Digital work protection system, key management apparatus, and user apparatus

US 7,272,229 B2
Filed: 10/23/2002
Issued: 09/18/2007
Est. Priority Date: 10/26/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A user apparatus that is assigned one or more device keys by a key management apparatus that has at least one device key in association with an n-ary tree (n being a integer equal to or greater than 2), and encrypts or decrypts based on the assigned device key,wherein the key management apparatus (a) stores the at least one device key in one-to-one correspondence with at least one node in the n-ary tree, a plurality of the nodes on at least one path from a root node to a leaf node having been revoked, (b) encrypts a media key respectively using a plurality of common device keys to generate a plurality of encrypted media keys, each common device key being one of the at least one device key that is in correspondence with a valid node and that is commonly assigned to at least one user apparatus, and writes the generated plurality of encrypted media keys to a recording medium in an order relating to the structure of the n-ary tree, and (c) generates a piece of revocation information for each revoked node excluding the leaf nodes showing (i) whether each of n directly subordinate nodes of the revoked node is respectively revoked or not and (ii) whether the media key has been encrypted using a device key in correspondence with the revoked node, to obtain a plurality of pieces of revocation information, and writes the obtained pieces of revocation information to the recording medium in the order relating to the structure of the n-ary tree,the user apparatus comprising:

a specification unit operable to specify one encrypted media key using the plurality of pieces of revocation information, from amongst the plurality of encrypted media keys that has been encrypted based on one of the device keys assigned to the user apparatus;

a decryption unit operable to generate the media key by decrypting the specified encrypted media key based on the device key assigned to the user apparatus; and

an encryption/decryption unit operable to perform at least one of (d) encrypting content based on the generated media key and writing the encrypted content to the recording medium, and (e) decrypting, based on the obtained media key, encrypted content read from the recording medium to generate content,wherein the specification unit is operable to (1) check, in accordance with the order relating to the structure of the n-ary tree and starting from the root node of the n-ary tree, each of the plurality of pieces of revocation information recorded on the recording medium, and (2) count how many of the checked pieces of revocation information show existence of a media key encrypted using a device key, andwherein, when a node corresponding to a piece of revocation information that is a current checking target of the specification unit exists on a path from the leaf node allocated to the user apparatus to the root node, the specification unit is operable to specify, as the encrypted media key encrypted by a device key allocated to the user apparatus, an encrypted media key that exists in a position determined according to how many pieces of revocation information have been counted since the checking by the specification unit started.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a system composed of a recording apparatus that records digitized content such as a movie, or a reproduction apparatus that reproduces the digitized content, and a recording medium, a media key for use in recording or reproduction is encrypted by a plurality of device keys and recorded on the recording medium. Here, the recording apparatus or the reproduction apparatus specifies the encrypted media key that it is to decrypt, from amongst the plurality of encrypted media keys. A key management apparatus records node revocation patterns assigned to nodes in a tree structure to the recording medium in a particular order, as header information of key information, together with the encrypted media keys. The recording apparatus or the reproduction apparatus specifies the encrypted media key to be decrypted, by analyzing the node revocation patterns sequentially.

Citations

10 Claims

1. A user apparatus that is assigned one or more device keys by a key management apparatus that has at least one device key in association with an n-ary tree (n being a integer equal to or greater than 2), and encrypts or decrypts based on the assigned device key,wherein the key management apparatus (a) stores the at least one device key in one-to-one correspondence with at least one node in the n-ary tree, a plurality of the nodes on at least one path from a root node to a leaf node having been revoked, (b) encrypts a media key respectively using a plurality of common device keys to generate a plurality of encrypted media keys, each common device key being one of the at least one device key that is in correspondence with a valid node and that is commonly assigned to at least one user apparatus, and writes the generated plurality of encrypted media keys to a recording medium in an order relating to the structure of the n-ary tree, and (c) generates a piece of revocation information for each revoked node excluding the leaf nodes showing (i) whether each of n directly subordinate nodes of the revoked node is respectively revoked or not and (ii) whether the media key has been encrypted using a device key in correspondence with the revoked node, to obtain a plurality of pieces of revocation information, and writes the obtained pieces of revocation information to the recording medium in the order relating to the structure of the n-ary tree,the user apparatus comprising:
- a specification unit operable to specify one encrypted media key using the plurality of pieces of revocation information, from amongst the plurality of encrypted media keys that has been encrypted based on one of the device keys assigned to the user apparatus;
  
  a decryption unit operable to generate the media key by decrypting the specified encrypted media key based on the device key assigned to the user apparatus; and
  
  an encryption/decryption unit operable to perform at least one of (d) encrypting content based on the generated media key and writing the encrypted content to the recording medium, and (e) decrypting, based on the obtained media key, encrypted content read from the recording medium to generate content,wherein the specification unit is operable to (1) check, in accordance with the order relating to the structure of the n-ary tree and starting from the root node of the n-ary tree, each of the plurality of pieces of revocation information recorded on the recording medium, and (2) count how many of the checked pieces of revocation information show existence of a media key encrypted using a device key, andwherein, when a node corresponding to a piece of revocation information that is a current checking target of the specification unit exists on a path from the leaf node allocated to the user apparatus to the root node, the specification unit is operable to specify, as the encrypted media key encrypted by a device key allocated to the user apparatus, an encrypted media key that exists in a position determined according to how many pieces of revocation information have been counted since the checking by the specification unit started.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The user apparatus of claim 1, whereinthe n-ary tree is composed of a plurality of layers,the order in which the plurality of encrypted media keys are written to the recording medium is an order of the layers from a root-side layer corresponding to the root node to a leaf-side layer corresponding to the leaf nodes, the root being a starting point of the order,the pieces of revocation information are written to the recording medium in the order, and the specification unit specifies the encrypted media key from amongst the plurality of encrypted media keys written in the order, with use of the plurality of pieces of revocation information written in the order.
  - 3. The user apparatus of claim 1, whereinthe n-ary tree is composed of a plurality of layers,the order in which the plurality of encrypted media keys are written to the recording medium is an order in which the nodes are positioned on the paths from the root node to the leaf nodes, the root node being a starting point of the order, and each node being included only once in the order,the pieces of revocation information are written to the recording medium in the order, and the specification unit specifies the encrypted media key from amongst the plurality of encrypted media keys written in the order, with use of the plurality of pieces of revocation information written in the order.
  - 4. The user apparatus of claim 1, whereina piece of revocation information is generated and written to the recording medium for each revoked node excluding the leaf nodes, andthe specification unit specifies the encrypted media key with use of the pieces of revocation information.
  - 5. The user apparatus of claim 1, whereina piece of special revocation information is generated for each revoked node, excluding the leaf nodes, whose subordinate nodes are all revoked, showing that the subordinate nodes are all revoked,generation of revocation information for the revoked subordinate nodes is suppressed,a piece of revocation information is generated for each revoked node, excluding the leaf nodes, whose n subordinate nodes are not all revoked, showing whether each of n subordinate nodes of the revoked node is respectively revoked or not, andthe specification unit specifies the encrypted media key with use of the pieces of special revocation information and the pieces of revocation information.
  - 6. The user apparatus of claim 5, whereinthe special revocation information is composed of first attached information showing that all the subordinate nodes are revoked and n-digit information showing that each of n directly subordinate nodes is respectively revoked,generation of revocation information is suppressed for all the revoked subordinate nodes,each piece of revocation information for revoked nodes whose n directly subordinate nodes are not all revoked is composed of second attached information that shows that not all the subordinate nodes are revoked, and n-digit information showing whether each of n directly subordinate nodes is respectively revoked or not, andthe specification unit specifies the encrypted media key with use of the pieces of special revocation information and the pieces of revocation information.
  - 7. The user apparatus of claim 5, whereinthe special revocation information is composed of an n-digit special value showing that each of n directly subordinate nodes is respectively revoked,generation of revocation information is suppressed for all the revoked subordinate nodes,each piece of revocation information for nodes whose n directly subordinate nodes are not all revoked is composed of n-digits showing whether each of n directly subordinate nodes is respectively revoked or not, andthe specification unit specifies the encrypted media key with use of the pieces of special revocation information and the pieces of revocation information.

8. A user apparatus that is assigned one or more device keys by a key management apparatus that has at least one device key in association with an n-ary tree (n being a integer equal to or greater than 2), and encrypts or decrypts with use of the assigned device key,wherein the key management apparatus:
- (a) stores the at least one device key in one-to-one correspondence with at least one node in the n-ary tree, one or more of the nodes on at least a path from a root node to a leaf node having been revoked,(b) encrypts a media key respectively using a plurality of common device keys to generate a plurality of encrypted media keys, each common device key being one of the at least one device key that is in correspondence with a valid node and that is commonly assigned to at least one user apparatus, and writes the generated plurality of encrypted media keys to a recording medium in an order relating to the structure of the n-ary tree,(c) for each node excluding the leaf nodes,(c1) when at least one of n directly subordinate nodes of the revoked node is revoked, generate first revocation information showing (i) whether each of the n subordinate nodes is respectively revoked or not, and (ii) whether the media key has been encrypted using a device key in correspondence with the revoked node,(c2) when none of the n directly subordinate nodes is revoked, generate second revocation information showing that none of the n subordinate nodes is revoked,to obtain one of (i) at least one piece of first revocation information, (ii) at least one piece of second revocation information, and (iii) at least one piece of first revocation information and at least one piece of second revocation information, and(d) write the obtained one of (i) at least one piece of first revocation information, (ii) at least one piece of second revocation information, and (iii) at least one piece of first revocation information and at least one piece of second revocation information to the recording medium in the order relating to the structure of the n-ary tree,the user apparatus comprising;
  
  a specification unit operable to use the one of (i) at least one piece of first revocation information, (ii) at least one piece of second revocation information, and (iii) at least one piece of first revocation information and at least one piece of second revocation information to specify one encrypted media key, from amongst the plurality of encrypted media keys, encrypted based on one of the device keys assigned to the user apparatus;
  
  a decryption unit operable to generate the media key by decrypting the specified encrypted media key based on the device key assigned to the user apparatus; and
  
  an encryption/decryption unit operable to perform at least one of (e) encrypting content based on the generated media key, and writing the encrypted content to the recording medium, and (f) decrypting, based on the obtained media key, encrypted content read from the recording medium to generate content,wherein the specification unit is operable to (1) check, in accordance with the order relating to the structure of the n-ary tree and starting from the root node of the n-ary tree, each of the at least one piece of first revocation information recorded on the recording medium, and (2) count how many of the checked pieces of first revocation information show existence of a media key encrypted using a device key, andwherein, when a node corresponding to a piece of first revocation information that is a current checking target of the specification unit exists on a path from the leaf node allocated to the user apparatus to the root node, the specification unit is operable to specify, as the encrypted media key encrypted by a device key allocated to the user apparatus, an encrypted media key that exists in a position determined according to how many pieces of first revocation information have been counted since the checking by the specification unit started.

9. A usage method that is used in a user apparatus that is assigned one or more device keys by a key management apparatus that has at least one device key in association with an n-ary tree (n being a integer equal to or greater than 2), and encrypts or decrypts based on one of the assigned device keys,wherein the key management apparatus (a) stores the at least one device key in one-to-one correspondence with at least one node in the n-ary tree, a plurality of the nodes on at least one path from a root node to a leaf node having been revoked, (b) encrypts a media key respectively using a plurality of common device keys to generate a plurality of encrypted media keys, each common device key being one of the at least one device key that is in correspondence with a valid node and that is commonly assigned to at least one user apparatus, and writes the generated plurality of encrypted media keys to a recording medium in an order relating to the structure of the n-ary tree, and (c) generates a piece of revocation information for each revoked node excluding the leaf nodes showing (i) whether each of n directly subordinate nodes of the revoked node is respectively revoked or not and (ii) whether the media key has been encrypted using a device key in correspondence with the revoked node, to obtain a plurality of pieces of revocation information, and writes the obtained pieces of revocation information to the recording medium in the order relating to the structure of the n-ary tree,the user method comprising:
- a specification step of specifying one encrypted media key using the plurality of pieces of revocation information, from amongst the plurality of encrypted media keys that has been encrypted based on one of the device keys assigned to the user apparatus;
  
  a decryption step of generating the media key by decrypting the specified encrypted media key based on the device key assigned to the user apparatus; and
  
  an encryption/decryption step of performing at least one of (d) encrypting content based on the generated media key and writing the encrypted content to the recording medium, and (e) decrypting, based on the obtained media key, encrypted content read from the recording medium to generate contents,wherein the specification step comprises;
  
  checking, in accordance with the order relating to the structure of the n-ary tree and starting from the root node of the n-ary tree, each of the plurality of pieces of revocation information recorded on the recording medium;
  
  counting how many of the checked pieces of revocation information show existence of a media key encrypted using a device key; and
  
  specifying, when a node corresponding to a piece of revocation information that is a current checking target exists on a path from the leaf node allocated to the user apparatus to the root node, as the encrypted media key encrypted by a device key allocated to the user apparatus, an encrypted media key that exists in a position determined according to how many pieces of revocation information have been counted since the checking by the specification unit started.

10. A computer-readable recording medium having stored thereon a user program that is used in a user apparatus that is assigned at least one device key by a key management apparatus that has at least one device key in association with an n-ary tree (n being a integer equal to or greater than 2), and encrypts or decrypts based on one of the assigned device keys,wherein the key management apparatus (a) stores the at least one device key in one-to-one correspondence with at least one node in the n-ary tree, a plurality of the nodes on at least one path from a root node to a leaf node having been revoked, (b) encrypts a media key respectively using a plurality of common device keys to generate a plurality of encrypted media keys, each common device key being one of the at least one device key that is in correspondence with a valid node and that is commonly assigned to at least one user apparatus, and writes the generated plurality of encrypted media keys to a recording medium in an order relating to the structure of the n-ary tree, and (c) generates a piece of revocation information for each revoked node excluding the leaf nodes showing (i) whether each of n directly subordinate nodes of the revoked node is respectively revoked or not and (ii) whether the media key has been encrypted using a device key in correspondence with the revoked node, to obtain a plurality of pieces of revocation information, and writes the obtained pieces of revocation information to the recording medium in the order relating to the structure of the n-ary tree,the user program causing the user apparatus to execute a method comprising:
- a specification step of specifying one encrypted media key using the plurality of pieces of revocation information, from amongst the plurality of encrypted media keys that has been encrypted based on one of the device keys assigned to the user apparatus;
  
  a decryption step of generating the media key by decrypting the specified encrypted media key based on the device key assigned to the user apparatus; and
  
  an encryption/decryption step of performing at least one of (d) encrypting content based on the generated media key and writing the encrypted content to the recording medium, and (e) decrypting, based on the obtained media key, encrypted content read from the recording medium to generate content,wherein the specification step comprises;
  
  checking, in accordance with the order relating to the structure of the n-ary tree and starting from the root node of the n-ary tree, each of the plurality of pieces of revocation information recorded on the recording medium;
  
  counting how many of the checked pieces of revocation information show existence of a media key encrypted using a device key; and
  
  specifying, when a node corresponding to a piece of revocation information that is a current checking target exists on a path from the leaf node allocated to the user apparatus to the root node, as the encrypted media key encrypted by a device key allocated to the user apparatus, an encrypted media key that exists in a position determined according to how many pieces of revocation information have been counted since the checking by the specification unit started.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sovereign Peak Ventures, LLC (Dominion Harbor Enterprises, LLC)
Original Assignee
Matsushita Electric Industrial Company Limited (Panasonic Holdings Corporation)
Inventors
Nakano, Toshihisa, Tatebayashi, Makoto, Matsuzaki, Natsume
Primary Examiner(s)
TRUONG, THANHNGA B

Application Number

US10/278,082
Publication Number

US 20030081792A1
Time in Patent Office

1,791 Days
Field of Search

380277-279, 380 28- 30, 380/286, 380/281, 713/158, 713/171, 713/168
US Class Current

380/277
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G11B 20/00086   Circuits for prevention of ...

G11B 20/00094   involving measures which re...

G11B 20/00137   involving measures which re...

G11B 20/00188   involving measures which re...

G11B 20/0021   involving encryption or dec...

G11B 20/00246   wherein the key is obtained...

G11B 20/00253   wherein the key is stored o...

G11B 20/00333   the key being stored in hea...

H04L 2209/605   Copy protection

H04L 9/0822   using key encryption key

H04L 9/0836   using tree structure or hie...

H04L 9/0891   Revocation or update of sec...

Digital work protection system, key management apparatus, and user apparatus

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Digital work protection system, key management apparatus, and user apparatus

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links