US20060185022A1 - Authoring system, authoring key generator, authoring device, authoring method, and data supply device, information terminal and information distribution method - Google Patents

Abstract

An authoring system which authors content data to be distributed through an information terminal by encryption for copyright protection includes an authoring device and an authoring key generator. The authoring key generator generates a content identifier (CID) uniquely allocated to each of the content data (Content), an authoring key enabling key (CEK) uniquely allocated to the authoring device, and an authoring key (CED) obtained by encrypting a content key (Kc) for encrypting the content data and a second content key (EKc) using the CID and the CEK. The second content key (Ekc) is formed by encrypting the content key (Kc) using a root key (Kroot). The authoring device has a unit which decrypts the content key (Kc) and the second content key (Ekc) using the CID and the CEK, and a unit which encrypts the content data using the decrypted content key (Kc) to generate authored encrypted content data (E (Kc, Content)). For proper external authentication, a device which supplies the content data from an information terminal to a storage medium includes a unit which holds a first external authentication key securely; a unit which generates random numbers; a unit which encrypts the random numbers using the first external authentication key to generate first encrypted data; a unit which sends the random numbers to the information terminal; a unit which receives, from the information terminal, second encrypted data obtained by encrypting the random numbers using a second external authentication key equal to the first one; and a unit which compares the first and second encrypted data.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
• The present application is a divisional of application Ser. No. 10/223,798, filed Aug. 20, 2002, and claims priority from Japanese Application No. 2001-251588 filed Aug. 22, 2001, the disclosures of which are hereby incorporated by reference herein.
BACKGROUND OF THE INVENTION
• The present invention relates to an information distribution system which securely distributes contents such as music, and particularly relates to an authoring system which authors, by encryption for copyright protection, content data to be distributed through a computer program and a storage medium, an authoring key generator which generates a key for authoring, an authoring device which encrypts content data to author it, and an authoring method therefor, and also to a data supply device, information terminal and information distribution method which enable content data to be securely downloaded onto a storage medium such as a memory stick.
• In recent years, with the spread of information networks such as the Internet, there have been suggested methods for the construction of an information distribution system which distributes various types of information such as music data, image data (still and animated), and game programs (hereinafter, such information is collectively called “content”) through a network to users. To realize such an information distribution system, it is a prerequisite to guarantee the protection of the copyright in each content. In other words, there is always the risk of large volumes of digital content data being copied. For this reason, several copyright protection techniques for preventing illegal copies of contents have been developed.
• Generally, it is said that two encryption stages are necessary in order to prevent a content for distribution from being illegally copied. The first encryption stage is a stage in which, in order to protect the content from illegal copying in the course of its distribution, the content is encrypted during authoring. The second encryption stage is a stage in which, when a user writes the content into his or her storage device through an information terminal such as a kiosk terminal, it is encrypted to prevent later illegal copying.
• Regarding these stages, in a conventional content distribution service, the encryption method for authoring is different from that for writing. Therefore, when writing the content into the user's storage device, the content must first be decrypted and again encrypted. This is time consuming. Here, another disadvantage is that the problem of security arises because the content decrypted during writing is temporarily raw data.
• Further, in conventional information distribution systems, the content writing module does not have the function of license authentication, so the content is vulnerable in a situation where the module is stolen. Namely, it is possible to make digital copies of large volumes of content data from a stolen writing module.
• Another problem of conventional information distribution systems is that protection of the authoring process is less effective and anyone who manages to obtain a copy of the specification for the authoring process can do authoring of the content.
• Further, in conventional information distribution systems, if the content is music data, even when the user is an authorized user and going to move it into another medium after downloading it into his/her storage device, he/she cannot move it without sound quality deterioration.
• Besides, in conventional information distribution systems, if the content is music data, only music and its title can be recorded into an MD or other medium; so-called fringe data such as jacket pictures and song lyrics cannot be recorded therein and the user has to print out the fringe data on a printer.
SUMMARY OF THE INVENTION
• In order to solve the above problems inherent to conventional information distribution systems, according to one aspect of the present invention, an authoring system authors content data (Content) to be distributed through an information terminal by encrypting it for copyright protection. This authoring system includes an authoring key generator and an authoring device.
• The authoring key generator generates a content identifier (CID) uniquely allocated to each of the content data (Content); an authoring key enabling key (CEK) uniquely allocated to the authoring device for authoring the content data (Content); and an authoring key (CED) obtained by encrypting a content key (Kc) and a second content key (EKc) using the content identifier (CID) and the authoring key enabling key (CEK), the content key (Kc) being for encrypting the content data (Content) and the second content key (EKc) being obtained by encrypting the content key using a root key (Kroot).
• The authoring device has decrypting means for decrypting the content key (Kc) and the second content key (EKc) from the authoring key (CED) using the content identifier (CID) and the authoring key enabling key (CEK), and encrypting means for encrypting the content data (Content) using the decrypted content key (Kc) to generate encrypted content data (E (Kc, Content)).
• The authoring device may further have packaging means for bundling the encrypted content data (E (Kc, Content)), the content identifier (CID) and the second content key (EKc) as a package.
• In order to solve the above problems, according to another aspect of the present invention, an authoring key generator is provided for generating an authoring key for authoring content data (Content), the authoring key generator including means for generating a content identifier (CID) uniquely allocated to each of the content data (Content); means for generating an authoring key enabling key (CEK) uniquely allocated to an authoring device for authoring the content data (Content); and means for generating an authoring key (CED) by encrypting a content key (Kc) and a second content key (EKc) using the content identifier (CID) and the authoring key enabling key (CEK), the content key (Kc) being for encrypting the content data (Content), and the second content key (EKc) being obtained by encrypting the content key using a root key (Kroot).
• According to another aspect of the present invention, an authoring device for authoring content data (Content) includes content storing means for storing the content data (Content); key data storing means for storing key data, the key data including a content identifier (CID) uniquely allocated to each of the content data (Content), an authoring key enabling key (CEK) uniquely allocated to the authoring device; and an authoring key (CED) obtained by encrypting a content key (Kc) and a second content key (EKc) using the content identifier (CID) and the authoring key enabling key (CEK), the content key (Kc) being for encrypting the content data (Content), and the second content key (EKc) being obtained by encrypting the content key using a root key (Kroot); decrypting means for decrypting the content key (Kc) and the second content key (EKc) from the authoring key (CED) using the content identifier (CID) and the authoring key enabling key (CEK); and encrypting means for encrypting the content data (Content) using the decrypted content key (Kc) to generate encrypted content data (E (Kc, Content)).
• The authoring device may further include packaging means for bundling the encrypted content data (E (Kc, Content)), the content identifier (CID) and the second content key (EKC) as a package.
• Also, the packaging means may bundle fringe data for the content data (Content) together with the package.
• Alternatively, the authoring key (CED) may be encrypted by an authorized authoring key generator which is separate from the authoring device.
• In the authoring system, authoring key generator and authoring device, the content key (Kc) may be designed to be obtained from the second content key (EKc) and the root key (Kroot), and to enable decryption of the encrypted content data (E (Kc, Content)) and reproduction of the content data (Content) in a reproducing device holding the root key (Kroot) securely.
• The root key (Kroot) may be incorporated in a content enabling key (EKB) encrypted by a device key (Kdevice) associated with the reproducing device, and the authoring key (CED) may further include the encrypted content enabling key (EKB).
• Also, the authoring key (CED) may further include encrypted checksum data.
• Nullifying means for, upon updating of the authoring key (CED), nullifying the authoring key (CED) which has not been updated may be further provided.
• The content data (Content) to be distributed by the information distribution system according to the present invention may include main content data and additional data for the main content data.
• According to another aspect of the present invention, a method for authoring content data (Content) includes generating a content identifier (CID) uniquely allocated to each of the content data (Content); generating an authoring key enabling key (CEK) uniquely allocated to an authoring device for authoring the content data (Content); generating an authoring key (CED) by encrypting a content key (Kc) and a second content key (EKc) using the content identifier (CID) and the authoring key enabling key (CEK), the content key (Kc) being for encrypting the content data (Content), and the second content key (EKc) being obtained by encrypting the content key using a root key (Kroot); decrypting the content key (Kc) and the second content key (EKc) from the authoring key (CED) using the content identifier (CID) and the authoring key enabling key (CEK); and encrypting the content data (Content) using the decrypted content key (Kc) to generate encrypted content data (E (Kc, Content)).
• The authoring method may further include bundling the encrypted content data (E (Kc, Content)), the content identifier (CID) and the second content key (EKc) as a package.
• The root key (Kroot) may be incorporated in a content enabling key (EKB) encrypted by a device key (Kdevice) associated with a reproducing device capable of generating the content data (Content), and the authoring key (CED) may further include the encrypted content enabling key (EKB).
• The authoring key (CED) may further include encrypted checksum data.
• The authoring method may further include nullifying the authoring key (CED) if the authoring key (CED) is not updated during a step of updating the authoring key (CED).
• According to another aspect of the present invention, a data supply device for supplying content data stored in an information terminal to a given storage medium includes key holding means for holding a first external authentication key securely; random number generating means for generating random numbers; encrypting means for encrypting the random numbers using the first external authentication key to generate first encrypted data; sending means for sending the random numbers to the information terminal; receiving means for receiving second encrypted data, the second encrypted data being obtained by encrypting the random numbers using a second external authentication key equal to the first external authentication key; and comparing means for comparing the first encrypted data with the second encrypted data.
• The comparing means may enable the content data to be supplied to the given storage medium when the first encrypted data coincides with the second encrypted data.
• The second external authentication key may be previously stored in the information terminal and the second encrypted data may be formed in the information terminal.
• Alternatively, the information terminal may acquire the second external authentication key from a key control unit and the second encrypted data may be formed in the information terminal.
• In yet another alternative, the random numbers may be sent through the information terminal to a key control unit, and the second encrypted data may be obtained by encrypting the random numbers within the key control unit using the second external authentication key.
• According to another aspect of the present invention, an information terminal for storing content data to be distributed includes first encrypting means for controlling encryption of random numbers generated within a data supply device using a first external authentication key securely held within the data supply device to generate first encrypted data; second encrypting means for receiving the random numbers from the data supply device and for acquiring second encrypted data by encrypting the random numbers using a second external authentication key equal to the first external authentication key; and licensing means for permitting the data supply device to supply the content data to a given storage medium only when the first encrypted data coincides with the second encrypted data.
• The second encrypting means may store the second external authentication key in advance and generate the second encrypted data within the information terminal.
• The second encrypting means may obtain the second external authentication key from a key control unit and generate the second encrypted data within the information terminal.
• The second encrypting means may send the random numbers to a key control unit and acquire the second encrypted data from the key control unit.
• According to another aspect of the present invention, a data supply device includes recording means for recording content data recorded in an information terminal to a given storage medium; data record control means for controlling operation of the recording means; first authentication means for determining whether the content data has been generated by a legal authoring system; and second authentication means for performing a mutual check between the recording means and the data record control means, wherein the data record control means controls the recording means to record the content data to the given storage medium only when the content data has been generated by a legal authoring system and the mutual check is successful.
• The first authentication means may determine whether the content data has been generated by a legal authoring system by referring to a Message Authentication Code (MAC hereinafter) written in the content data by the legal authoring system.
• The second authentication means may transfer a content enabling key (EKB), obtained by encrypting a root key (Kroot) using a device key (Kdevice) of the legal authoring system, to the data record control means and the recording means; the data record control means may decrypt the root key (Kroot) using a device key (Kdevice) of the data record control means to obtain a first decrypted root key; and the recording means may decrypt the root key (Kroot) using a device key (Kdevice) of the recording means; wherein the mutual check is successful when the first decrypted root key coincides with the second decrypted root key.
• The data supply device may include reproduction control means for controlling reproduction of the content data in the given storage medium.
• The recording means may record plural content data to the given storage medium, and the reproduction control means may permit reproduction of the plural content data only after the plural content data has been recorded to the given storage medium.
• According to another aspect of the present invention, a method for supplying content data stored in an information terminal to a given storage medium includes generating random numbers; encrypting the random numbers using a securely held first external authentication key to generate first encrypted data; sending the random numbers to the information terminal; encrypting the random numbers using a second external authentication key equal to the first external authentication key; receiving the second encrypted data from the information terminal; and comparing the first encrypted data with the second encrypted data.
• The method may further include supplying the content data to the given storage medium when the first encrypted data coincides with the second encrypted data.
• The method may alternatively include storing the second external authentication key in the information terminal prior to the step of encrypting the random numbers within the information terminal.
• The method may further include supplying the second external authentication key from a key control unit to the information terminal prior to the step of encrypting the random numbers within the information terminal.
• The method may alternatively include sending the random numbers through the information terminal to a key control unit, and encrypting the random numbers within the key control unit using the second external authentication key.
• Further, according to another aspect of the present invention, an information supply method used in a data supply device having recording means for recording content data from an information terminal to a given storage medium and data record control means for controlling operation of the recording means includes determining whether the content data has been generated by a legal authoring system; performing a mutual check between the recording means and the data record control means; and recording the content data to the given storage medium only when the content data has ben generated by a legal authoring system and the mutual check is successful.
• The step of determining whether the content data has been generated by a legal authoring system may include referring to a MAC written in the content data by the legal authoring system.
• The second authentication step may include transferring a content enabling key (EKB), obtained by encrypting a root key (Kroot) using a device key (Kdevice) of the legal authoring system, to the data record control means and the recording means; decrypting the root key (Kroot) using a device key (Kdevice) of the data record control means to obtain a first decrypted root key; and decrypting the root key (Kroot) using a device key (Kdevice) of the recording means to obtain a second decrypted root key; wherein the mutual check is successful when the first decrypted root key coincides with the second decrypted root key.
• The data supply method may further include reproducing the content data in the given storage medium.
• The recording step may include recording plural content data to the given storage medium, and the reproducing step may include reproducing the plural content data only after the plural content data has been recorded to the given storage medium.
• Other and further objects, features and advantages of the invention will appear more fully from the following description.
BRIEF DESCRIPTION OF THE DRAWINGS
• FIG. 1 is a block diagram showing the configuration of aninformation distribution system100 according to an embodiment of the present invention;
• FIG. 2 is a block diagram showing the general structure of acontent holder120 in theinformation distribution system100;
• FIG. 3 is a block diagram showing the general structure of acontent aggregator200 in theinformation distribution system100;
• FIG. 4 is a block diagram showing the general structure of anauthoring studio300 in theinformation distribution system100;
• FIG. 5 is a block diagram showing the general structure of anauthoring part310 in theauthoring studio300;
• FIG. 6 is a block diagram roughly showing the relationship between anauthoring device316 and an authoringkey generator160 in an authoring system for theinformation distribution system100;
• FIG. 7 is a block diagram showing an example of an authoring system configuration in theinformation distribution system100;
• FIG. 8 is a block diagram showing the general structure of aninformation terminal400 in theinformation distribution system100;
• FIG. 9 is a block diagram showing the general structure of adata supply section420 in theinformation distribution system100;
• FIG. 10 is a block diagram showing the general structure of anexternal authentication section422 of thedata supply section420;
• FIG. 11 is a block diagram showing the general structure of aninternal authentication section424 of thedata supply section420;
• FIG. 12 is a block diagram showing an example of the system configuration of aninformation terminal400 in theinformation distribution system100;
• FIG. 13 is a block diagram showing an example of external authentication (local) in theinformation terminal400;
• FIG. 14 is a block diagram showing an example of external authentication (remote) in theinformation terminal400;
• FIG. 15 is a block diagram showing an example of external authentication (semi-local) in theinformation terminal400;
• FIG. 16 is a flowchart showing the authoring key generating process in theinformation distribution system100;
• FIG. 17A illustrates the authoring key generating process andFIG. 17B illustrates the process of obtaining a content key and a second content key from an authoring key in theinformation distribution system100;
• FIG. 18 is a flowchart showing the authoring process in theinformation distribution system100;
• FIG. 19 illustrates how encrypted content data (E (Kc, Content)) to be distributed, a content key as encrypted by a root key (Ekc), and a content enabling key (EKB) are mutually related in theinformation distribution system100;
• FIG. 20 is a flowchart showing the information distribution process in theinformation terminal400;
• FIG. 21 is a flowchart showing the content decrypting process in theinformation terminal400;
• FIG. 22 is a flowchart showing the package downloading process in theinformation terminal400;
• FIG. 23 is a flowchart showing the process of downloading plural packages collectively in theinformation terminal400; and
• FIG. 24 illustrates how content, once downloaded, is processed in theinformation terminal400.
DETAILED DESCRIPTION
• Preferred embodiments of the present invention as an information distribution system or the like will be described below, focusing on an information distribution system which distributes music data as content data. In the explanation given below and the accompanying drawings, components which have virtually equivalent functions will be designated with the same reference numerals and duplication of their description will be avoided.
• 1. Information to be distributed
• For a better understanding of the information distribution system according to the present invention, the information to be distributed is explained first.
• The information to be distributed in the information distribution system according to an embodiment of the invention is “content data for distribution.” Content data for distribution includes both main content data and additional data. In this specification, what is merely called “content data” includes both main content data and additional data.
• “Main content data” is information which is mainly distributed in this information distribution system. More specifically, it may be music data, image data (still image data and animated image data), game programs or the like which are created in a content holder.
• “Additional data” is data pertaining to the main content data. If the main data is music data, the additional data may include fringe data such as jacket picture data and lyrics, and/or metadata such as music titles and artist names, and/or usage condition data such as the allowable number of checkouts to another device or the allowable number of imports into a computer.
• “Package data” is an encrypted and packaged form of the content data to be distributed through an information terminal, where it has been encrypted for copyright protection and bundled as a package. Package data is generated by apackage generator316 in anauthoring studio300. Each package contains encrypted content data (E (Kc, Content)) which is obtained by encrypting the main content data and the additional data, and also a second content key (EKc) and a content enabling key (EKB) which will be described later.
• 2. Outline of the Information Distribution System
• FIG. 1 shows the configuration of aninformation distribution system100 according to the present invention. As shown inFIG. 1, theinformation distribution system100 mainly consists of acontent holder section120, acontent distribution section140, akey control unit160, and auser device180. Next, each of the constituent parts will be explained.
• 2.1Content Holder Section120
• Thecontent holder section120 is a group of data processors such as servers belonging to a phonograph record company. Thecontent holder section120 consists ofplural content holders120ato120nwhich have a similar function. As shown inFIG. 2, each of thecontent holders120ato120nis, for example, a server as a computer having acontent administrator122, acontent generator124, acontent output part126 and acontent database128.
• Content Administrator122
• Thecontent administrator122 controls the content data, such as music data produced by a phonograph record company, etc., related to thecontent holder120a.If the content data to be controlled here concerns music, it contains additional data including fringe data such as jacket picture data and lyrics data, metadata such as music titles and artist names, and usage condition data, in addition to music data as the main content data.
• Content Generator124
• Thecontent generator124 generates the content data associated with thecontent holder120a.If the content data to be generated here concerns music, it contains additional data including fringe data such as jacket picture data and lyrics data, metadata such as music titles and artist names, and usage condition data, in addition to music data as the main content data.
• Content Output Dart126
• Thecontent output part126 transfers the content data which has been generated and controlled by thecontent holder120a,to acontent aggregator200 in the content distribution section140 (described later). Here, the content data may be transferred through a network like the Internet, or through a storage medium like a CD-R or DVD-RAM.
• Content Database128
• Thecontent database128 is a large capacity medium which stores the content data generated by thecontent generator124. If the content data to be stored and controlled here concerns music, it contains additional data including fringe data such as jacket picture data and lyrics data, metadata such as music titles and artist names, and usage condition data, in addition to music data as the main content data
• 2.2Content Distribution Section140
• Thecontent distribution section140 is the core of the information distribution system according to the invention. In thecontent distribution section140, content data for distribution is encrypted for copyright protection and bundled as package data. The package data is then sent through a network600 to aninformation terminal400 such as a kiosk terminal, from which it is supplied to astorage device182 owned by a user.
• Thecontent distribution section140 mainly consists of acontent aggregator200, anauthoring studio300, an information distributor (kiosk terminal)400, anauthentication server500, and a network600.
• 2.2.1Content Aggregator200
• Thecontent aggregator200 collects content data such as music data from thecontent holder section120 and edits it. If the content data to be collected here concerns music, it contains additional data including fringe data such as jacket picture data and lyrics data, metadata such as music titles and artist names, and usage condition data, in addition to music data as the main content data.
• As shown inFIG. 3, thecontent aggregator200 mainly consists of acontent administrator210, acontent collector220, acontent output part230, and acontent database240.
• Content Administration210
• Thecontent administrator210 selects an attractive and valuable content for distribution through theinformation distribution system100 from the contents held by thecontent holders120a to120n. Thecontent administrator210 instructs thecontent collector220 to access a specific content holder (for example, thecontent holder120a) directly or to access a medium distributed from thecontent holder120ato collect content data. At the same time, thecontent administrator210 edits the content data collected from thecontent holder section120.
• Content Collector220
• Thecontent collector220, upon receipt of an instruction from thecontent administrator210, accesses thecontent holder120adirectly or accesses a medium distributed from thecontent holder120ato load content data and store it in thecontent database240.
• Content Database240
• Thecontent database240 temporarily stores and controls the content data loaded by thecontent collector220. Thecontent database240 also stores and controls various records on operation of thecontent aggregator200.
• Content Output Part230
• Thecontent output part230 reads the content data collected by thecontent collector220 from thecontent database240 in response to a request from the authoring studio300 (described later), and outputs it to theauthoring studio300. Here, the output of the content data to theauthoring studio300 may be done through a public network such as the Internet or a more secure dedicated network, or through a storage medium such as a CD-R or DVD-RAM.
• 2.2.2Authoring Studio300
• Theauthoring studio300 has a function of modifying content data for distribution to make it compatible with the information distribution system according to the invention. More specifically, the process of modifying content data has two steps: a first step of compressing the content data to facilitate its distribution and a second step of authoring (encrypting) and packaging it.
• As illustrated inFIG. 4, theauthoring studio300 mainly consists of anauthoring part310, aproduct administrator330, and adatabase server340.
• Authoring Part310
• Theauthoring part310 is, for example, a computer program which runs on a computer. As illustrated inFIG. 5, it has acontent administrator312, adata compressor314, apackage generator module316, aGUI creator318, and adistributor320.
• Content Administrator312
• Thecontent administrator312 controls the content data received from thecontent aggregator200. If the content data to be controlled here concerns music, it contains additional data including fringe data such as jacket picture data and lyrics data, metadata such as music titles and artist names, and usage condition data, in addition to music data as the main content data.
• Data Compressor314
• Thedata compressor314 is, for example, software which compresses the content data received from thecontent administrator312. If the content data is music data, the compression method may be the ATRAC3 method which can compress the data to reduce it to approx. a tenth of the original size. It is needless to say that the compression method which can be used here is not limited to ATRAC3 (Adaptive Transform Acoustic Coding 3), but other audio compression methods such as MP3 (MPEG-1 Audio Layer 3), MC (Advanced Audio Coding), WMA (Windows Media Audio), Twin VQ (Transform-Domain Weighted Interleave Vector Quantization), and QDX may be used.
• Package Generator (Authoring Device)316 p The package generator (authoring device)316 is, for example, software which has a function to encrypt the content data as compressed by thedata compressor314 for authoring it, and package it. In other words, thepackage generator316 functions as an authoring device which authors content data.
• Theauthoring device316 and the various keys used in theauthoring device316 will be described in detail later in connection with an authoringkey generator160; here it is briefly outlined.
• As illustrated inFIG. 6, theauthoring device316 mainly consists of content key (Kc) decrypting means3162, content encrypting means3164, and packaging means3166.
• Content Key (Kc)Decrypting Means3162
• The content key (Kc) decrypting means3162 receives an authoring key (CED), a content identifier (CID) and an authoring key enabling key (CEK) from an authoring key generator160 (described later). Then, it decrypts the content key (Kc) and the second content key (EKc) from the authoring key (CED) using the content identifier (CID) and the authoring key enabling key (CEK).
• Content Encrypting Means3164
• The content encrypting means3164 encrypts content data using the above-said content key (Kc) as decrypted by the content key (Kc) decrypting means3162 to generate encrypted content data (E (Kc, Content)). In the information distribution system according to the present invention, this encrypted content data (E (Kc, Content)) is packaged together with prescribed information and sent to theinformation terminal400.
• Packaging Means3166
• The packaging means3166 bundles the encrypted content data (E (Kc, Content)) obtained by the content encrypting means3164, the content identifier (CID), and the second content key (EKc) as a data package. The package contains additional data including fringe data such as jacket picture data and lyrics data, metadata such as music titles and artist names, and usage condition data, in addition to music data as the main content data.
• Functional Structure of thePackage Generator316
• FIG. 7 is a block diagram showing the functions of thepackage generator316 in a more concrete form. As shown in the figure, thepackage generator316 is anauthoring application310bwhich runs on anoperating system310alikeWindows 2000. Theauthoring application310bincorporates adata compressor314 and apackage generator316 making up a DLL (Dynamic Link Library). In order to simplify the explanation, other applications which are incorporated in theauthoring application310b,such as acontent administrator312, are not shown.
• As illustrated in the figure, uncompressed music data in a given sound format (for example, WAV format) is sent to thedata compressor314 where it is compressed in a given compression format (for example, ATRAC3). Main content data, such as music data which has been compressed by thedata compressor314, is sent to thepackage generator316 and encrypted and packaged together with additional data including fringe data, metadata and usage condition data.
• In this way, the authoring device (package generator)316 according to the present invention can compress, encrypt and package data in the course of authoring it. As a consequence, it is possible to reduce the workload which is required for calculation or communication at the time of distribution or sale of content data. In particular, it can considerably reduce downloading time at an information terminal and the user can download authored content data within a time which is virtually the same as that required for copying it.
• GUI Creator318
• Again referring toFIG. 5, theGUI creator318 in theauthoring part310 has a function to create a GUI (Graphic User Interface) for display on a kiosk terminal as an information terminal (described later). The GUI created here is distributed through adistributor320 to the kiosk terminal. A user who wishes to download a content follows instructions displayed on the monitor screen of the kiosk terminal to purchase the content and download it to a given storage medium and can import the downloaded content to a computer and have it checked out from the computer to another reproducing device or storage medium.
• Distributor320
• Thedistributor320 distributes content data compressed and packaged by thedata compressor314, thepackage generator316 and other package applications as mentioned above, as well as the GUI created by theGUI creator318, to information terminals400 (kiosk terminals, etc).
• Product Administrator330
• Again referring toFIG. 4, theproduct administrator330 administers contents modified for distribution by theauthoring part310 as packaged products. More particularly, theproduct administrator330 monitors the distribution of packaged contents and works in conjunction with a sales administration division, etc. of the kiosk control center to sell products and collect bills. Theproduct administrator330 collects and administers statistical data on records of sales at thekiosk terminal400 as an information terminal and such statistical data will be referred to in product development in the future. The sales-related records in theproduct administrator330 are stored in thedatabase server340.
• Database Server340
• Thedatabase server340 stores and administers various data related to theauthoring studio300. More particularly, thedatabase server340 stores contents modified for distribution in theauthoring part310. If the content data to be administered here concerns music, it contains additional data including fringe data such as jacket picture data and lyrics data, metadata such as music titles and artist names, and usage condition data, in addition to music data as the main content data.
• Thedatabase server340 stores and administers sales-related records in theproduct administrator330, namely, packaged product sales data and records of sales at kiosk terminals.
• 2.2.3Information Terminal400
• Theinformation terminal400 is also called a kiosk terminal. It stores packaged contents distributed from theauthoring studio300 and, in response to a request from theuser180, downloads the requested content into his/herstorage medium182. Theinformation terminal400 may be a kiosk terminal installed in a place where many people come in and out, like a convenience store or gas station, or a personal computer installed in a place easily accessible by individual users.
• As shown inFIG. 8, theinformation terminal400 mainly consists of aninformation terminal administrator410, adata supply section420, a reader/writer (R/W)430, asales administrator440, abilling controller450, and adatabase460.
• Information Terminal Administrator410
• Theinformation terminal administrator410 is, for example, software which administers various tasks to be done at theinformation terminal400. Theinformation terminal administrator410 works in conjunction with thedata supply section420 and reader/writer (R/W)430 to administer external and internal authentication at the information terminal and, after authentication, gives permission to write content data into astorage medium182 such as a memory stick.
• Theinformation terminal administrator410 also has a function to administer sales of contents and billing to theuser180 in cooperation with thesales administrator440 and thebilling controller450. Theinformation terminal administrator410 also administers thedatabase460 which stores packaged contents or records of sales and billing.
• Data Supply Section420
• Thedata supply section420 checks or authenticates a package to see if it has been generated by a legal authoring system. If so (an affirmative authentication is made), it writes the content through the reader/writer (R/W)430 into thestorage medium182.
• Thedata supply section420 may be software which mainly consists of anexternal authentication section422, aninternal authentication section424, and areproduction controller428, as shown inFIG. 9.
• Thedata supply section420 may constitute a DLL (Dynamic Link Library) which is incorporated in theinformation terminal400.FIG. 12 shows an example of thedata supply section420 as an application running on a given operating system (for example, Windows 2000). For a better understanding, inFIG. 12, thedata supply section420 is shown in a simplified form with aGUI application423, asecure module425, and aninterface427 as the main components.
• External Authentication Section422
• Again referring toFIG. 9, theexternal authentication section422 checks to see if thedata supply section420 is legal or is authorized to supply the content data stored in theinformation terminal400 to the outside by comparing a first external authentication key (Kauth (1)) previously stored in thedata supply section420 with a second external authentication key (Kauth (2)) held by theauthentication server500.
• External authentication of thedata supply section420 must be carried out whenever it is activated. However, once its authenticity has been proven, no further external authentication is needed while it is running.
• As shown inFIG. 10, theexternal authentication section422 mainly consists of anexternal authentication administrator4221, key holding means4222, random number generating means4223, first encrypting means4224, second encrypting means4225, comparingmeans4226, and sending/receiving means4227.
• External Authentication Administrator4221
• Theexternal authentication administrator4221 totally administers the operation of theexternal authentication section422. Theexternal authentication administrator4221 carries out an external authentication process as mentioned later when thedata supply section420 is activated; when the result of the external authentication is successful, it transfers the work-in-process to theinternal authentication section424.
• Key Holding Means4222
• The key holding means4222 holds the first external authentication key (Kauth (1)) securely. The first external authentication key (Kauth (1)) is sent from theauthentication server500 to thedata supply section420 in advance; this first external authentication key (Kauth (1)) is hidden in the authenticating part (secure module) of thedata supply section420 in a tamper-resistant manner so that the key data cannot be easily detected even by reverse engineering.
• RandomNumber Generating Means4223
• The random number generating means4223 generates random numbers for external authentication. On one hand, the random numbers generated by the random number generating means4223 are sent to the first encrypting means4224 where they are encrypted using the first external authentication key (Kauth (1)), thus generating first encrypted data. On the other hand, they are sent to the second encrypting means4225 where they are encrypted using the second external authentication key (Kauth (2)), generating second encrypted data.
• First Encrypting Means4224
• The first encrypting means4224 is basically software which is incorporated in thedata supply section420. The first encrypting means4224 encrypts the random numbers generated by the random number generating means4223 using the first external authentication key (Kauth (1)) held securely by the key holding means4222 to generate first encrypted data.
• Second Encrypting Means4225
• The second encrypting means4225 encrypts the random numbers generated by the random number generating means4223 in a route other than the one used for the first encrypting means4224, using a second external authentication key (Kauth (2)) equal to the first external authentication key (Kauth (1)), to obtain second encrypted data.
• The second encrypting means4225 for obtaining second encrypted data may be embodied in various forms depending on the required security level.
• Local External Authentication
• A form of external authentication whose security level is lowest is as shown inFIG. 13 where external authentication is carried out in thedata supply section420. In this form, the second encrypting means4225 is also incorporated in thedata supply section420 and the random numbers are encrypted using the second external authentication key (Kauth (2)) previously stored in thedata supply section420 to obtain second encrypted data.
• However, this local form of external authentication has the risk that the second external authentication key (Kauth (2)) might be stolen by a person who operates theinformation terminal400 maliciously. In addition, if theinformation terminal400 itself is stolen, it is possible to download the package stored in theinformation terminal400. Therefore, this local form of external authentication is effective only when the information terminal is of the antitheft type or designed so that the data in it is destroyed if it is stolen. The external authentication process for this local form of embodiment as illustrated inFIG. 13 will be described later.
• Remote External Authentication
• On the other hand, a form of external authentication whose security level is highest is as shown inFIG. 14. This is a remote form of embodiment in which external authentication is carried out using theauthentication server500 which is outside thedata supply section420. In this remote form, theauthentication server500 receives the above-said random numbers and encrypts them using the second external authentication key (Kauth (2)) to generate second encrypted data.
• Therefore, there is no risk of the second external authentication key (Kauth (2)) being stolen. Even if theinformation terminal400 is stolen, it is impossible to download the package stored in theinformation terminal400. The external authentication process for the remote form of embodiment as illustrated inFIG. 14 will be described later.
• Semi-Local External Authentication
• FIG. 15 shows a form of external authentication which lies midway between the one shown inFIG. 13 and the one shown inFIG. 14. In this semi-local form, theauthentication server500 temporarily transfers the external authentication key (Kauth (2)) to thedata supply section420 when necessary, for example, when downloading. Thedata supply section420 encrypts the random numbers using the second external authentication key (Kauth (2)) transferred from theauthentication server500 to generate second encrypted data. After generation of the second encrypted data, or whenever theinformation terminal400 is turned off, the second external authentication key (Kauth (2)) is deleted from thedata supply section420.
• In this form of embodiment, the second external authentication key (Kauth (2)) is temporarily transferred to theinformation terminal400 only when necessary (downloading, etc), and therefore the risk of the second external authentication key (Kauth (2)) being stolen is remarkably reduced. When the second external authentication keyi(Kauth (2)) is designed to be deleted whenever theinformation terminal400 is turned off, it is impossible to download the package stored in the terminal400 even if it is stolen. The external authentication process for the semi-local form of embodiment as illustrated inFIG. 15 will be described later.
• ComparingMeans4226
• The comparing means4226 compares the first encrypted data generated by the first encrypting means4224 and the second encrypted data generated by the second encrypting means4225. As a result of this comparison, if it is found that the first encrypted data coincides with the second encrypted data, external authentication is successfully completed.
• Sending/ReceivingMeans4227
• The sending/receiving means4227 sends or receives data in theexternal authentication section422. The sending/receiving means4227 sends, for example, the random numbers generated by the random number generating means4223 to the outside, or receives the second encrypted data obtained by the second encrypting means4225 from theauthentication server500.
• Internal Authentication Section424
• Theinternal authentication section424 carries out internal authentication after completion of external authentication in thedata supply section420. Theinternal authentication section424 consists of afirst authentication section4242 and asecond authentication section4244 as shown inFIG. 11.
• First Authentication Section4242
• Thefirst authentication section4242 provides means to check if the content data to be distributed has been generated by a legal authoring system (authoring studio300). More particularly, the MAC written into the content data by a legal authoring system is checked for the first authentication.
• The MAC is calculated from the usage condition data as part of the additional data for the main content data using the content key (Kc). This means that unless the content key (Kc) and the root key (Kroot) are known, the MAC cannot be calculated, namely, only a person who has been given thedata supply section420 and the authoring key (CED) can create package data.
• Second Authentication Section4244
• Thesecond authentication section4244 provides means for performing a mutual check between the reader/writer430 as a recording means and thedata supply section420 as a data record control means. Thesecond authentication section4244 first transfers the content enabling key (EKB), which is obtained by encrypting the root key (Kroot) using the device key (Kdevice) in thelegal authoring system300, to both the reader/writer430 and thedata supply section420. The reader/writer430 and thedata supply section420 use their respective device keys (Kdevice), which they securely hold, to decrypt the root keys (Kroot). When the decrypted root keys coincide with each other, an affirmative authentication is made (the authenticity is proven).
• Reproduction Controller428
• Thereproduction controller428 enables content data to be reproduced in a given storage medium such as a memory stick for which, as a result of internal authentication, the root key (Kroot) is proven to be shared. Thereproduction controller428 is designed so that if the reader/writer430 is of the type which records plural contents in a storage medium collectively, the plural contents can be reproduced after the recording of all of the contents has been completed.
• Reader/Writer (R/W)430
• The reader/writer (R/W)430 is hardware which is used to download content data into a storage medium, such as a memory stick, memory card or smart media. As previously explained, before downloading, a mutual check between thedata supply section420 and the reader/writer (R/W)430 is done for internal authentication to confirm that the device concerned is legal.
• Sales Administrator440
• Thesales administrator440 administers various tasks to be performed for sale of packaged contents. Thesales administrator440 controls sales records and collects sales data. Thesales administrator440 collects statistical data by categorizing sales data according to, for example, time zone, sex, age group, price, content genre, sales quantity and other factors. This statistical data will be useful for product development in the future.
• Billing Controller450
• Thebilling controller450 controls billing-related tasks which have to be done for the sale of a packaged content. For example, when the user pays in cash, thebilling controller450 controls checkout operation (change, etc). It also controls personal identification or credit inquiries when the user pays by credit card.
• Database460
• Thedatabase460 stores and administers various kinds of information concerning theinformation terminal400. The information which is stored in thedatabase460 includes packaged contents to be distributed by theinformation distribution system100 according to the present invention, and various records such as sales records and billing records.
• 2.2.4Authentication Server500
• Theauthentication server500 performs external authentication to check if aninformation terminal400 is a legal terminal which is authorized to download content data. In theinformation distribution system100 according to the present invention, it is necessary to perform external authentication before downloading a given packaged content in order to check if thedata supply section420 of theinformation terminal400 is a legal device authorized to download it.
• Theauthentication server500 has a function to perform external authentication of thedata supply section420. For external authentication, in thedata supply section420, the random numbers generated by the random number generating means4223 are encrypted using the first external authentication key (Kauth (1)) securely held within the key holding means4222 to generate first encrypted data, which will be mentioned later. The first external authentication key (Kauth (1)) is sent from theauthentication server500 to thedata supply section420 beforehand; this external authentication key (Kauth (1)) is hidden in the authenticating part (secure module) of thedata supply section420 in a tamper-resistant manner so that the key data cannot be easily detected even by reverse engineering.
• On the other hand, in another route, similar random numbers are encrypted using a second external authentication key (Kauth (2)) equal to the first external authentication key (Kauth (1)) to obtain second encrypted data. Then, a comparison is made between the first encrypted data generated in thedata supply section420 and the second encrypted data generated in a route other than the one used for the first encrypted data. As a result of the comparison, if it is found that both encrypted data coincide with each other, thedata supply section420 is proven to be legal (external authentication).
• Theauthentication server500 basically controls the second external authentication key (Kauth (2)) in the above external authentication process. As described later, in one embodiment, theauthentication server500 receives the above random numbers and generates the second encrypted data using the second external authentication key (Kauth (2)). In another embodiment, theauthentication server500 transfers the second external authentication key (Kauth (2)) to thedata supply section420 to generate the second encrypted data. In a further embodiment in which the second external authentication key (Kauth (2)) is held securely in thedata supply section420, theauthentication server500 distributes the second external authentication key (Kauth (2)) in advance.
• Regarding the first and second external authentication keys (Kauth (1)), (Kauth (2)) to be controlled by theauthentication server500, it is also possible to place an authorizedkey control unit160 in charge of their issuance and management. Thekey control unit160 not only issues the first and second external authentication keys (Kauth (1)), (Kauth (2)), but also can update the first and second external authentication keys (Kauth (1)), (Kauth (2)) and disable thedata supply section420 if theinformation terminal400 is stolen.
• 2.2.5 Network600
• The network600 is a communication network which distributes content data packaged in theauthoring studio300 to theinformation terminal400. The network600 includes both aradio communication network600a,such as a satellite communication network, and adedicated network600b.For security, it is desirable that the network600 be a closed system comprising adedicated network600b,but the use of an open system like the Internet is acceptable. If the network distributes data tomany information terminals400 simultaneously, it is desirable that it be aradio communication network600alike a satellite communication network.
• 2.3Key Control Unit160
• Thekey control unit160 is an administrator authorized to control keys for use at various stages in the information distribution system according to the present invention. Thekey control unit160 serves as an authoring key generator for theauthoring device316. The keys and key-related data to be controlled here are described below. The key data is updated periodically or when necessary in order to accommodate environmental change and improve security.
• 2.3.1 Key Data for Use in theAuthoring Studio300
• The content key (Kc) is a key used to encrypt a content in theauthoring studio300. The content key (Kc) is encrypted using the root key (Kroot) to become the second content key (EKc).
• The content identifier (CID) is an identifier allocated to each content. The content ID (CID) is unique to a content and is never allocated to any other content. The content identifier (CID) is generated and controlled not at the site of authoring work but in the authoringkey generator160 so that the uniqueness of the content identifier (CID) can be fully guaranteed.
• The root key (Kroot) is a key which is used when the content key (Kc) is encrypted. The root key (Kroot) is sometimes called a “content key encrypting key.” The root key (Kroot) is a very important key which is shared. In this system, this root key (Kroot) is not directly given to theauthoring device316, but a key set which consists of a content key (Kc) and a second content key (EKc) as encrypted by the root key is transferred to theauthoring device316 as an authoring key (CED) so that security is improved and a wrong key combination can be prevented.
• The “second content key (EKc) as encrypted by the root key” is an encrypted form of the content key (Kc) made using the root key (Kroot). In short, the relation of EKc=E (Kroot, Kc) exists. When an authoring key (CED) is generated as a key set comprising a content key (Kc) and a second content key (Ekc) as encrypted by the root key, a wrong key combination can be prevented.
• The device key (Kdevice) is key data concerning a reproducing device capable of using a packaged content. The device key is key data securely held by hardware or tamper-resistant software of each reproducing device.
• The content enabling key (EKB (Enabling Key Block)) is an encrypted form of the root key (Kroot) made using the device key (Kdevice). The content enabling key (EKB) contains data such as E (KdeviceA, Kroot) and E (KdeviceB, Kroot); a reproducing device A (DeviceA) can know Kroot by solving E (KdeviceA, Kroot). Likewise, a reproducing device B (DeviceB) can know Kroot by solving E (KdeviceB, Kroot).
• The authoring key enabling key (CEK (Content Enabling Key)) is confidential information (key) shared between a content authoring company and an administrator. It varies from one authoring company to another and is issued and controlled by the administrator. It is used together with the authoring key (CED) for authoring.
• The authoring key (CED (Content Enabling Data)) is a key which is used to author a content. It is issued and controlled by an authorized administrator. It is associated with a content identifier (CID) and one content is authored using one authoring key (CED). The authoring key is made by encrypting a content key (Kc) and a second content key (EKc) as encrypted by the root key using the content identifier (CID) and the authoring key enabling key (CEK).
• The redundant content key block (RKcB (Redundant Kc Block)) is a data block which combines the content key (Kc), second content key (EKc) as encrypted by the root key, and content enabling key version data (EKB-Version), and also has redundant random number data which makes illegal decryption difficult. It is generated in the course of generating the authoring key (CED). It is data which is used in the authoring key (CED) generating process and the user or a person who develops an application is unaware of it.
• The redundant content key block with checksum data (CRKcB) is a data block which is obtained by calculating a checksum (CS) for the redundant content key block (RKcB) and adding it to the block.
• The final encrypting key (Kcid) is key data which is used for final encryption in the authoring key (CED) generating process. It is made from the content ID (CID) and authoring key enabling key (CEK). Since the final encrypting key (Kcid) is data which is used in the authoring key (CED) generating process, the user or a person who develops an application is unaware of it. When using the authoring key (CED), if the content identifier (CID) and the authoring key enabling key (CEK) are known, the content key (Kc), second content key (EKc) as encrypted by the root key, and content enabling key version data (EKB-Version) which are contained in the authoring key (CED) can be acquired by generating Kcid within the module.
• 2.3.2 Key Data and Key-Related Data for Use in theInformation Rerminal400
• In theinformation terminal400, key data and key-related data are used for decryption, external authentication or internal authentication of encrypted content data (E (Kc, Content)).
• Data for Decryption
• The encrypted content data (E (Kc, Content)) is decrypted using the device key (Kdevice), the content enabling key (EKB) and the content key (Kc) as obtained from the second content key (EKc).
• Key Data for External Authentication
• For external authentication of thedata supply section420, the first external authentication key (Kauth (1)) and the second external authentication key (Kauth (2)) are used.
• The first external authentication key (Kauth (1)) is distributed from theauthentication server500 to thedata supply section420 beforehand. This external authentication key (Kauth (1)) is hidden in the authenticating part (secure module) of thedata supply section420 in a tamper-resistant manner so that the key data cannot be easily detected even by reverse engineering. The first external authentication key (Kauth (1)) is used when the first encrypting means4224 encrypts random numbers to generate first encrypted data.
• The second external authentication key (Kauth (2)) is equal to the first external authentication key (Kauth (1)) which is issued by theauthentication server500. The second external authentication key (Kauth (2)) is used when the second encrypting means4225 encrypts random numbers to generate second encrypted data.
• Key Data for Internal Authentication
• For internal authentication of thedata supply section420, reference is made to the root key (Kroot) which is obtained by decrypting the content enabling key (EKB) using the device key (Kdevice) which thedata supply section420 and the reader/writer430 each have.
• 2.4User Device180
• Theuser device180 is an information terminal such as a computer which has a function to access an information terminal400 (kiosk terminal, etc) and download a desired content.
• As illustrated inFIG. 1, theuser device180 mainly consists of astorage medium182 and a reproducingdevice184. Theuser device180 may also be provided with another storage medium and/or reproducingdevice186. It can check out or move the content downloaded into thestorage medium182 to another storage medium and/or reproducingdevice186 repeatedly as many times as allowed.
• 3. Authoring Process
• Next, the authoring process in theauthoring studio300 will be described. Theinformation distribution system100 according to the present invention is characterized in that encryption and packaging of a content are done in the authoring process, that the authoringkey generator160 which generates an authoring key is separate from theauthoring device316 which actually encrypts the content using the authoring key, and that the content can be encrypted without directly giving the root key to theauthoring device316.
• Because it is unnecessary to know the content of the authoring key in authoring, the step of authoring key generation can be completely separated from the authoring process. Furthermore, this separation makes it possible to control the number of packages which can be generated correctly in the authoring process from outside the process.
• Besides, when an authoring key enabling key (CEK) which is arbitrarily specified for authoring key generation is added to the content identifier (CID) as an encrypting key for use in authoring key generation, it is possible to limit who can use the generated authoring key correctly to a person who knows the authoring key enabling key (CEK).
• Tampering of a package can be prevented by adding the MAC, based on a key which only legal systems can know, to usage condition data, etc. which is set in the authoring process.
• 3.1 Authoring Key Generation Process
• The authoring key generating process in the authoring key generator (key control unit)160 is described below.
• The authoring key (CED) basically contains a content key (Kc) and a second content key (EKc) as encrypted by the root key. EKc may be expressed as E (Kroot, Kc). The root key (Kroot) is a key which is used to encrypt the content key (Kc). The root key (Kroot) is a very important key for security. As described later, in this system, this root key (Kroot) which is shared is not directly given to theauthoring device316. Rather, a key set which consists of a content key (Kc) and a second content key (EKc) as encrypted by the root key is transferred to theauthoring device316 as an authoring key (CED) so that security is improved and a wrong key combination can be prevented.
• As illustrated inFIG. 17A, an authoring key (CED) is obtained by encrypting a content key (Kc) for encryption of the content data and a second content key (EKc) as encrypted by the root key (Kroot) using the content identifier (CID) and the authoring key enabling key (CEK), where the content identifier (CID) is uniquely allocated to each of the content data (Content) and the authoring key enabling key (CEK) is uniquely allocated to eachauthoring device316.
• For generation of an authoring key (CED), the authoring key generating means166 (FIG. 6) requires a content identifier (CID) generated by the content identifier generating means162, a content key (Kc), a second content key (EKc) as encrypted by the root key (Kroot), and an authoring key enabling key (CEK) generated by the authoring key enabling key generating means164.
• FIG. 16 is a flowchart showing the authoring key (CED) generating process in the authoring key generating means166.
• First, at step S1602, a redundant content key block (RKcB (Redundant Kc Block)) is generated as a data block by combining the content key (Kc), the second content key (EKc) as encrypted by the root key, and content enabling key version data (EKB-Version), which are all to be contained in the authoring key (CED), and adding redundant random number data which makes illegal decryption difficult.
• The content enabling key (EKB) is an encrypted form of the root key (Kroot) which is made using the device key (Kdevice), and the content key enabling key version data (EKB-Version) is version data on the content enabling key. In this way, data which shows the version of the root key (Kroot) to be specified for a certain content key (Kc) is included in the key set, so a wrong combination of the content key (Kc), second content key (EKc) as encrypted by the root key, and the root key (Kroot) can be prevented.
• Next, at step S1604, a checksum (CS) is calculated for the redundant content key block (RKcB) and the checksum (CS) is added, for example, after the redundant content key block (RKcB) to obtain a redundant content key block with checksum data (CRKcB).
• Thus, adding the checksum data in addition to the content key (Kc) and second content key (EKc) as encrypted by the root key in the authoring key (CED) generating process virtually prevents an authoring key (CED) with a wrong content identifier (CID) from being used.
• Next, step S1606 generates a final encrypting key (Kcid) from the content identifier (CID) and the authoring key enabling key (CEK). As described later in connection withFIG. 7B, when using the authoring key (CED), if the content identifier (CID) and the authoring key enabling key (CEK) are known, the content key (Kc), second content key (EKc) as encrypted by the root key, and content enabling key version data (EKB-Version) which are contained in the authoring key (CED) can be acquired by generating Kcid within the module.
• In the final encrypting key (Kcid) generating process, allocating a unique content identifier (CID) to each content permits the use of a correct content identifier (CID) in encryption by the authoring key to ensure correct authoring work. This enables authoring accuracy to increase. Also, controlling the generation of the content identifier (CID) in the authoringkey generator160 enables the uniqueness of the content ID (CID) to be fully guaranteed.
• Finally, at step S1608, an authoring key (CED) is generated by encrypting the redundant content key block with checksum data (CRKcB) using the final encrypting key (Kcid).
• 3.2 Encryption by the Authoring Key
• Next, referring toFIG. 18, how a content is encrypted using the authoring key generated by the authoringkey generator160 is explained.
• First, at step S1902, the content key decrypting means3162 of theauthoring device316 acquires an authoring key enabling key (CEK) as a shared confidential key from the authoring key generator (key control unit)160. Although the explanation given below assumes that the authoring key generator also serves as a key control unit responsible for control of the authoring key and other key data, it is also possible that the authoring key generator and the key control unit are separate devices.
• Next, at step S1904, the content key decrypting means3162 acquires from the authoring key generator (key control unit)160 a content identifier (CID) and an authoring key (CED) as a pair for a content to be authored.
• In connection with steps S1902 and S1904, the authoring key enabling key (CEK) need not be acquired at the same time when the pair (CID and CED) is acquired. While the pair (CID and CED) varies from one content to another, the authoring key enabling key (CEK) is unique to theauthoring device316; therefore once the authoring key enabling key (CEK) is acquired before the authoring process, no further operation to acquire it is necessary.
• Also, it is not always necessary to acquire such a pair (a content identifier (CID) and an authoring key (CED)) every time to author each content. When plural contents are to be authored, arrangements may be made such that a pair for all the contents is acquired at one time.
• Next, at step S1906, the content key decrypting means3162 decrypts the content key (Kc) and the second content key (EKc) as encrypted by the root key from the authoring key (CED) using the content identifier (CID) and the authoring key enabling key (CEK).
• Then, at step S1908, the content encrypting means3164 of theauthoring device316 encrypts content data using the content key (Kc) decrypted by the content key decrypting means3162 to generate encrypted content data E (Kc, Content).
• After that, at step S1910, the packaging means3166 bundles the encrypted content data E (Kc, Content), the content identifier (CID) and the second content key (EKc) as encrypted by the root key as a package to conclude the series of authoring steps.
• 4. Information distribution Process
• The content for which authoring has been finished in this way is sent through the specified network600 to the information terminal400 (kiosk terminal, etc.), as shown inFIG. 1. As shown inFIG. 19, the encrypted content data (E (Kc, Content)), the second content key (EKc) as encrypted by the root key, and the content enabling key (EKB) are sent to theinformation terminal400. In order to prevent tampering, the MAC which is calculated using the content key Kc is added to the header of the encrypted content data E (Kc, Content).
• At theinformation terminal400, after a specified authentication process comprising external authentication and internal authentication has been completed, the content data is decrypted and downloaded into a givenstorage medium182. Referring to the flowchart inFIG. 20, the information distribution process is explained in detail below.
• 4.1 External Authentication Process
• As mentioned earlier, theexternal authentication section422 of theinformation terminal400 checks if thedata supply section420 is legal, or authorized to supply the content stored in theinformation terminal400 to the outside, by comparing the first external authentication key (Kauth (1)) previously stored in thedata supply section420 with the second external authentication key (Kauth (2)) stored in the authentication server500 (step S2102). If the check for external authentication at step S2102 is successful, the process goes to step S2104 and subsequent steps for internal authentication; if the check is unsuccessful, distribution of content data (DL) is rejected (step S2112).
• External authentication must be carried out whenever thedata supply section420 is activated. However, once its authenticity has been proven, no further external authentication is needed while thedata supply section420 is running.
• The second encrypting means4225 for obtaining second encrypted data may be embodied in various forms depending on the required security level.
• 4.1.1 Local External Authentication Process
• A form of external authentication whose security level is lowest is as shown inFIG. 13; here external authentication is carried out locally or in thedata supply section420. In this form of external authentication, the second external authentication key (Kauth (2)) is incorporated in the application of thedata supply section420.
• First, thesecure module425 which securely holds the first external authentication key (Kauth (1)) encrypts the random numbers generated by the random number generating means4223 using the first external authentication key (Kauth (1)) to obtain first encrypted data.
• The random numbers generated by the random number generating means4223 are sent through anapplication interface423 to anapplication421. Theapplication421 encrypts the random numbers using the previously stored second external authentication key (Kauth (2)) to obtain second encrypted data.
• The second encrypted data is sent back through theapplication interface423 to thesecure module425. In thesecure module425, a comparison is made between the first encrypted data and the second encrypted data; if they coincide, the external authentication process according to the present invention is concluded.
• However, this local form of external authentication has the risk that the second external authentication key (Kauth (2)) may be stolen by a person who operates theinformation terminal400 maliciously. In addition, if theinformation terminal400 itself is stolen, it is possible to download the package stored in theinformation terminal400.
• 4.1.2 Remote External Authentication Process
• On the other hand, a form of external authentication whose security level is highest is as shown inFIG. 14; herein external authentication is carried out remotely, or using theauthentication server500 which is outside thedata supply section420.
• First, thesecure module425 which securely holds the first external authentication key (Kauth (1)) encrypts the random numbers generated by the random number generating means4223 using the first external authentication key (Kauth (1)) to obtain first encrypted data.
• The random numbers generated by the random number generating means4223 are sent through anapplication interface423 and through anapplication421 to theauthentication server500. Theauthentication server500 receives the random numbers to obtain second encrypted data using the second external authentication key (Kauth (2)).
• The second encrypted data is sent back through theapplication interface423 to thesecure module425. In thesecure module425, a comparison is made between the first encrypted data and the second encrypted data; if they coincide, the external authentication process according to the present invention is concluded.
• Therefore, in this form of external authentication, there is no risk of the second external authentication key (Kauth (2)) being stolen; even if theinformation terminal400 is stolen, it is impossible to download the package stored in theinformation terminal400.
• 4.1.3 Semi-Local External Authentication Process
• FIG. 15 shows a form of external authentication which lies midway between the one shown inFIG. 13 and the one shown inFIG. 14. In this form of external authentication, theauthentication server500 temporarily transfers the external authentication key (Kauth (2)) to thedata supply section420 when necessary, for example, when downloading.
• First, thesecure module425 which securely holds the first external authentication key (Kauth (1)) encrypts the random numbers generated by the random number generating means4223 using the first external authentication key (Kauth (1)) to obtain first encrypted data.
• The random numbers generated by the random number generating means4223 are sent through anapplication interface423 to anapplication421. Theapplication421 encrypts the random numbers using the previously stored second external authentication key (Kauth (2)) to obtain second encrypted data.
• The second external authentication key (Kauth (2)) is under the control of theauthentication server500; whenever thedata supply section420 is activated, theapplication421 receives the second external authentication key (Kauth (2)) from theauthentication server500 and encrypts the random numbers. After the generation of the second encrypted data, or whenever theinformation terminal400 is turned off, the second external authentication key (Kauth (2)) is deleted from thedata supply section420.
• The second encrypted data is sent back through theapplication interface423 to thesecure module425. In thesecure module425, a comparison is made between the first encrypted data and the second encrypted data; if they coincide, the external authentication process according to the present invention is concluded.
• In this form of external authentication, the second external authentication key (Kauth (2)) is temporarily transferred to theinformation terminal400 only when necessary (downloading, etc.), and therefore the risk of the second external authentication key (Kauth (2)) being stolen is remarkably reduced. If the key (Kauth (2)) is thus designed to be deleted whenever theinformation terminal400 is turned off, it is impossible to download the package stored in theinformation terminal400 even if theinformation terminal400 is stolen.
• 4.2 Internal Authentication Process
• Theinternal authentication section424 carries out internal authentication after completion of external authentication in thedata supply section420. The internal authentication process consists of a first authentication step where content data is checked by thefirst authentication section4242 and a second authentication step by thesecond authentication section4244.
• As shown inFIG. 20, the content check at step S2104 is a step to check if the content data to be distributed has been generated by a legal authoring system (authoring studio300). More particularly, the first authentication refers to the MAC written into the content data by a legal authoring system. At step S2104, if the content check is successful, the process goes to step S2106 for the second internal authentication; if the content check is unsuccessful, distribution of content data (DL) is rejected (step S2112).
• At step S2106, thesecond authentication section4244 provides means for performing a mutual check between the reader/writer430 as a recording means and thedata supply section420 as a data record control means. Thesecond authentication section4244 first transfers the content enabling key (EKB), which is obtained by encrypting a root key (Kroot) using a device key (Kdevice) in thelegal authoring system300, to both the reader/writer430 and thedata supply section420. The reader/writer430 and thedata supply section420 use their respective device keys (Kdevice), which they securely hold, to decrypt the root keys (Kroot). When the decrypted root keys coincide with each other, an affirmative authentication is made (the authenticity is proven). At step S2106, if the second internal authentication is successful, downloading at step S2108 is permitted; if the second internal authentication is unsuccessful, distribution of content data (DL) is rejected (step S2112).
• 4.3 Downloading Process
• As shown inFIG. 20, after internal authentication has been completed in this way at step S2106, the content data is downloaded into a given storage medium such as a memory stick at step S2108.
• Next, how the internal authentication, decryption and downloading processes are associated with each other is explained referring toFIG. 22.
• the data supply section (device)420, which securely holds the device key (KdeviceA), checks the MAC of the package to be downloaded and confirms that the package has been generated by a legal authoring system and has never been tampered with or otherwise modified.
• Thedata supply section420 obtains a root key (KrootA) by decrypting the content enabling key (EKB) contained in the package using the device key (KdeviceA). Thedata supply section420 sends the content enabling key (EKB) to the reader/writer430. The reader/writer430 also holds the device key (KdeviceB) securely like thedata supply section420. The reader/writer430 obtains a root key (KrootB) by decrypting the content enabling key received from thedata supply section420 using the device key (KdeviceB).
• Thedata supply section420 and the reader/writer430 compare both root keys (KrootA, KrootB) for internal authentication. If the result of the comparison for internal authentication is successful, the authenticity of the content is checked and then the content is copied into a storage medium such as a memory stick by means of the reader/writer430.
• At this stage, the content remains encrypted by the content key (Kc) and cannot be reproduced. Therefore, the content (copy) is made reproducible using the content key (Kc) by a reproduction controller so that the user can reproduce and enjoy the content on his/her reproducingdevice184.
• 4.4 Downloading Plural Contents Collectively
• AlthoughFIG. 22 shows the case in which one content is copied, the information distribution system according to the present invention permits plural contents to be downloaded at the same time.
• Next, how plural contents are downloaded collectively is explained referring toFIG. 23. After a prescribed series of authentication steps has been completed successfully, the data supply section (device)420 copies the first package into a givenstorage medium182 through the reader/writer430. At this stage, the content in the first package cannot be reproduced. Then thedata supply section420 copies the second and third contents into thestorage medium182 through the reader/writer430. After plural contents have been downloaded collectively in this way, the reproduction controller makes all the downloaded contents reproducible at one time.
• As mentioned above, downloaded contents are made reproducible not one by one but collectively; for example, if there is a request for downloading of three tunes, the three tunes are copied and then made all reproducible collectively. This remarkably reduces the workload of authentication and other steps required for downloading plural contents.
• 4.5 Flow of a Downloaded Content
• Next, how a content flows after being downloaded by the information distribution system according to the present invention is explained referring toFIG. 24.
• As shown inFIG. 24, in this system, a content package is downloaded into a storage medium such as a memory stick from a kiosk terminal (information terminal)400. The package also contains content usage condition data; how the downloaded content is processed is determined according to this condition data.
• Usually, the content is imported from the storage medium182 (memory stick, etc) into terminal equipment190 (personal computer, etc). Then the content can be checked out from theterminal equipment190 tomobile devices192,194,196 with a reproduction function. The number of checkouts is limited for the purpose of copyright protection. In the example shown here, up to three checkouts are allowed. Therefore, the downloaded content can be copied into threemobile devices192,194,196.
• If the user wishes to copy the content into a reproducing device other than the abovemobile devices192,194,196, it can be copied repeatedly within the allowable number of checkouts after being checked into thepersonal computer190 from one of themobile devices192,194,196.
• As discussed so far, in the information distribution system according to the present invention, the content is encrypted in the course of authoring so the downloading time at the information terminal can be shortened, thereby reducing the workload on the information terminal.
• The information distribution system according to the present invention is designed so that only a content which is generated by a legal authoring device can be downloaded at the information terminal. This means that an illegal act such as manual rewriting of some of an authored content can be prevented. Also, an illegally authored content which is sent to the information terminal cannot be downloaded.
• In the information distribution system according to the present invention, even if the content is legal, it cannot be reproduced from a simple copy of it which is made in the storage medium; only after completion of external authentication and internal authentication in the data supply device can it be reproduced. This prevents illegal copying.
• In the information distribution system according to the present invention, a legally purchased content file can be downloaded as many times as desired and a legally downloaded content file can be moved to a PC where a checkout to another device or a checkin to it can be made.
• In the information distribution system according to the present invention, additional data such as jacket picture data can also be processed together and in association with the main content data such as a music file.
• The above preferred embodiments assume that an information distribution system according to the present invention is used as a system which distributes music data as contents. However, the invention is not limited to such an application. It is needless to say that the system can be used as an information distribution system which distributes, for example, image (still image and animated image) data, game programs and other various types of content data in addition to music data through a network to users.
• As can be understood from the foregoing explanation, the present invention provides an information distribution system which distributes music data and other various types of content data while preventing illegal copying effectively. In other words, according to the present invention, it is possible to effectively prevent unauthorized authoring, unauthorized data distribution, unauthorized use of an information terminal, and unauthorized downloading. Furthermore, according to the present invention, data is compressed and encrypted so that an information distribution system which features shorter downloading time can be realized.
• Although the invention herein has been described with reference to particular embodiments, it is to be understood that these embodiments are merely illustrative of the principles and applications of the present invention. It is therefore to be understood that numerous modifications may be made to the illustrative embodiments and that other arrangements may be devised without departing from the spirit and scope of the present invention as defined by the appended claims.

Claims (24)

1. A data supply device for supplying content data stored in an information terminal to a given storage medium, the device comprising:

key holding means for holding a first external authentication key securely;

random number generating means for generating random numbers;

encrypting means for encrypting the random numbers using the first external authentication key to generate first encrypted data;

sending means for sending the random numbers to the information terminal;

receiving means for receiving second encrypted data, the second encrypted data being obtained by encrypting the random numbers using a second external authentication key equal to the first external authentication key; and

comparing means for comparing the first encrypted data with the second encrypted data.

2. The data supply device as claimed inclaim 1, wherein the comparing means enables the content data to be supplied to the given storage medium when the first encrypted data coincides with the second encrypted data.

3. The data supply device as claimed inclaim 1, wherein the second external authentication key is previously stored in the information terminal and the second encrypted data is formed in the information terminal.

4. The data supply device as claimed inclaim 1, wherein the information terminal acquires the second external authentication key from a key control unit and the second encrypted data is formed in the information terminal.

5. The data supply device as claimed inclaim 1, wherein the random numbers are sent through the information terminal to a key control unit, and the second encrypted data is obtained by encrypting the random numbers within the key control unit using the second external authentication key.

6. An information terminal for storing content data to be distributed, comprising:

first encrypting means for controlling encryption of random numbers generated within a data supply device using a first external authentication key securely held within the data supply device to generate first encrypted data;

second encrypting means for receiving the random numbers from the data supply device and for acquiring second encrypted data by encrypting the random numbers using a second external authentication key equal to the first external authentication key; and

licensing means for permitting the data supply device to supply the content data to a given storage medium only when the first encrypted data coincides with the second encrypted data.

7. The information terminal as claimed inclaim 6, wherein the second encrypting means stores the second external authentication key in advance and generates the second encrypted data within the information terminal.

8. The information terminal as claimed inclaim 6, wherein the second encrypting means obtains the second external authentication key from a key control unit and generates the second encrypted data within the information terminal.

9. The information terminal as claimed inclaim 6, wherein the second encrypting means sends the random numbers to a key control unit and acquires the second encrypted data from the key control unit.

10. A data supply device, comprising:

recording means for recording content data recorded in an information terminal to a given storage medium;

data record control means for controlling operation of the recording means;

first authentication means for determining whether the content data has been generated by a legal authoring system; and

second authentication means for performing a mutual check between the recording means and the data record control means,

wherein the data record control means controls the recording means to record the content data to the given storage medium only when the content data has been generated by a legal authoring system and the mutual check is successful.

11. The data supply device as claimed inclaim 10, wherein the first authentication means determines whether the content data has been generating by a legal authoring system by referring to a MAC written in the content data by the legal authoring system.

12. The data supply device as claimed inclaim 10, wherein the second authentication means transfers a content enabling key (EKB), obtained by encrypting a root key (Kroot) using a device key (Kdevice) of the legal authoring system, to the data record control means and the recording means; the data record control means decrypts the root key (Kroot) using a device key (Kdevice) of the data record control means to obtain a first decrypted root key; and the recording means decrypts the root key (Kroot) using a device key (Kdevice) of the recording means to obtain a second decrypted root key; wherein the mutual check is successful when the first decrypted root key coincides with the second decrypted root key.

13. The data supply device as claimed inclaim 10, further comprising reproduction control means for controlling reproduction of the content data in the given storage medium.

14. The data supply device as claimed inclaim 13, wherein the recording means records plural content data to the given storage medium, and the reproduction control means permits reproduction of the plural content data only after the plural content data has been recorded to the given storage medium.

15. A method for supplying content data stored in an information terminal to a given storage medium, the method comprising:

generating random numbers;

encrypting the random numbers using a securely held first external authentication key to generate first encrypted data;

sending the random numbers to the information terminal;

encrypting the random numbers using a second external authentication key equal to the first external authentication key;

receiving the second encrypted data from the information terminal; and

comparing the first encrypted data with the second encrypted data.

16. The content data supply method as claimed inclaim 15, further comprising:

supplying the content data to the storage medium when the first encrypted data coincides with the second encrypted data.

17. The content data supply method as claimed inclaim 15, further comprising:

storing the second external authentication key in the information terminal prior to the step of encrypting the random numbers within the information terminal.

18. The content data supply method as claimed inclaim 15, further comprising:

supplying the second external authentication key from a key control unit to the information terminal prior to the step of encrypting the random numbers within the information terminal.

19. The content data supply method as claimed inclaim 15, further comprising:

sending the random numbers through the information terminal to a key control unit; and

encrypting the random numbers within the key control unit using the second external authentication key.

20. An information supply method used in a data supply device having recording means for recording content data from an information terminal to a given storage medium and data record control means for controlling operation of the recording means, the method comprising:

determining whether the content data has been generated by a legal authoring system;

performing a mutual check between the recording means and the data record control means; and

recording the content data to the given storage medium only when the content data has been generated by a legal authoring system and the mutual check is successful.

21. The information supply method as claimed inclaim 20, wherein the step of determining whether the content data has been generated by a legal authoring system includes referring to a MAC written in the content data by the legal authoring system.

22. The information supply method as claimed inclaim 20, wherein the second authentication step includes transferring a content enabling key (EKB), obtained by encrypting a root key (Kroot) using a device key (Kdevice) of the legal authoring system, to the data record control means and the recording means; decrypting the root key (Kroot) using a device key (Kdevice) of the data record control means to obtain a first decrypted root key; and decrypting the root key (Kroot) using a device key (Kdevice) of the recording means to obtain a second decrypted root key; and wherein the mutual check is successful when the first decrypted root key coincides with the second decrypted root key.

23. The information supply method as claimed inclaim 20, further comprising:

reproducing the content data in the given storage medium.

24. The information supply method as claimed inclaim 23, wherein the recording step includes recording plural content data to the given storage medium, and the reproducting step reproduces the plural content data only after the plural content data has been recorded to the given storage medium.

Images