID are read out from the execution program, and in step S792, the content ID, the recording and reproducing apparatus ID, the program localization, and the recording and reproducing apparatus localization are read out from the data management file. In this case, if the program localization is set to "yes" and the content ID is different, or if the recording and reproducing apparatus localization is set to "yes" and the recording and reproducing apparatus ID is different, the processing procedure ends.

Then, in steps S793, S794, and S795, the decryption key generation process is set to one of the four ways in steps 796 to S799, based on the data recorded in the data management file.

If both the program localization and the recording and reproducing apparatus localization are set to "yes", the held data encryption key Ksav is generated from the content unique key (Kcon, for example) and the recording and reproducing apparatus unique key (Kdev) in step S796. In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data decryption key Ksav. If the program localization is set to "yes" and the recording and reproducing apparatus localization is set to "no", the content unique key (e.g., Kcon) is used as the held data encryption key Ksav, or the held data encryption key Ksav is generated from the content unique key (e.g., Kcon) in step S797. In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data decryption key Ksav.

If the program localization is set to "no" and the recording and reproducing apparatus localization is set to "yes", the recording and reproducing apparatus unique key (Kdev) is used as the held data encryption key Ksav, or the held data encryption key Ksav is generated from the recording and reproducing apparatus unique key (Kdev) in step S798. In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data decryption key Ksav. If both the program localization and the recording and reproducing apparatus localization are set to "no", a system common key such as the system signing key Ksys is used as the save data encryption key Ksav in step S799, or the save data encryption key Ksav is generated from the system signing key Ksys. In addition, a different cryptographic translation key from the other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data decryption key Ksav.

These decryption key generation processes use a processing algorithm corresponding to the encryption key generation process, that is, a decryption key generation algorithm capable of decrypting data encrypted according to the same content unique key and recording and reproducing apparatus unique key with a decryption key generated according to the same content unique key and recording and reproducing apparatus unique key.

In step S800, a decryption process is performed with the save data encryption key Ksav generated in one of steps S796 to S799, and the decrypted save data is reproduced and executed in the recording and reproducing apparatus.

According to the stored data storing and reproducing flow shown in fig. 80 and 82, the stored data for which the program localization is set to "yes" is encrypted and decrypted with the content unique key, and therefore, these stored data can be decrypted and used only in the case of using the same content unique key. In addition, the save data for which the recording and reproducing apparatus is localized to yes is encrypted and decrypted with the recording and reproducing apparatus ID, and therefore, these save data can be decrypted and used only by the recording and reproducing apparatus having the same recording and reproducing apparatus ID, i.e., the same recording and reproducing apparatus. Therefore, the content and the recording and reproducing apparatus can be set localized so as to improve the confidentiality of the saved data.

Although fig. 80 and 82 show the configuration for generating the held data encryption key and the decryption key using the content unique key and the recording and reproducing apparatus unique key, the content unique key and the recording and reproducing apparatus ID may be used instead of the content unique key and the recording and reproducing apparatus unique key, respectively, to generate the held data encryption key and the decryption key based on these IDs.

The structure for generating encryption and decryption keys based on a password input by a user is described below with reference to fig. 83 to 85.

Fig. 83 shows a flow for generating encryption and decryption keys from a password input by a user and storing save data in the recording apparatus.

In step S821, the content ID is read out from the content data as in the above-described respective procedures. In step S822, the user determines whether program localization is set. The data management file set in such a structure has, for example, a structure shown in fig. 84.

As shown in fig. 84, the data includes a data number, a content ID, a recording and reproducing apparatus ID, and program localization set by the user. "program localization of user settings" is an entry that judges whether or not the use of a program is limited to a specific user.

If the localization is set to "yes" in step S822 of the flow of FIG. 83, the user password is input in step S823. The password is entered from an input device such as the keyboard shown in fig. 2.

The input password is output to the password translation processing section 302 under the control of the main CPU106 and the control section 301, and the processing procedure in step S824 is executed, that is, the save data encryption key Ksav is generated in accordance with the input user password. The save data encryption key Ksav may be generated by, for example, setting the password itself as the key Ksav or using the master key MKx of the recording and reproducing apparatus, so as to generate the key Ksav from the save data encryption key Ksav ═ DE (MKx, password). In addition, a one-way function may be applied using a password as an input, so that an encryption key may be generated from an output from the function.

If the user localization is set to "no" in step S822, a save data encryption key is generated from the system common key of the recording and reproducing apparatus 300 in step S828.

In step S825, the save data is encrypted with the save data encryption key Ksav generated in steps S824 to S828, and in step S826, the encrypted save data is stored into the recording apparatus.

In step S827, the user is programmed to localize the data management file to be written to fig. 84 in step S822 so as to be associated with the content ID, the recording and reproducing apparatus ID.

Fig. 85 shows a procedure for reproducing the save data stored by the processing procedure of fig. 83. In step S831, the content ID is read out from the content data, and in step S832, the content ID, the recording and reproducing apparatus ID, and the program localization set by the user are read out from the data management file of fig. 84.

In step S833, a determination is made based on the data in the data management file. If "program localization set by user" is set to "yes", the user is prompted to enter a password in step S834, and a decryption key is generated from the entered password in step S835. Such a decryption key generation process uses a processing algorithm corresponding to the encryption key generation process, that is, a decryption key generation algorithm capable of decrypting data encrypted according to the same password with a decryption key generated according to the same password is used.

If it is judged in step S833 that the program localization set by the user is set to "no", the system common key stored in the internal memory of the recording and reproducing apparatus 300 is used to generate the save data decryption key Ksav by using the system signing key Ksys in step S837. In addition, an encryption key different from other keys that have been separately saved to the internal memory 307 of the recording and reproducing apparatus 300 may be used as the saved data encryption key Ksav.

In step S836, the decryption key Ksav generated in step S835 or S839 is used to decrypt the save data stored in the recording apparatus, and in step S836, the recording and reproducing apparatus reproduces and executes the save data.

According to the save data storage and reproduction flow shown in fig. 83 and 85, the save data for which "program localization set by user" is selected as "yes" is encrypted and decrypted with a key in accordance with the password input by the user, and therefore, these save data can be decrypted and used only in the case where the same password is input, thereby improving the confidentiality of the save data.

Several aspects of the save data storage and reproduction process have been described, but a process obtained by combining the above-described processes, for example, aspects of generating save data encryption and decryption keys using passwords, recording and reproduction device IDs, content IDs, and the like, may also be implemented.

(17) Structure for eliminating (revoking) illegal device

As described earlier, the data processing apparatus of the present invention improves the confidentiality of provided content and makes such content available only to valid users, with a structure in which the recording and reproducing apparatus 300 performs processing such as authentication and encryption on a variety of content data provided by the medium 500 (see fig. 3) or the communication device 600 and then stores the data into the recording apparatus.

As seen from the above description, the input content is authenticated, encrypted, and decrypted with various signature keys, master keys, and integrity check value generation keys (see fig. 8) stored in the internal memory 307 of the crypto-translation processing section 302 of the recording and reproducing apparatus 300. The internal memory 307 storing the key information is optimally characterized in that it is protected from external illegal reading because it comprises a semiconductor chip that can be substantially denied external access and has a multilayer structure, an internal memory between dummy layers made of aluminum or the like or disposed on the lowest layer, and a narrow range of operating voltages and/or frequencies. However, if key data or the like is to be read out from the internal memory and copied to an unauthorized recording and reproducing apparatus, the copied key information can be used to uselessly use the content.

The following describes a configuration for preventing invalid use of content based on invalid copying of a key.

Fig. 86 is a block diagram for explaining "(17) a structure for eliminating (revoking) an illegal device". The recording and reproducing device 300 is similar to the recording and reproducing device shown in fig. 2 and 3 described above, and has an internal memory and the aforementioned various key data (see fig. 18) and a recording and reproducing device ID. Here, the recording and reproducing apparatus ID, the key data, or the like copied by the third party is not necessarily stored in the internal memory 307, but the key data in the recording and reproducing apparatus 300 shown in fig. 86 is stored in a collective manner or a distributed manner in a storage section accessible to the password translation processing section 302 (see fig. 2 and 3).

In order to realize a structure for excluding invalid devices, a list of invalid recording and reproducing device IDs is stored in the header part of the content data. As shown in fig. 86, the content data holds a revocation list serving as a list of invalid recording and reproducing apparatus ids (iddev). Again, the list integrity check value ICVrev is used to undo tampering with the list. The list of invalid recording and reproducing apparatuses id (iddev) contains the identifier IDvev of the invalid recording and reproducing apparatus determined by the content provider or manager according to the distribution state of the invalid copies or the like. The revocation list may be encrypted prior to storage with the issuance key Kdis. The decryption process performed by the recording and reproducing apparatus is similar to that of the content download process in fig. 22, for example.

Here, for better understanding, the revocation list is shown as a single data in the content data of fig. 86, but the revocation list may be contained, for example, within the aforementioned usage policy (see, for example, fig. 32 to 35) which is a component of the header part contained in the content. In this case, the integrity check value ICVa is used to check tampering with the usage policy data containing the revocation list. If the revocation list is contained within the usage policy, the integrity check value A: ICVa is used for the above check and the integrity check value a in the recording and reproducing apparatus is used to generate the key Kicva, thereby eliminating the need to store the integrity check value generation key Kicv-rev.

If the revocation list is included as independent data in the content data, the revocation list is checked with a list integrity check value ICVrev to check the revocation list for tampering, and an intermediate integrity check value is generated from the list integrity check value ICVrev and other partial integrity check values in the content data and used to perform a verification process.

The method for checking revocation lists with the list integrity check value ICVrev to check for tampering of revocation lists is similar to the process used to generate integrity check values such as ICVa or ICVb as described in fig. 23 and 24. That is, the ICV calculation method shown in fig. 23 and 24 and others is performed in the case where the integrity check value generation key Kicv-rev stored in the internal storage 307 of the recording and reproducing device password translation processing portion 302 is used as a key and the revocation list contained in the data is used as a message. The calculated integrity check value Kicv-rev' is compared with the check value integrity check value Kicv-rev stored in the header, and if they are equal, it is determined that the list has not been tampered with.

The content integrity check value is increased according to the format shown in fig. 25, for example, by using the integrity check value generation key Kicvt stored in the internal storage 307 of the recording and reproducing device cryptographic translation processing section 302 as a key and applying the ICV calculation method shown in fig. 7 and other figures to a message string containing the list integrity check value ICVrev, which includes the integrity check values a and B and the list integrity check value ICVrev in the verified header, thereby generating an intermediate integrity check value containing the list integrity check value ICVrev.

The revocation list and the list integrity check value are provided to the recording and reproducing apparatus 300 through the medium 500 such as a DVD or a CD or the communication device 600 or the recording apparatus 400 such as a memory card. In this case, the recording and reproducing apparatus 300 holds the ID in the valid key content or in the illegal copy.

Fig. 87 and 88 show the flow of procedures for excluding an invalid recording and reproducing apparatus in the present configuration. Fig. 87 shows a flow of a procedure for excluding (revoking) an invalid recording and reproducing device in the case where content is provided through the medium 500 such as a DVD or CD or the communication apparatus 600, and fig. 88 shows a flow of a procedure for excluding (revoking) an invalid recording and reproducing device in the case where content is provided through the recording device 400 such as a memory card.

The flow in fig. 87 is explained first. In step S901, a medium is installed and a content is requested, i.e., a reproduction or download process is requested. The process shown in fig. 87 corresponds to, for example, a step before a medium such as a DVD or the like is mounted to the recording apparatus, and the mounting process is followed by a download process. The download process is as described with reference to fig. 22 and is performed as a step before the flow of fig. 22 or as a process inserted into this flow.

If the recording and reproducing apparatus 300 receives the content through a communication means such as a network, a communication session with the content distribution service party is formed in step S911, and then the processing proceeds to step S902.

In step S902, a revocation list is obtained from the header of the content data (see fig. 86). In this list acquisition process, if a content exists in the medium, the control section 301 shown in fig. 3 reads out the content from the medium through the reading section 304. If the content is acquired from the control unit, the communication device 301 shown in fig. 3 receives the content from the content distribution unit through the communication unit 305.

In step S903, the control part 301 passes the revocation list obtained from the medium 500 or the communication apparatus 600 to the password translation processing part 302, and then the password translation processing part 302 executes the check value generation process. The recording and reproducing apparatus 300 internally has the revocation integrity check value generation key Kicv-rev, calculates the integrity check value Kicv-rev' using the received revocation list as a message by applying the integrity check value generation key Kicv-rev according to the ICV calculation method described in fig. 23 and 24, and compares the calculation result with the integrity check value ICV-rev stored in the header to judge that the list has not been tampered with if they are equal (yes in step S904). If the values are not equal, the recording and reproducing apparatus judges that the list has been tampered with, and the process proceeds to step S909 to indicate a process error, thereby ending the process.

In step S905, the control section 306 of the recording and reproducing device password translation processing section 302 causes the encryption/decryption section 308 of the recording and reproducing device password translation processing section 302 to calculate the global integrity check value ICVt'. As shown in fig. 25, the overall integrity check value ICVt is generated by using the system signature key Ksys stored in the internal storage 307 of the recording and reproducing device crypto-interpretation processing section 302 as a key so as to encrypt the intermediate integrity check value according to DES. The flow shown in fig. 87 omits the verification process with the respective partial integrity check values such as ICVa or ICVb, but the verification process with these partial check values may be performed as in the flows shown in fig. 39 to 45 according to the data format.

Then, in step S906, the generated integrity check value ICVt' and the integrity check value ICVt in the header are compared, and if they are equal (yes in step S906), the process proceeds to step S907. If these values are not equal, the recording and reproducing apparatus can judge that the list has been tampered with, and the processing proceeds to step S909 to indicate that the process is erroneous, thereby ending the processing.

As described above, the integrity check value ICVt is used to check all partial integrity check values, such as ICVa and ICVb, included in the contents data and the integrity check value for the corresponding contents block depending on the data format. However, in this case, the list integrity check value ICVrev for checking the falsification of the revocation list is added to the partial integrity check values, and the falsification of all these integrity check values is checked. If the integrity check value is equal to the integrity check value ICVt stored in the header, it can be judged that neither ICVa nor ICVb, the content block integrity check value, or the list integrity check value ICVrev has been tampered.

In step S907, the revocation list that has been judged to be falsified is compared with the recording and reproducing apparatus id (iddev) stored in the recording and reproducing apparatus 300.

If the list of invalid recording and reproducing apparatus IDs IDdev read out from the content data contains the identifier IDdev of the recording and reproducing apparatus, it can be determined that the recording and reproducing apparatus 300 has illegally copied key data. Then, the processing proceeds to step S909 to interrupt the subsequent processes. For example, the execution of the process such as the content download process in fig. 22 is not effective.

In step S907, if it is judged that the list of invalid recording and reproducing apparatus IDs IDdev does not contain the identifier IDdev of the recording and reproducing apparatus, it can be judged that the recording and reproducing apparatus 300 has valid key data. The process proceeds to step S908 to validate the subsequent process such as the program execution process or the content download process in fig. 22 or other figures.

Fig. 88 shows reproduction of content data stored in a recording apparatus 400 such as a memory card. As described previously, the recording apparatus 40 such as the memory card and the recording and reproducing apparatus 300 perform the mutual authentication process shown in fig. 20 (step S921). If the mutual authentication is successful in step S922, the process proceeds to step S923 and subsequent processes, and if the mutual authentication fails, an error occurs in step S930 to prevent the subsequent processes from being performed.

In step S923, a revocation list is obtained from the header of the content data (see fig. 86). The processing procedures in subsequent steps S924 to S930 are similar to those in fig. 87. That is, the above list is verified with the list integrity check values (S924 and S9257) and with the overall integrity check values (S926 and S927), and, the list entry is compared with the recording and reproducing apparatus ID IDdev (S928) — if the list of invalid recording and reproducing apparatus iddevs contains the identifier IDdev of the recording and reproducing apparatus, it can be determined that the recording and reproducing device 300 has an illegal copy of the key data, then, the process proceeds to step S930, in order to interrupt subsequent processes, for example, the execution of the processes such as the content download process in fig. 22 is ineffective, on the other hand, if it is judged that the list of invalid recording and reproducing apparatus IDs IDdev does not contain the identifier IDdev of the recording and reproducing apparatus, it can be determined that the recording and reproducing device 300 has valid key data and the process proceeds to step S929 to validate the subsequent process.

As described earlier, according to the content processing apparatus of the present invention, data identifying an invalid recording and reproducing apparatus, i.e., a revocation list containing an identifier IDdev of the invalid recording and reproducing apparatus, is contained in content provided by a content provider or management as component data of a header part of the content data. Before using the content in the recording and reproducing apparatus, the user of the recording and reproducing apparatus compares the recording and reproducing apparatus ID IDdev stored in the memory of the recording and reproducing apparatus with the IDs in the list and blocks the subsequent processing in the case where matching data is found. Accordingly, an invalid recording and reproducing apparatus that stores copy key data in its memory can be prevented from using content.

(18) Method for configuring and producing a security chip

As described above, the internal memory 307 of the recording and reproducing device password translation processing section 302 or the internal memory 405 of the recording device 400 holds important information such as a password translation key, and thus needs to be constructed so as to be able to reject external invalid reading. Therefore, the recording and reproducing device password interpretation processing section 302 and the recording device password interpretation processing section 401 are configured as a tamper-proof memory, which is characterized by preventing external illegal reading because it includes, for example, a semiconductor chip that can substantially deny external access and has a multilayer structure, an internal memory between dummy layers made of aluminum or the like or provided on the lowest layer, and an operating voltage and/or frequency in a narrow range.

However, as can be seen from the above description, data that varies with the recording and reproducing device, such as the recording and reproducing device signature key Kdev, must be written to the internal memory 307 of the recording and reproducing device password translation processing section 302. Further, after individual information such as identification Information (ID) and encryption key information for each chip has been written to a nonvolatile storage area of the chip such as a block erase memory or an FeRAM, for example, after shipment, rewriting data or reading data must be made difficult.

Common methods for making data reading and rewriting difficult include, for example, making the data write command protocol secret or separating a signal line used on a chip after completion of production for receiving a data write command from a communication signal line, and therefore, the data write command is invalid unless a signal is directly transmitted to the chip on the base layer.

However, with this general method, a person having knowledge of the technology of the memory section can output a signal to the data writing area of the chip with a tool and a technology for driving the circuit, and there is always a possibility that the protocol can be analyzed even if the data writing command protocol is confidential.

The entire cryptographic handling system may be compromised by issuing a component for storing cryptographic handling data that enables the secret data to be modified. Furthermore, to prevent data from being read out, implementation of a data read command may be avoided. However, even if legitimate data writing is performed, it is not possible to determine whether written data has been written accurately, resulting in providing a chip in which inappropriate data has been written.

In view of these general techniques, the present invention provides a security chip structure that enables data to be accurately written to a nonvolatile memory such as a block-erase memory or an FeRAM while preventing data from being read out therefrom, and a method for manufacturing the same.

Fig. 89 shows a security chip applicable to, for example, the above-described recording and reproducing device password translation processing section 302 or the password translation processing section 401 of the recording device 400. Fig. 89(a) shows a security chip structure in the form during chip manufacturing, that is, during data writing, and fig. 89(B) shows an example of a structure of a product such as the recording and reproducing device 300 or the recording device 400 having a security chip mounted in the above product and having data written therein.

In the manufacturing process, the processing portion 8001 of the security chip has a mode designation signal line 8003 and a plurality of types of command signal lines 8004 connected thereto, and writes or reads data to or from the storage portion 8002 depending on whether the chip is in a data write mode or a data read mode, for example, and the storage portion 8002 includes a nonvolatile memory.

On the other hand, in the product in which the security chip is mounted in fig. 89(B), the security chip is connected to an interface, a peripheral device, and other components connected from the outside through a general-purpose signal line, and the mode signal line 8003 is not connected. Specific processing procedures for the mode signal lines 8003 include grounding the signal lines 8003, increasing the voltage on these signal lines to Vcc, cutting these signal lines, sealing these signal lines with insulating resin, and the like. This process can prevent access to the mode signal line in the security chip after shipment, thereby preventing data from being read out from the chip or data from being written to the chip externally.

Further, the security chip 8000 having such a configuration can prevent data from being written to the storage portion 8002 and read out written data from the storage portion, and thus can prevent invalid data from being written or read out even if a third party successfully accesses the mode signal line 8003. Fig. 90 shows a flow of writing data to or reading data from the security chip of the above-described structure.

In step S951, the mode signal line 8003 is set for a data write or read mode.

In step S952, authentication information is read out from the chip. The security chip of such a structure stores information such as a password required for an authentication process and key information for the authentication process of the crypt translation technique, for example, by a continuous or mask ROM structure. In step S952, the authentication information is read to perform an authentication process. For example, if a general data writing device and a data reading device are connected to a common signal line to perform the authentication process, the authentication process is successful (yes in step S953). However, if the invalid data writing means and data reading means are connected to the common signal line to perform the authentication process, the authentication process fails (no in step S953), and the processing is stopped. For example, the authentication process may be performed in accordance with the mutual authentication processing described previously with respect to fig. 13. The processing portion 8001 shown in fig. 89(a) has such a structure that it can perform such a discrimination process. This can be realized, for example, with a similar configuration to the command register included in the control section 407 of the password translation processing section 401 shown in fig. 29 previously. For example, the processing section of the chip of fig. 89(a) has a similar structure to the command register included in the control section 407 of the password translation processing section 401 of the recording apparatus 400 shown previously in fig. 29 and performs an appropriate processing procedure so that the authentication process sequence is executed in response to a predetermined command input from the apparatus connected to the plurality of command signal lines 8004.

If the authentication process is successful, the processing section 8001 accepts a data write or read command to perform data write (step S955) or read (step S956) processing.

As described above, the security chip of this structure is configured to perform an authentication process for data writing or reading, thereby preventing an unauthorized third party from reading data from or writing data into the memory portion of the security chip.

FIG. 91 illustrates one embodiment of a security component structure. In this example, the storage portion 8200 of the security chip is divided into two regions: one is a read-write (RW) area 8201 in which data can be written and read out, and the other is a write-only (WO) area 8202 in which data can only be written.

In this configuration, the cryptographic translation key data, ID data, and other data that require high confidentiality are written to the write-only (WO) area 8202, and the integrity check value and other data that do not require such high confidentiality are written to the read-write (RW) area 8201.

As a process of reading out data from the read-write (RW) area 8201, the processing section 8001 performs a data reading process including the authentication process described in fig. 90. However, the data writing process is performed after the flow of fig. 92.

In step S961 of fig. 92, the mode setting signal line 8003 is written, and in step S962, the discrimination process similar to that described above with reference to fig. 90 is executed. When the authentication process is successful, the processing proceeds to step S963, so that a command for writing information requiring high confidentiality such as key data into the write-only (WO) area 8202 is output to the processing section 8001 through the command signal line 8004, while check data or other data not requiring such high confidentiality is written into the read-write (RW) area 8201.

In step S964, upon receiving the command, processing unit 8001 executes a data write process to Write Only (WO) area 8202 or read/write (RO) area 8201 in accordance with the command.

Further, fig. 93 shows a flow for verifying data written to the Write Only (WO) area 8202.

In step S971 of fig. 93, processing unit 8001 causes a write-only (WO) area to execute a cryptographic translation process according to the written data. Similar to the authentication process execution structure described above, the present execution structure is realized by a structure that sequentially executes a sequence of cryptographic translation processes stored in a command register. Note that the cipher translation processing algorithm executed in the processing unit 8001 is not particularly limited, and for example, the DES algorithm may be executed.

In step S972, the authentication device connected to the security chip receives the result of the password translation process from the processing unit 8001. In step S973, the result of application of the cipher translation process similar to the algorithm executed by processing unit 8001 on the legitimate write data written to the storage unit in step S973 is compared with the result of encryption from processing unit 8001.

If the results of the comparison are the same, it is verified that the data written to the write-only (WO) area 8202 is correct.

With this structure, if the authentication process should be interpreted as executing a read command, data can be read out only from the read-write (RW) area 8201, and at the same time, data written to the write-only (WO) area 8202 cannot be read out, so that this structure can provide high confidentiality. Further, unlike a chip which prevents data reading, the present chip includes a read-write (RW) area 8201 so as to surely access a memory.

The invention has been described with reference to specific embodiments. It will be apparent, however, to one skilled in the art that modifications and alternatives to the present invention can be made without departing from the spirit of the invention. That is, the present invention has been disclosed for illustrative purposes only, and should not be construed in a limiting sense. Further, in the above-described embodiments, the recording and reproducing device capable of recording and reproducing content has been described by way of example. However, the structure of the present invention is applicable to an apparatus capable of recording or reproducing only data, and the present invention can be implemented in a personal computer, a game apparatus, and other various data processing apparatuses as a whole. For determining the gist of the present invention, reference should be made to the claims of the present application.

Industrial applicability

The present invention is applicable to an apparatus and a system capable of reproducing a variety of contents such as sounds, images, games, and programs, which are obtained through a storage medium such as DVDs and CDs or through a variety of wired and wireless communications such as CATV, the internet, and satellite communications, and storing the contents into a specific recording apparatus such as a memory card, a hard disk, and a CD-R during recording and reproduction, and at the same time, capable of providing confidentiality in which the contents are provided with intended use restrictions with respect to use of the contents stored in the recording apparatus, and preventing illegal use of the provided contents by a third party other than a legitimate user.

Description of the reference symbols

106. Main CPU 500 and medium

107. RAM 600 and communication device

108. ROM 2101, 2102, 2103, recording and reproducing apparatus

109. AV processor 2104, 2105, 2106, and recording apparatus

110. Input processing unit 2901 and command number management unit

111. PIO 2902 and command register

112. SIO 2903, 2904, authentication mark

300. Recording and reproducing device 3001, speaker

301. Control unit 3002 and monitor

302. Cryptographic translation processing unit 3090 and memory

303. Recording device controller 3091, content analysis unit

304. Reading unit 3092 and data storage unit

305. Communication unit 3093 and program storage unit

306. Control unit 3094 and compression/decompression processing unit

307. Internal memory 7701, content data

308. Encryption/decryption unit 7702, revocation list

401. Cryptographic translation processing section 7703, list check value

402. External memory 8000, secret chip

403. Control unit 8001 and processing unit

404. Communication unit 8002 and storage unit

405. Internal memory 8003, mode signal line

406. Encryption/decryption unit 8004, and command signal line

407. External memory control unit 8201 and read/write area

8202. Write-only area

Claims (15)

1. A data recording/reproducing player capable of performing reproduction of a program content, comprising:

a recording means for recording saved data of the program contents;

an encryption processing unit that performs encryption processing on save data to be stored to the recording apparatus and decryption processing on save data to be reproduced retrieved from the recording apparatus;

input means for inputting the use restriction information and the type information so as to perform encryption and decryption processes corresponding to each of the different data formats on the save data; and

a control unit for determining an encryption processing method or a decryption processing method of the stored data;

wherein the control unit includes means for determining an encryption processing method of save data to be stored to the recording apparatus in accordance with the usage restriction information and the type information input from the input means, and determining a method of decryption processing of save data to be reproduced retrieved from the recording apparatus, based on the usage restriction information and the type information of save data set in a data management file stored in a memory or a recording apparatus accessible by the control unit; and

Wherein the encryption unit includes means for performing encryption processing or decryption processing on the save data using a different encryption key suitable for the encryption processing method or the decryption processing method determined by the control unit.

2. A data recording reproduction player according to claim 1, wherein said save data use restriction information is a program restriction which permits use of the save data under the condition that the content program is equivalent, and said management file is constructed as a table storing program restriction information based on the content program identifier; and

wherein when input usage restriction information from the input means or usage restriction information set in the data management file is input or set to restrict a program, the encryption processing unit performs encryption processing or decryption processing on save data using a save data encryption key of a program created from at least one of a dedicated encryption key of the content program and a dedicated encryption key of the content program or dedicated information; and

when input usage restriction information from the input device or usage restriction information set in the data management file is input or set to not restrict a program, the encryption processing unit performs encryption processing or decryption processing on save data using a system shared encryption key stored in the data recording and reproducing player or a system save data encryption key created from the encryption key shared by the system.

3. The data recording reproduction player of claim 2, wherein the private encryption key of the content program is a content key Kcon stored in a header portion of content data including the content program; and

the system shared encryption key is a system signature key Ksys commonly stored in a plurality of different data record reproduction players.

4. The data recording/reproducing player according to claim 1, wherein

The data use restriction information is a record reproduction player restriction allowing use of the saved data under a condition equivalent to a record reproduction player, and the data management file is constructed as a table storing restriction information on the record reproduction player derived from the content program identifier; and

wherein when input usage restriction information from the input means or usage restriction information set in the data management file is input or set to restrict the recording reproduction player, the encryption processing unit performs encryption processing or decryption processing on the save data with use of a special save data encryption key of the recording reproduction player created based on at least one of a special encryption key of the data recording reproduction player and a special encryption key or special information of the data recording reproduction player; and

When the usage restriction information input from the input means or the usage restriction information set in the data management file is input or set not to restrict the recording reproduction player, the encryption processing unit performs encryption processing or decryption processing on the save data using a system shared encryption key stored in the data recording reproduction player or a shared save data encryption key created from an encryption key shared by the system.

5. The data recording/reproducing player according to claim 4, wherein

The private encryption key of the data recording reproduction player is a private signature key Kdvv of the corresponding data recording reproduction player stored in the recording reproduction player; and

the system shared encryption key is a system signing key Ksys that is commonly stored in a plurality of data record reproduction players.

6. The data recording/reproducing player according to claim 1, wherein

The saved data use restriction information is a user restriction allowing use of the saved data under a condition equivalent to a user; and

the data management file is constructed as a table storing user restriction information derived from identifiers of content programs; and

Wherein when input use restriction information from the input device or use restriction information set in the data management file is input or set to restrict a user, the encryption processing unit performs encryption processing or decryption processing on save data with use of a user's private save data encryption key created from a password input from the input device or a user's private save data encryption key generated based on the password; and

when input usage restriction information from the input device or usage restriction information set in the data management file is input or set not to restrict the recording reproduction player, the encryption processing unit performs encryption processing or decryption processing on save data using a system shared encryption key stored in the recording reproduction player or a shared save data encryption key created from an encryption key shared by the system.

7. The data recording and reproducing player as claimed in claim 6, wherein

The system shared encryption key is a system signing key Ksys that is commonly stored in a plurality of data record reproduction players.

8. A saved data processing method in a data recording reproduction player capable of reproducing a program content, comprising:

An encryption processing mode determining step of determining an encryption processing mode for storing the save data to the recording apparatus based on the input use restriction information and the type information from the input means; and

an encryption key selection step of selecting an encryption key to be applied to encryption processing in accordance with the encryption processing mode determined in the encryption processing mode determination step; and

wherein the encryption process is performed on the save data using the encryption key selected in the encryption key selection step.

9. The save data processing method as claimed in claim 8, wherein

The saved data use restriction information is program restriction that allows use of the saved data under a condition equivalent to a content program; and

when a program restriction is set, in the encryption key selection step, an encryption key to be applied to encryption processing is selected from a private encryption key of the content program or a program-specific stored data encryption key generated based on at least one of the private encryption key of the content program or the private information; and

when the program restriction is not set, an encryption key to be applied to the encryption process is selected from a system shared encryption key stored in the data recording/reproducing player or a shared data encryption key generated based on the system shared encryption key.

10. The save data processing method as claimed in claim 8, wherein

The save data use restriction information is a record reproduction player restriction that allows a record reproduction player to use save data under a condition equivalent to the data record reproduction player; and

when the record reproduction player restriction is set, in the encryption key selection step, an encryption key to be applied to the encryption process is selected from a private encryption key of the data reproduction player or a private held data encryption key of the record reproduction player generated based on at least one of the private encryption key of the data record reproduction player or the private information; and

when the record reproduction player restriction is not set, an encryption key is selected from a system shared encryption key stored in the record reproduction player or a shared save data encryption key generated from the system shared encryption key as a key to be applied to encryption processing.

11. The save data processing method as claimed in claim 8,

the saved data use restriction information is a user restriction allowing use of the saved data under a condition equivalent to a user; and

when user restriction is set, in the encryption key selection step, an encryption key to be applied to encryption processing is selected from a password input by a user or a user-specific stored data encryption key generated from the password; and

When the record/reproduction player restriction is not set, an encryption key to be applied to encryption processing is selected from a system shared encryption key stored in the record/reproduction player or a shared save data encryption key generated from the system shared encryption key.

12. A save data processing method in a data recording reproduction player capable of reproducing a content program, comprising:

a decryption processing mode determining step of determining a decryption mode for reproducing the saved data retrieved from the recording apparatus, based on the usage restriction information and the type information set in the data management file stored in the memory apparatus or the recording apparatus; and

a decryption key selection step of selecting a decryption key in accordance with the decryption mode determined at the decryption processing mode determination step; and

wherein the decryption process is performed on the save data using the decryption key selected in the decryption key selection step.

13. The save data processing method as claimed in claim 12, wherein

The saved data use restriction information is program restriction that allows use of the saved data under a condition equivalent to a content program; and

when program restriction is set, in the decryption key selection step, a decryption key to be applied to decryption processing is selected from a private encryption key of the content program or a private stored data decryption key of the program generated based on at least one of the private encryption key of the content program or private information; and

When the program restriction is not set, a decryption key to be applied to decryption processing is selected from a system shared encryption key stored in the recording/reproducing player or a shared save data encryption key generated based on the system shared encryption key.

14. The save data processing method as claimed in claim 12, wherein

The saved data use restriction information is a record reproduction player restriction that allows use of saved data under a condition equivalent to a data record reproduction player; and

when the recording/reproducing player restriction is set, in the decryption key selection step, a decryption key to be applied to the decryption process is selected from a private encryption key of the data reproducing player or a private held data decryption key of the recording/reproducing player generated based on at least one of the private encryption key of the data recording/reproducing player or the private information; and

when the record/reproduction player restriction is not set, a decryption key to be applied to decryption processing is selected from a system shared encryption key stored in the record/reproduction player or a shared save data decryption key generated from the system shared encryption key.

15. The save data processing method as claimed in claim 12, wherein

The saved data use restriction information is user restriction allowing use of the saved data under the condition that the user is equivalent; and

when user restriction is set, in the decryption key selection step, a decryption key to be applied to decryption processing is selected from a password input by a user or a user-specific stored data decryption key generated from the password; and

when the record reproduction player restriction is not set, a decryption key to be applied to decryption processing is selected from a system shared encryption key stored in the data record reproduction player or a shared save data decryption key generated from the system shared encryption key.