Title:
Key Information Generating Method and Device, Key Information Updating Method, Tempering Detecting Method and Device, and Data Structure of Key Information
Document Type and Number:
Kind Code:
A1

Abstract:
A domain key is used to perform chaining decryption with respect to encrypted content key information (ST203-1), and first data is extracted (ST203-2). The extracted first data is compared with partial-check data (ST203-4). The first data as it is encrypted is extracted from the m pieces of encrypted content key information (ST203-6), and a predetermined operation is executed with respect to concatenated data including m extracted check values to generate second data (ST203-8). The second data is compared with whole-check data included in domain key information (ST203-11). If the first data matches the partial-check data (ST203-5) and the second data matches the whole-check data (ST203-12), it is determined that there is no tampering.

Inventors:
Satou, Tomoya (Nara, JP)
Fujiwara, Makoto (Kyoto, JP)
Shiomi, Kentaro (Kyoto, JP)
Nemoto, Yusuke (Hyogo, JP)
Torisaki, Yuishi (Hyogo, JP)
Shimizu, Kazuya (Osaka, JP)
Inoue, Shinji (Osaka, JP)
Fujimura, Kazuya (Nara, JP)
Ochi, Makoto (Osaka, JP)
Application Number:
11/793702
Publication Date:
09/04/2008
Filing Date:
12/20/2005
Assignee:
MATSUSHITA ELECTRIC INDUSTRIAL CO., LTD. (KADOMA-SHI, OSAKA, JP)
Primary Class:
International Classes:
H04L9/06
Attorney, Agent or Firm:
MCDERMOTT WILL & EMERY LLP (600 13TH STREET, NW, WASHINGTON, DC, 20005-3096, US)
Claims:
1. A key information generating method performed by a host apparatus comprising a data generating section for generating key information including domain key information and m (m is a natural number) pieces of content key information, the presence or absence of tampering being detected in the key information, and a data writing section for writing the key information generated by the data generating section into a target apparatus, wherein the target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, the domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and the method comprises the steps: (A) the data generating section adds first data corresponding to partial-check data used for a tampering detecting process to each of the m pieces of content key information, and subjects each of the m pieces of content key information to cipher block chaining using the domain key; (B) the data generating section extracts the first data as it is encrypted from each of the m pieces of content key information encrypted in the step (A); (C) the data generating section executes a predetermined operation with respect to concatenated data including the m pieces of first data extracted in the step (B) to generate second data; (D) the data generating section adds the second data generated in the step (C) as whole-check data to the domain key information; and (E) the data writing section writes the m pieces of encrypted content key information into the first memory area and the domain key information into the second memory area.

2. The key information generating method of claim 1, wherein the predetermined operation is a hash operation.

3. The key information generating method of claim 2, wherein an algorithm of the cipher block chaining and an algorithm of the hash operation partially overlap each other.

4. A key information generating method performed by a host apparatus comprising a data generating section for generating key information including domain key information and m (m is a natural number) pieces of content key information, the presence or absence of tampering being detected in the key information, and a data writing section for writing the key information generated by the data generating section into a target apparatus, wherein the target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, the domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and the method comprises the steps: (A) the data generating section adds first data corresponding to partial-check data used for a tampering detecting process to each of the m pieces of content key information, and subjects each of the m pieces of content key information to cipher block chaining using the domain key; (B) the data generating section extracts the first data as it is encrypted from each of the m pieces of content key information encrypted in the step (A); (C) the data generating section executes cipher block chaining with respect to concatenated data including second data and the m pieces of first data extracted in the step (B) and extracts the second data as it is encrypted from the encrypted concatenated data; (D) the data generating section adds the second data extracted in the step (C) as whole-check data to the domain key information; and (E) the data writing section writes the m pieces of encrypted first data included in the concatenated data encrypted in the step (C) into the first memory area, the m pieces of encrypted content key information into the first memory area, and the domain key information into the second memory area.

5. The key information generating method of claim 1, wherein, in each of the m pieces of content key information, the first data is provided at a previously designated position in the content key information.

6. The key information generating method of claim 1, wherein, in each of the m pieces of content key information, the first data is provided as data having a predetermined length at a least significant position in the content key information.

7. The key information generating method of claim 1, further comprising the step of: (F) putting additional information in which the partial-check data is stored at a predetermined position in correspondence with the m pieces of content key information, wherein, in the step (E), further, the data writing section writes the m pieces of additional information into the first memory area.

8. A key information generating method performed by a host apparatus comprising a data generating section for generating key information including domain key information and m (m is a natural number) pieces of content key information, the presence or absence of tampering being detected in the key information, and a data writing section for writing the key information generated by the data generating section into a target apparatus, wherein the target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, the domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and the method comprises the steps: (A) the data generating section encrypts each of the m pieces of content key information using the domain key; (B) the data generating section executes a first operation with respect to each of the m pieces of content key information encrypted in the step (A) to generate m pieces of first data; (C) the data generating section executes a second operation with respect to concatenated data including the m pieces of first data generated in the step (B) to generate second data; (D) the data generating section adds the second data generated in the step (C) as whole-check data to the domain key information; and (E) the data writing section writes the m pieces of first data as m pieces of partial-check data into the first memory area, the m pieces of encrypted content key information into the first memory area, and the domain key information into the second memory area.

9. The key information generating method of claim 8, wherein the first and second operations are each a hash operation.

10. The key information generating method of claim 1, wherein the key information further includes an authentication key used for encryption and decryption of the domain key information, the target apparatus further includes a third memory area having a higher security level than that of the second area and for storing the authentication key, and the method further comprises the step: (F) the data generating section encrypts the domain key information using the authentication key, in the step (E), the data writing section writes the domain key information encrypted in the step (F) into the second memory area.

11. The key information generating method of claim 10, wherein the first memory area can be arbitrarily accessed by the host apparatus, the second memory area can be accessed by the host apparatus if authentication is successful between the host apparatus and the target apparatus, and the third memory area is used to execute mutual authentication between the host apparatus and the target apparatus.

12. The key information generating method of claim 11, wherein the third memory area is caused not to be rewritable after the authentication key is written thereinto.

13. The key information generating method of claim 1, wherein the target apparatus is a portable memory device which is operated in accordance with a clock and an operation instruction from the host apparatus.

14. A key information generating apparatus for generating key information including domain key information and m (m is a natural number) pieces of content key information, the presence or absence of tampering being detected in the key information, and writing the key information into a target apparatus, wherein the target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, the domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and the generating apparatus comprises: an encryption section for adding first data corresponding to partial-check data used for a tampering detecting process to each of the m pieces of content key information, and subjecting each of the m pieces of content key information to cipher block chaining using the domain key; a data extracting section for extracting the first data as it is encrypted from each of the m pieces of content key information encrypted by the encryption section; a data generating section for executing a predetermined operation with respect to concatenated data including the m pieces of first data extracted by the data extracting section to generate second data; a data adding section for adding the second data generated by the data generating section as whole-check data to the domain key information; and a data writing section for writing the m pieces of encrypted content key information into the first memory area and the domain key information into the second memory area.

15. A key information generating apparatus for generating key information including domain key information and m (m is a natural number) pieces of content key information, the presence or absence of tampering being detected in the key information, and writing the key information into a target apparatus, wherein the target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, the domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and the generating apparatus comprises: an encryption section for adding first data corresponding to partial-check data used for a tampering detecting process to each of the m pieces of content key information, and subjecting each of the m pieces of content key information to cipher block chaining using the domain key; a data extracting section for extracting the first data as it is encrypted from each of the m pieces of content key information encrypted by the encryption section; a data processing section for executing cipher block chaining with respect to concatenated data including second data and the m pieces of first data extracted by the data extracting section and extracts the second data as it is encrypted from the encrypted concatenated data; a data adding section for adding the second data extracted by the data processing section as whole-check data to the domain key information; and a data writing section for writing the m pieces of encrypted first data included in the concatenated data encrypted by the data processing section into the first memory area, the m pieces of encrypted content key information into the first memory area, and the domain key information into the second memory area.

16. A key information generating apparatus for generating key information including domain key information and m (m is a natural number) pieces of content key information, the presence or absence of tampering being detected in the key information, and writing the key information into a target apparatus, wherein the target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, the domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and the generating apparatus comprises: an encryption section for encrypting each of the m pieces of content key information using the domain key; a first operation section for executing a first operation with respect to each of the m pieces of content key information encrypted by the encryption section to generate m pieces of first data; a second operation section for executing a second operation with respect to concatenated data including the m pieces of first data generated by the first operation section to generate second data; a data adding section for adding the second data generated by the second operation section as whole-check data to the domain key information; and a data writing section for writing the m pieces of first data as m pieces of partial-check data into the first memory area, the m pieces of encrypted content key information into the first memory area, and the domain key information into the second memory area.

17. A key information updating method performed by a host apparatus comprising a data updating section for adding new content key information to key information and updating the key information, the presence or absence of tampering being detected in the key information, and a data writing section for writing the key information updated by the data updating section into a target apparatus, wherein the target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area, the key information includes domain key information and m (m is a natural number) pieces of content key information, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process, the domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data, each of the m pieces of content key information is encrypted, and the updating method comprises the steps: (A) the data updating section adds the first data to the new content key information and executes cipher block chaining with respect to the content key information using the domain key; (B) the data updating section extracts the first data as it is encrypted from the content key information encrypted in the step (A); (C) the data updating section executes a predetermined operation with respect to concatenated data including the first data extracted in the step (B) and the first data included in each of the m pieces of encrypted content key information, to generate second data; (D) the data updating section rewrites the whole-check data included in the domain key information with the second data generated in the step (C); and (E) the data writing section writes the m pieces of encrypted content key information and the encrypted new content key information into the first memory area and the domain key information into the second memory area.

18. A key information updating method performed by a host apparatus comprising a data updating section for adding new content key information to key information and updating the key information, the presence or absence of tampering being detected in the key information, and a data writing section for writing the key information updated by the data updating section into a target apparatus, wherein the target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area, the key information includes domain key information, m (m is a natural number) pieces of content key information, m pieces of encrypted first data, and second data, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process, the domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data, each of the m pieces of content key information is encrypted, and the updating method comprises the steps: (A) the data updating section adds the first data to the new content key information and executes cipher block chaining with respect to the content key information using the domain key; (B) the data updating section extracts the first data as it is encrypted from the content key information encrypted in the step (A); (C) the data updating section executes cipher block chaining using the domain key with respect to concatenated data including the second data, the m pieces of encrypted first data, and the first data extracted in the step (B), and extracts the second data as it is encrypted from the encrypted concatenated data; (D) the data updating section rewrites the whole-check data included in the domain key information with the second data generated in the step (C); and (E) the data writing section writes the (m+1) pieces of first data included in the concatenated data encrypted in the step (C) into the first memory area, the m pieces of encrypted content key information and the encrypted new content key information into the first memory area, and the domain key information into the second memory area.

19. A key information updating method performed by a host apparatus comprising a data updating section for adding new content key information to key information and updating the key information, the presence or absence of tampering being detected in the key information, and a data writing section for writing the key information updated by the data updating section into a target apparatus, wherein the target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area, the key information includes domain key information, m (m is a natural number) pieces of content key information, and m pieces of partial-check data, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, the domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data, each of the m pieces of content key information is encrypted, and the updating method comprises the steps: (A) the data updating section encrypts the new content key information; (B) the data updating section executes a first operation with respect to the new content key information encrypted in the step (A) to generate first data; (C) the data updating section executes a second operation with respect to concatenated data including the m pieces of partial-check data and the first data generated in the step (B), to generate second data; (D) the data updating section rewrites the whole-check data included in the domain key information with the second data generated in the step (C); and (E) the data writing section writes the m pieces of partial-check data and the first data as (m+1) pieces of partial-check data into the first memory area, the m pieces of encrypted content key information and the encrypted new content key information into the first memory area, and the domain key information into the second memory area.

20. A key information updating method performed by a host apparatus comprising a data updating section for deleting any one piece of content key information from key information and updating the key information, the presence or absence of tampering being detected in the key information, and a data writing section for writing the key information updated by the data updating section into a target apparatus, wherein the target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area, the key information includes domain key information and m (m is a natural number) pieces of content key information, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process, the domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data, each of the m pieces of content key information is encrypted, and the updating method comprises the steps: (A) the data updating section deletes any one of the m pieces of encrypted content key information; (B) the data updating section extracts first data as it is encrypted from each of the (m−1) pieces of encrypted content key information which are not deleted in the step (A); (C) the data updating section executes a predetermined operation with respect to concatenated data including the (m−1) pieces of first data extracted in the step (B) to generate second data; (D) the data updating section rewrites the whole-check data included in the domain key information with the second data generated in the step (C); and (E) the data writing section writes the (m−1) pieces of encrypted content key information into the first memory area and the domain key information into the second memory area.

21. A key information updating method performed by a host apparatus comprising a data updating section for deleting any one piece of content key information from key information and updating the key information, the presence or absence of tampering being detected in the key information, and a data writing section for writing the key information updated by the data updating section into a target apparatus, wherein the target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area, the key information includes domain key information, m (m is a natural number) pieces of content key information, m pieces of encrypted first data, and second data, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process, the domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data, the m pieces of encrypted first data are in one-to-one correspondence with the m pieces of content key information, each of the m pieces of content key information is encrypted, and the updating method comprises the steps: (A) the data updating section deletes any one of the m pieces of content key information; (B) the data updating section extracts first data as it is encrypted from each of the (m−1) pieces of encrypted content key information which are not deleted in the step (A); (C) the data updating section deletes first data corresponding to content key information deleted in the step (A) of the m pieces of encrypted first data; (D) the data updating section executes cipher block chaining using the domain key with respect to concatenated data including the second data and the (m−1) encrypted first data which are not deleted in the step (C), and extracts the second data as it is encrypted from the encrypted concatenated data; (E) the data updating section rewrites the whole-check data included in the domain key information with the second data extracted in the step (D); and (F) the data writing section writes the (m−1) pieces of first data included in the concatenated data encrypted in the step (D) into the first memory area, the (m−1) pieces of encrypted content key information into the first memory area, and the domain key information into the second memory area.

22. A key information updating method performed by a host apparatus comprising a data updating section for deleting any one piece of content key information from key information and updating the key information, the presence or absence of tampering being detected in the key information, and a data writing section for writing the key information updated by the data updating section into a target apparatus, wherein the target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area, the key information includes domain key information, m (m is a natural number) pieces of content key information, and m pieces of partial-check data, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, the domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data, the m pieces of partial-check data are in one-to-one correspondence with the m pieces of content key information, each of the m pieces of content key information is encrypted, the updating method comprises the steps: (A) the data updating section deletes any one of the m pieces of encrypted content key information; (B) the data updating section deletes partial-check data corresponding to the content key information deleted in the step (A) of the m pieces of partial-check data; (C) the data updating section executes a second operation with respect to concatenated data including the (m−1) partial-check data which are not deleted in the step (B) to generate second data; (D) the data updating section rewrites the whole-check data included in the domain key information with the second data generated in step (C); and (E) the data writing section writes the (m−1) partial-check data which are not deleted in the step (B) into the first memory area, the (m−1) pieces of encrypted content key information into the first memory area, and the domain key information into the second memory area.

23. A tampering detecting method performed by a host apparatus for detecting the presence or absence of tampering in key information stored in a target apparatus, wherein the key information includes domain key information and m (m is a natural number) pieces of content key information, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process, the domain key information includes a domain key used for encryption and decryption of the m content keys, and whole-check data, each of the m pieces of content key information is encrypted, and the detecting method comprises the steps: (A) executing chaining decryption using the domain key with respect to any one of the m pieces of encrypted content key information, and extracting the first data from the decrypted content key information; (B) comparing the first data extracted in the step (A) with previously prepared partial-check data; (C) extracting the first data as it is encrypted from each of the m pieces of content key information, and executing a predetermined operation with respect to concatenated data including the m pieces of extracted first data to generate second data; (D) comparing the second data generated in the step (C) with the whole-check data included in the domain key information; and (E) determining that the key information has not been tampered if the first data matches the partial-check data in the step (B) and the second data matches the whole-check data in the step (D).

24. The tampering detecting method of claim 23, wherein the whole-check data corresponds to data which is obtained by extracting m pieces of first data as they are encrypted from m pieces of encrypted content key information which have not been tampered, and executing a predetermined operation with respect to concatenated data including the m pieces of extracted first data.

25. The tampering detecting method of claim 23, wherein the target apparatus includes: a first memory area for storing the m pieces of encrypted content key information; and a second memory area having a higher security level than that of the first memory area and for storing the domain key information.

26. The tampering detecting method of claim 23, wherein the predetermined operation is a hash operation.

27. The tampering detecting method of claim 26, wherein an algorithm of the hash operation and an algorithm of the cipher block chaining partially overlap each other.

28. A tampering detecting method performed by a host apparatus for detecting the presence or absence of tampering in key information stored in a target apparatus, wherein the key information includes domain key information, m (m is a natural number) pieces of content key information, m pieces of encrypted first data, and second data, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process, the domain key information includes a domain key used for encryption and decryption of the m content keys, and whole-check data, each of the m pieces of content key information is encrypted, and the detecting method comprises the steps: (A) executing chaining decryption using the domain key with respect to any one of the m pieces of encrypted content key information, and extracting the first data from the decrypted content key information; (B) comparing the first data extracted in the step (A) with previously prepared partial-check data; (C) executing chaining decryption using the domain key with respect to concatenated data including the whole-check data included in the domain key information and the m pieces of encrypted first data, and extracting the whole-check data from the decrypted concatenated data; (D) comparing the second data with the whole-check data extracted in the step (C); and (E) determining that the key information has not been tampered if the first data matches the partial-check data in the step (B) and the second data matches the whole-check data in the step (D).

29. The tampering detecting method of claim 28, wherein the whole-check data corresponds to second data which is obtained by executing cipher block chaining using the domain key with respect to concatenated data including m pieces of encrypted first data which have not been tampered and the second data, and extracting the second data as it is encrypted from the encrypted concatenated data.

30. The tampering detecting method of claim 28, wherein the target apparatus includes: a first memory area for storing the m pieces of encrypted content key information, the m pieces of encrypted first data, and the second data; and a second memory area having a higher security level than that of the first memory area and for storing the domain key information.

31. The tampering detecting method of claim 23, wherein, in each of the m pieces of content key information, the first data is provided at a previously designated position in the content key information.

32. The tampering detecting method of claim 23, wherein, in each of the m pieces of content key information, the first data is provided as data having a predetermined length at a least significant position in the content key information.

33. The tampering detecting method of claim 23, wherein the key information further includes m pieces of additional information in one-to-one correspondence with m pieces of content key information, the partial-check data is stored at a predetermined position in each of the m pieces of additional information, and in the step (B), the first data extracted in the step (A) is compared with partial-check data stored in additional information corresponding to content key information from which the first data is extracted.

34. A tampering detecting method performed by a host apparatus for detecting the presence or absence of tampering in key information stored in a target apparatus, wherein the key information includes domain key information, m (m is a natural number) pieces of content key information, and m pieces of partial-check data, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, the domain key information includes a domain key used for encryption and decryption of the m content keys, and whole-check data, the m pieces of partial-check data are in one-to-one correspondence with the m pieces of content key information, each of the m pieces of content key information is encrypted, and the detecting method comprises the steps: (A) executing a first operation with respect to any one of the m pieces of encrypted content key information to generate first data; (B) comparing the first data generated in the step (A) with partial-check data corresponding to content key information subjected to the first operation in the step (A) of the m pieces of partial-check data; (C) executing a second operation with respect to concatenated data including the m pieces of partial-check data to generate second data; (D) comparing the second data generated in the step (C) with the whole-check data included in the domain key information; and (E) determining that the key information has not been tampered if the first data matches the partial-check data in the step (B) and the second data matches the whole-check data in the step (D).

35. The tampering detecting method of claim 34, wherein each of the m pieces of partial-check data corresponds to data which is obtained by executing the first operation with respect to content key information which corresponds to the partial-check data and has not been tampered, and the whole-check data corresponds to data which is obtained by executing the second operation with respect to concatenated data including m pieces of partial-check data which have not been tampered.

36. The tampering detecting method of claim 34, wherein the target apparatus includes: a first memory area for storing the m pieces of encrypted content key information and the m pieces of partial-check data; and a second memory area having a higher security level than that of the first memory area and for storing the domain key information.

37. The tampering detecting method of claim 34, wherein the first and second operations are each a hash operation.

38. The tampering detecting method of claim 25, wherein the key information further includes an authentication key used for encryption and decryption of the domain key information, the target apparatus further includes a third memory area having a higher security level than that of the second area and for storing the authentication key, and the domain key information is encrypted.

39. The tampering detecting method of claim 38, wherein the first memory area can be arbitrarily accessed by the host apparatus, the second memory area can be accessed by the host apparatus if authentication is successful between the host apparatus and the target apparatus, and the third memory area is used to execute mutual authentication between the host apparatus and the target apparatus.

40. The tampering detecting method of claim 39, wherein the third memory area is caused not to be rewritable after the authentication key is written thereinto.

41. The tampering detecting method of claim 23, wherein the target apparatus is a portable memory device which is operated in accordance with a clock and an operation instruction from the host apparatus.

42. A tampering detecting apparatus for detecting the presence or absence of tampering in key information stored in a target apparatus, wherein the key information includes domain key information and m (m is a natural number) pieces of content key information, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process, the domain key information includes a domain key used for encryption and decryption of the m content keys, and whole-check data, each of the m pieces of content key information is encrypted, and the detecting apparatus comprises: a data processing section for executing chaining decryption using the domain key with respect to any one of the m pieces of encrypted content key information, and extracting the first data from the decrypted content key information; a first comparison section for comparing the first data extracted by the data processing section with previously prepared partial-check data; a data generating section for extracting the first data as it is encrypted from each of the m pieces of content key information, and executing a predetermined operation with respect to concatenated data including the m pieces of extracted first data to generate second data; a second comparison section for comparing the second data generated by the data generating section with the whole-check data included in the domain key information; and a tampering determining section for determining that the key information has not been tampered if the first data matches the partial-check data in the first comparison section and the second data matches the whole-check data in the second comparison section.

43. A tampering detecting apparatus for detecting the presence or absence of tampering in key information stored in a target apparatus, wherein the key information includes domain key information, m (m is a natural number) pieces of content key information, m pieces of encrypted first data, and second data, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process, the domain key information includes a domain key used for encryption and decryption of the m content keys, and whole-check data, each of the m pieces of content key information is encrypted, and the detecting apparatus comprises: a first data processing section for executing chaining decryption using the domain key with respect to any one of the m pieces of encrypted content key information, and extracting the first data from the decrypted content key information; a first comparison section for comparing the first data extracted by the first data processing section with previously prepared partial-check data; a second data processing section for executing chaining decryption using the domain key with respect to concatenated data including the whole-check data included in the domain key information and the m pieces of encrypted first data, and extracting the whole-check data from the decrypted concatenated data; a second comparison section for comparing the second data with the whole-check data extracted by the second data processing section; and a tampering determining section for determining that the key information has not been tampered if the first data matches the partial-check data in the first comparison section and the second data matches the whole-check data in the second comparison section.

44. A tampering detecting apparatus for detecting the presence or absence of tampering in key information stored in a target apparatus, wherein the key information includes domain key information, m (m is a natural number) pieces of content key information, and m pieces of partial-check data, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, the domain key information includes a domain key used for encryption and decryption of the m content keys, and whole-check data, the m pieces of partial-check data are in one-to-one correspondence with the m pieces of content key information, each of the m pieces of content key information is encrypted, and the detecting apparatus comprises: a first operation section for executing a first operation with respect to any one of the m pieces of encrypted content key information to generate first data; a first comparison section for comparing the first data generated by the first operation section with partial-check data corresponding to content key information subjected to the first operation by the first operation section of the m pieces of partial-check data; a second operation section for executing a second operation with respect to concatenated data including the m pieces of partial-check data to generate second data; a second comparison section for comparing the second data generated by the second operation section with the whole-check data included in the domain key information; and a tampering determining section for determining that the key information has not been tampered if the first data matches the partial-check data in the first comparison section and the second data matches the whole-check data in the second comparison section.

45. A data structure of key information, wherein the key information is stored in a target apparatus including a first memory area and a second memory area having a higher security level than that of the first memory area, and the presence or absence of tampering is detected therein by a host apparatus, the key information comprises: m (m is a natural number) pieces of content key information stored in the first memory area; and domain key information stored in the second memory area, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process by the host apparatus, the domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data used for the tampering detecting process by the host apparatus, each of the m pieces of content key information is encrypted, and the whole-check data corresponds to data which is obtained by extracting the first data as it is encrypted from each of m pieces of encrypted content key information which have not been tampered, and executing a predetermined operation with respect to concatenated data including the m pieces of extracted first data.

46. The key information data structure of claim 45, wherein the predetermined operation is a hash operation.

47. A data structure of key information, wherein the key information is stored in a target apparatus including a first memory area and a second memory area having a higher security level than that of the first memory area, and the presence or absence of tampering is detected therein by a host apparatus, the key information comprises: m (m is a natural number) pieces of content key information, m pieces of encrypted first data, and second data stored in the first memory area; and domain key information stored in the second memory area, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process by the host apparatus, the domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data used for the tampering detecting process by the host apparatus, the m pieces of encrypted first data are in one-to-one correspondence with the m pieces of content key information, each of the m pieces of content key information is encrypted, and the whole-check data corresponds to second data which is obtained by executing cipher block chaining using the domain key with respect to concatenated data including m pieces of encrypted first data which have not been tampered and the second data, and extracting the second data as it is encrypted from the encrypted concatenated data.

48. The key information data structure of claim 45, wherein, in each of the m pieces of content key information, the first data is provided at a previously designated position in the content key information.

49. The key information data structure of claim 45, wherein, in each of the m pieces of content key information, the first data is provided as data having a predetermined length at a least significant position in the content key information.

50. The key information data structure of claim 45, wherein the key information further includes m pieces of additional information in one-to-one correspondence with m pieces of content key information, the partial-check data is stored at a predetermined position in each of the m pieces of additional information.

51. A data structure of key information, wherein the key information is stored in a target apparatus including a first memory area and a second memory area having a higher security level than that of the first memory area, and the presence or absence of tampering is detected therein by a host apparatus, the key information comprises: m (m is a natural number) pieces of content key information and m pieces of partial-check data stored in the first memory area; and domain key information stored in the second memory area, each of the m pieces of content key information includes a content key used for encryption and decryption of a content, the domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data used for a tampering detecting process by the host apparatus, the m pieces of partial-check data are in one-to-one correspondence with the m pieces of content key information, each of the m pieces of partial-check data corresponds to data which is obtained by executing a first operation with respect to content key information which corresponds to the partial-check data and has not been tampered, and the whole-check data corresponds to data which is obtained by executing a second operation with respect to concatenated data including m pieces of partial-check data which have not been tampered.

52. The key information data structure of claim 51, wherein the first and second operations are each a hash operation.

53. The key information generating method of claim 4, wherein, in each of the m pieces of content key information, the first data is provided at a previously designated position in the content key information.

54. The key information generating method of claim 4, wherein, in each of the m pieces of content key information, the first data is provided as data having a predetermined length at a least significant position in the content key information.

55. The key information generating method of claim 4 further comprising the step of: (F) putting additional information in which the partial-check data is stored at a predetermined position in correspondence with the m pieces of content key information, wherein, in the step (E), further, the data writing section writes the m pieces of additional information into the first memory area.

56. The key information generating method of claim 4, wherein the key information further includes an authentication key used for encryption and decryption of the domain key information, the target apparatus further includes a third memory area having a higher security level than that of the second area and for storing the authentication key, and the method further comprises the step: (F) the data generating section encrypts the domain key information using the authentication key, in the step (E), the data writing section writes the domain key information encrypted in the step (F) into the second memory area.

57. The key information generating method of claim 56, wherein the first memory area can be arbitrarily accessed by the host apparatus, the second memory area can be accessed by the host apparatus if authentication is successful between the host apparatus and the target apparatus, and the third memory area is used to execute mutual authentication between the host apparatus and the target apparatus.

58. The key information generating method of claim 57, wherein the third memory area is caused not to be rewritable after the authentication key is written thereinto.

59. The key information generating method of claim 4, wherein the target apparatus is a portable memory device which is operated in accordance with a clock and an operation instruction from the host apparatus.

60. The key information generating method of claim 8, wherein the key information further includes an authentication key used for encryption and decryption of the domain key information, the target apparatus further includes a third memory area having a higher security level than that of the second area and for storing the authentication key, and the method further comprises the step: (F) the data generating section encrypts the domain key information using the authentication key, in the step (E), the data writing section writes the domain key information encrypted in the step (F) into the second memory area.

61. The key information generating method of claim 60, wherein the first memory area can be arbitrarily accessed by the host apparatus, the second memory area can be accessed by the host apparatus if authentication is successful between the host apparatus and the target apparatus, and the third memory area is used to execute mutual authentication between the host apparatus and the target apparatus.

62. The key information generating method of claim 61, wherein the third memory area is caused not to be rewritable after the authentication key is written thereinto.

63. The key information generating method of claim 8, wherein the target apparatus is a portable memory device which is operated in accordance with a clock and an operation instruction from the host apparatus.

64. The tampering detecting method of claim 28, wherein, in each of the m pieces of content key information, the first data is provided at a previously designated position in the content key information.

65. The tampering detecting method of claim 28, wherein, in each of the m pieces of content key information, the first data is provided as data having a predetermined length at a least significant position in the content key information.

66. The tampering detecting method of claim 28, wherein the key information further includes m pieces of additional information in one-to-one correspondence with m pieces of content key information, the partial-check data is stored at a predetermined position in each of the m pieces of additional information, and in the step (B), the first data extracted in the step (A) is compared with partial-check data stored in additional information corresponding to content key information from which the first data is extracted.

67. The tampering detecting method of claim 30, wherein the key information further includes an authentication key used for encryption and decryption of the domain key information, the target apparatus further includes a third memory area having a higher security level than that of the second area and for storing the authentication key, and the domain key information is encrypted.

68. The tampering detecting method of claim 67, wherein the first memory area can be arbitrarily accessed by the host apparatus, the second memory area can be accessed by the host apparatus if authentication is successful between the host apparatus and the target apparatus, and the third memory area is used to execute mutual authentication between the host apparatus and the target apparatus.

69. The tampering detecting method of claim 68, wherein the third memory area is caused not to be rewritable after the authentication key is written thereinto.

70. The tampering detecting method of claim 28, wherein the target apparatus is a portable memory device which is operated in accordance with a clock and an operation instruction from the host apparatus.

71. The tampering detecting method of claim 36, wherein the key information further includes an authentication key used for encryption and decryption of the domain key information, the target apparatus further includes a third memory area having a higher security level than that of the second area and for storing the authentication key, and the domain key information is encrypted.

72. The tampering detecting method of claim 71, wherein the first memory area can be arbitrarily accessed by the host apparatus, the second memory area can be accessed by the host apparatus if authentication is successful between the host apparatus and the target apparatus, and the third memory area is used to execute mutual authentication between the host apparatus and the target apparatus.

73. The tampering detecting method of claim 72, wherein the third memory area is caused not to be rewritable after the authentication key is written thereinto.

74. The tampering detecting method of claim 34, wherein the target apparatus is a portable memory device which is operated in accordance with a clock and an operation instruction from the host apparatus.

75. The key information data structure of claim 47, wherein, in each of the m pieces of content key information, the first data is provided at a previously designated position in the content key information.

76. The key information data structure of claim 47, wherein, in each of the m pieces of content key information, the first data is provided as data having a predetermined length at a least significant position in the content key information.

77. The key information data structure of claim 47, wherein the key information further includes m pieces of additional information in one-to-one correspondence with m pieces of content key information, the partial-check data is stored at a predetermined position in each of the m pieces of additional information.

Description:

TECHNICAL FIELD

The present invention relates to a method and a device for detecting the presence or absence of tampering in confidential information stored in a target apparatus or the like, a method and a device for generating confidential information for which the presence or absence of tampering is detected, and a data structure of confidential information for which the presence or absence of tampering is detected.

BACKGROUND ART

It is necessary to protect contents relating to works, private information or the like (e.g., contents representatively including music data or video data) from unauthorized copying or external leakage. Such contents are stored in an encrypted state in a target apparatus. A host apparatus, when handling an encrypted content stored in the target apparatus, executes an authentication process between the host apparatus and the target apparatus. If the authentication is not successful, the host apparatus cannot obtain a content key for decrypting the encrypted content from the target apparatus. On the other hand, if the authentication is successful, the host apparatus can access and use the content stored in the target apparatus. With such a technique, encrypted contents are prevented from being decrypted by unauthorized host apparatuses. Note that, here, the target apparatus is, for example, a memory card (e.g., an SD card, etc.). The host apparatus is a semiconductor integrated circuit for reading data from the memory card, a set apparatus in which the semiconductor integrated circuit is mounted, or a content distributing apparatus for distributing a content to the target apparatus.

Next, a storage area in a conventional target apparatus and confidential information stored in the storage area will be described with reference to FIG. 32. Note that, hereinafter, the confidential information refers to information (e.g., key information, etc.) required to play a content.

The storage area in the target apparatus is divided into a system area 901, a protected area 902, and an ordinary area 903. The system area 901 is an area for storing information for performing authentication between the target apparatus and the host apparatus. The host apparatus can access the system area 901 only in a predetermined process in which access to the system area 901 is permitted. The protected area 902 is an area which a user (host apparatus) cannot arbitrarily access and can access only after authentication is successful. The ordinary area 903 is an area which a user can arbitrarily access. The system area 901 stores an authentication key. The protected area 902 stores an encrypted content key. The ordinary area 903 stores an encrypted content.

Also, in order to be able to store a number of contents in the target apparatus, the storage size of the ordinary area 903 for storing contents is set to be larger than the storage size of the protected area 902. Therefore, the amount of data which can be stored in the protected area 902 is smaller than the amount of data which can be stored in the ordinary area 903.

Next, a method by which the host apparatus decrypts and uses an encrypted content in the target apparatus, will be described. Initially, the host apparatus uses an authentication key stored in itself and an authentication key stored in the target apparatus to perform authentication. If the authentication is successful, the host apparatus uses these authentication keys to generate an authentication intermediate key. The authentication intermediate key is defined as a key for decrypting an encrypted content key. Therefore, the host apparatus obtains an encrypted content key from the target apparatus and decrypts the encrypted content key using the authentication intermediate key to generate a content key in plain text (in unencrypted form). Further, the host apparatus obtains an encrypted content from the target apparatus and decrypts the encrypted content using the content key in plain text to generate the content in plain text. Thereby, the content becomes usable. By executing the process as described above, only a host apparatus for which authentication is successful can use an encrypted content stored in the target apparatus.

In the above-described content decryption, if authentication is successful, an authentication intermediate key is generated. Therefore, if authentication is successful, an encrypted content can be decrypted. In other words, an encrypted content stored in the target apparatus can be used by any authentic host apparatus.

On the other hand, in recent years there has been an active trend toward using electronic distribution to transmit an encrypted content to a specific user so that the content is used only by that user. When such use of electronic distribution is assumed, the encrypted content transmitted to the specific user must be decryptable only by a specific host apparatus possessed by that user. The above-described method cannot satisfy this requirement.

Therefore, a method of setting a domain key that is valid only for a specific user has been newly contemplated. When the domain key is set, a content is encrypted using a content key, and the content key is encrypted using the domain key set only for the specific user, rather than an authentication intermediate key. Also, before being stored into the target apparatus, the domain key itself is encrypted using an authentication intermediate key or another key which is generated using information about the authentication intermediate key. Thereby, the confidentiality of the domain key itself is secured.

Confidential information which is stored in the storage area of the target apparatus when the domain key is set will be described with reference to FIG. 33. Even when the domain key is set, the same method of dividing the area in the target apparatus needs to be used so as to maintain compatibility with conventional target apparatuses. Also, when both the domain key and the content key are stored in the protected area 902, the domain key is stored in an area having the same security level as that of the content key, though the domain key is a key for decrypting the content key. Therefore, in order to maintain both compatibility and security, when the domain key is set, the domain key is stored in an encrypted state in the protected area 902. Also, the content key is stored in an encrypted state in the ordinary area 903.

The confidential information stored in the target apparatus will be described in more detail with reference to FIG. 34. In the protected area 902 of the target apparatus, n (n is an integer of 1 or more) encrypted domain keys Ku( 1 ) to Ku(n) are stored. The domain keys Ku( 1 ) to Ku(n) are given n pieces of domain key management information UR[u]( 1 ) to UR[u](n) in one-to-one correspondence.

In the ordinary area 903 of the target apparatus, a plurality of content keys are stored. Each content key corresponds to any one of the domain keys Ku( 1 ) to Ku(n). In other words, one domain key can be used to decrypt a plurality of encrypted content keys. For example, m (m is an integer of 1 or more) content keys Kt( 1 - 1 ) to Kt( 1 -m) correspond to the domain key Ku( 1 ). The content keys Kt( 1 - 1 ) to Kt( 1 -m) are given m pieces of content key management information UR[t]( 1 - 1 ) to UR[t]( 1 -m) and m pieces of additional information info( 1 - 1 ) to info( 1 -m) in one-to-one correspondence.

Note that, in FIG. 34, a set of the domain keys Ku( 1 ) to Ku(n) and the domain key management information UR[u]( 1 ) to UR[u](n) is indicated by a “domain key group UKURE”, and a set of the content keys Kt( 1 - 1 ) to Kt( 1 -m), the content key management information UR[t]( 1 - 1 ) to UR[t]( 1 -m), and the additional information info( 1 - 1 ) to info( 1 -m) is indicated by a “content key group TKURE( 1 )”.

A content key in plain text is required so as to decrypt an encrypted content. Also, a domain key is required so as to decrypt an encrypted content key. In order to quickly search for what content key is decrypted by what domain key, a key correspondence table Address List is also stored in the ordinary area. In the key correspondence table Address List, a correspondence relationship between domain keys and content keys is described. For example, the content keys Kt( 1 - 1 ) to Kt( 1 -m) which can be decrypted using the domain key Ku( 1 ) are put in correspondence with the domain key.

Thus, the encrypted content keys are stored in the ordinary area 903. Since the ordinary area 903 is an area which can be arbitrarily accessed by the user, it is important to guarantee the authenticity of the encrypted content keys stored in the ordinary area 903. In other words, it is important to check for tampering.

One method of checking for tampering in confidential information stored in the target apparatus employs a hash function for each piece of confidential information. Here, a procedure for detecting the presence or absence of tampering in confidential information by executing a hash operation with respect to all information relating to the confidential information will be described. Note that, here, “Enc” is used as a prefix indicating an encrypted state. For example, “EncUR[u](1)” indicates encrypted domain key management information UR[u](1).

Initially, the encrypted content keys EncKt(1-1) to EncKt(1-m) which can be decrypted using the domain key Ku(1), the encrypted content key management information EncUR[t](1-1) to EncUR[t](1-m) corresponding to the encrypted content keys EncKt(1-1) to EncKt(1-m), and the additional information info(1-1) to info(1-m) corresponding to the encrypted content keys EncKt(1-1) to EncKt(1-m) are all concatenated together and are subjected to a hash operation. A hash value Hash(Ku(1)) obtained by the hash operation is stored into the domain key management information UR[u](1).

Next, when tampering is checked in the encrypted content key EncKt(1-1), the host apparatus references the key correspondence table Address List to read out the content key group TKURE(1) from the ordinary area 903 of the target apparatus, and executes a hash operation. On the other hand, the host apparatus uses an authentication intermediate key obtained by authentication to decrypt the encrypted domain key management information EncUR[u](1) stored in the protected area 902 of the target apparatus. Next, the host apparatus extracts the hash value Hash(Ku(1)) from the domain key management information UR[u](1) obtained by the decryption. Next, the host apparatus compares the hash value obtained by the hash operation with the hash value extracted from the domain key management information UR[u](1). When both the values are equal to each other, the host apparatus determines that there is no tampering and decrypts the encrypted content key. On the other hand, when both the values are not equal to each other, the host apparatus determines that there is tampering and does not decrypt the encrypted contents.

Patent Document 1: Japanese Unexamined Patent Application Publication No. 2001-203686

DISCLOSURE OF THE INVENTION

Problems to be Solved by the Invention

However, the processing amount is considerably large in the tampering detecting method as shown in FIG. 34. Specifically, in order to check tampering in one content key (the content key Kt(1-1)), the host apparatus needs to read out, from the target apparatus, all content keys which can be decrypted using the same domain key and all information (the content key group TKURE(1)) associated with the content keys, and subject the information thus read out to a hash operation. In particular, as the number of contents stored in the target apparatus is increased, the number of content keys is also increased. As a result, the number of content keys corresponding to one domain key is increased, so that the processing time further increases.

Also, it is contemplated that a content and a content key are distributed as a set of data via a network or the like. In such a case, a content key corresponding to one domain key is added/deleted. However, according to conventional methods, when a content key is added/deleted, all content keys corresponding to one domain key (the domain key Ku(1)) and all information (the content key group TKURE(1)) associated with the content keys need to be subjected to a hash operation again, and the calculated hash value needs to be buried in domain key management information (domain key management information UR[u](1)) associated with the domain key. Thus, a huge process needs to be executed every time a content key is added/deleted.

Here, it is also contemplated that, instead of executing a hash operation with respect to all content keys which can be decrypted using the domain key and all information (the content key group TKURE(1)) associated with the content keys, a hash operation is executed in advance with respect to each of a plurality of content keys related to one domain key to calculate hash values, and the calculated hash values are buried in domain key management information.

However, as the number of content keys is increased, the number of calculated hash values also increases. Therefore, it is difficult to store all the hash values in the protected area 902 having a small storage size. In this case, the storage size of the protected area 902 needs to be increased, so that the storage size of the ordinary area 903 is reduced, which is not preferable.

Therefore, an object of the present invention is to reduce the amount of data to be stored in a predetermined area and reduce a processing amount during detection of tampering. More specifically, an object of the present invention is to provide a data structure of key information with which the amount of data to be stored in a predetermined area is small and the processing amount during detection of tampering is small, a method and a device for generating the key information, a method and a device for detecting tampering in the key information, and a method for updating the key information.

Solution to the Problems

According to one aspect of the present invention, in a key information generating method, key information is generated by a host apparatus. The key information includes domain key information and m (m is a natural number) pieces of content key information. The presence or absence of tampering is detected in the key information. The host apparatus comprises a data generating section and a data writing section. The data generating section generates the key information. The data writing section writes the key information generated by the data generating section into a target apparatus. The target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area. Each of the m pieces of content key information includes a content key used for encryption and decryption of a content. The domain key information includes a domain key used for encryption and decryption of the m pieces of content key information. The method comprises the steps (A) to (E). In the step (A), the data generating section adds first data to each of the m pieces of content key information, and subjects each of the m pieces of content key information to cipher block chaining using the domain key. The first data corresponds to partial-check data used for a tampering detecting process. In the step (B), the data generating section extracts the first data as it is encrypted from each of the m pieces of content key information encrypted in the step (A). In the step (C), the data generating section executes a predetermined operation with respect to concatenated data including the m pieces of first data extracted in the step (B) to generate second data. In the step (D), the data generating section adds the second data generated in the step (C) as whole-check data to the domain key information. 
In the step (E), the data writing section writes the m pieces of encrypted content key information into the first memory area and the domain key information into the second memory area.

In the key information generating method, data used for the tampering detecting process is generated in a plurality of separate stages. Also, not all the data used for the tampering detecting process is stored in a predetermined area (the second memory area having a higher security level), and check data for the final stage is stored in the predetermined area. Thereby, the amount of data to be stored in the predetermined area can be reduced. Also, if first data obtained by executing a predetermined process with respect to one piece of content key information is compared with previously prepared partial-check data, the presence or absence of tampering can be detected in the content key information. Also, if second data generated based on m pieces of first data is compared with whole-check data, the presence or absence of tampering can be detected in the whole key information. Therefore, not the whole key information needs to be subjected to the process, thereby making it possible to reduce a processing amount during the tampering detecting process.

Also, in a key information generating method, key information is generated by a host apparatus. The key information includes domain key information and m pieces of content key information. The presence or absence of tampering is detected in the key information. The host apparatus comprises a data generating section and a data writing section. The data generating section generates the key information. The data writing section writes the key information generated by the data generating section into a target apparatus. The target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area. Each of the m pieces of content key information includes a content key used for encryption and decryption of a content. The domain key information includes a domain key used for encryption and decryption of the m pieces of content key information. The method comprises the steps (A) to (E). In step (A), the data generating section adds first data to each of the m pieces of content key information, and subjects each of the m pieces of content key information to cipher block chaining using the domain key. The first data corresponds to partial-check data used for a tampering detecting process. In the step (B), the data generating section extracts the first data as it is encrypted from each of the m pieces of content key information encrypted in the step (A). In the step (C), the data generating section executes cipher block chaining with respect to concatenated data including second data and the m pieces of first data extracted in the step (B) and extracts the second data as it is encrypted from the encrypted concatenated data. In the step (D), the data generating section adds the second data extracted in the step (C) as whole-check data to the domain key information. 
In the step (E), the data writing section writes the m pieces of encrypted first data included in the concatenated data encrypted in the step (C) into the first memory area. Also, in the step (E), the data writing section writes the m pieces of encrypted content key information into the first memory area and the domain key information into the second memory area.

Also, in a key information generating method, key information is generated by a host apparatus. The key information includes domain key information and m pieces of content key information. The presence or absence of tampering is detected in the key information. The host apparatus comprises a data generating section and a data writing section. The data generating section generates the key information. The data writing section writes the key information generated by the data generating section into a target apparatus. The target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area. Each of the m pieces of content key information includes a content key used for encryption and decryption of a content. The domain key information includes a domain key used for encryption and decryption of the m pieces of content key information. The method comprises the steps (A) to (E). In the step (A), the data generating section encrypts each of the m pieces of content key information using the domain key. In the step (B), the data generating section executes a first operation with respect to each of the m pieces of content key information encrypted in the step (A) to generate m pieces of first data. In the step (C), the data generating section executes a second operation with respect to concatenated data including the m pieces of first data generated in the step (B) to generate second data. In the step (D), the data generating section adds the second data generated in the step (C) as whole-check data to the domain key information. In the step (E), the data writing section writes the m pieces of first data as m pieces of partial-check data into the first memory area. Also, in the step (E), the data writing section writes the m pieces of encrypted content key information into the first memory area and the domain key information into the second memory area.

According to another aspect of the present invention, in a key information updating method, key information is updated by a host apparatus. The presence or absence of tampering is detected in the key information. The host apparatus comprises a data updating section and a data writing section. The data updating section adds new content key information to the key information and updates the key information. The data writing section writes the key information updated by the data updating section into a target apparatus. The target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area. The key information includes domain key information and m pieces of content key information. Each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process. The domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data. Each of the m pieces of content key information is encrypted. The updating method comprises the steps (A) to (E). In the step (A), the data updating section adds the first data to the new content key information and executes cipher block chaining with respect to the content key information using the domain key. In the step (B), the data updating section extracts the first data as it is encrypted from the content key information encrypted in the step (A). In the step (C), the data updating section executes a predetermined operation with respect to concatenated data including the first data extracted in the step (B) and the first data included in each of the m pieces of encrypted content key information, to generate second data. 
In the step (D), the data updating section rewrites the whole-check data included in the domain key information with the second data generated in the step (C). In the step (E), the data writing section writes the m pieces of encrypted content key information and the encrypted new content key information into the first memory area and the domain key information into the second memory area.

In the key information updating method, when key information is updated, the whole key information does not need to be subjected to a predetermined process. Therefore, a processing amount during updating of the key information can be reduced. Also, in the updated key information, not all data used for a tampering detecting process is stored in a predetermined area (the second memory area having a higher security level); only check data in a final stage is stored in the predetermined area. Thereby, the amount of data to be stored in the predetermined area can be reduced. Also, when a tampering detecting process is executed with respect to the updated key information, the whole key information does not need to be subjected to the process, so that a processing amount during detection of tampering can be reduced.

Also, in a key information updating method, key information is updated by a host apparatus. The presence or absence of tampering is detected in the key information. The host apparatus comprises a data updating section and a data writing section. The data updating section adds new content key information to the key information and updates the key information. The data writing section writes the key information updated by the data updating section into a target apparatus. The target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area. The key information includes domain key information, m pieces of content key information, m pieces of encrypted first data, and second data. Each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process. The domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data. Each of the m pieces of content key information is encrypted. The updating method comprises the steps (A) to (E). In the step (A), the data updating section adds the first data to the new content key information and executes cipher block chaining with respect to the content key information using the domain key. In the step (B), the data updating section extracts the first data as it is encrypted from the content key information encrypted in the step (A). In the step (C), the data updating section executes cipher block chaining using the domain key with respect to concatenated data including the second data, the m pieces of encrypted first data, and the first data extracted in the step (B), and extracts the second data as it is encrypted from the encrypted concatenated data. 
In the step (D), the data updating section rewrites the whole-check data included in the domain key information with the second data generated in the step (C). In the step (E), the data writing section writes the (m+1) pieces of first data included in the concatenated data encrypted in the step (C) into the first memory area. Also, in the step (E), the data writing section writes the m pieces of encrypted content key information and the encrypted new content key information into the first memory area, and the domain key information into the second memory area.

Also, in a key information updating method, key information is updated by a host apparatus. The presence or absence of tampering is detected in the key information. The host apparatus comprises a data updating section and a data writing section. The data updating section adds new content key information to the key information and updates the key information. The data writing section writes the key information updated by the data updating section into a target apparatus. The target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area. The key information includes domain key information, m pieces of content key information, and m pieces of partial-check data. Each of the m pieces of content key information includes a content key used for encryption and decryption of a content. The domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data. Each of the m pieces of content key information is encrypted. The updating method comprises the steps (A) to (E). In the step (A), the data updating section encrypts the new content key information. In the step (B), the data updating section executes a first operation with respect to the new content key information encrypted in the step (A) to generate first data. In the step (C), the data updating section executes a second operation with respect to concatenated data including the m pieces of partial-check data and the first data generated in the step (B), to generate second data. In the step (D), the data updating section rewrites the whole-check data included in the domain key information with the second data generated in the step (C). In the step (E), the data writing section writes the m pieces of partial-check data and the first data as (m+1) pieces of partial-check data into the first memory area. 
Also, in the step (E), the data writing section writes the m pieces of encrypted content key information and the encrypted new content key information into the first memory area, and the domain key information into the second memory area.

Also, in a key information updating method, key information is updated by a host apparatus. The presence or absence of tampering is detected in the key information. The host apparatus comprises a data updating section and a data writing section. The data updating section deletes any one piece of content key information from the key information in which the presence or absence of tampering can be detected, and updates the key information. The data writing section writes the key information updated by the data updating section into a target apparatus. The target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area. The key information includes domain key information and m pieces of content key information. Each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process. The domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data. Each of the m pieces of content key information is encrypted. The updating method comprises the steps (A) to (E). In the step (A), the data updating section deletes any one of the m pieces of encrypted content key information. In the step (B), the data updating section extracts first data as it is encrypted from each of the (m−1) pieces of encrypted content key information which are not deleted in the step (A). In the step (C), the data updating section executes a predetermined operation with respect to concatenated data including the (m−1) pieces of first data extracted in the step (B) to generate second data. In the step (D), the data updating section rewrites the whole-check data included in the domain key information with the second data generated in the step (C). 
In the step (E), the data writing section writes the (m−1) pieces of encrypted content key information into the first memory area and the domain key information into the second memory area.

Also, in a key information updating method, key information is updated by a host apparatus. The presence or absence of tampering is detected in the key information. The host apparatus comprises a data updating section and a data writing section. The data updating section deletes any one piece of content key information from the key information in which the presence or absence of tampering can be detected, and updates the key information. The target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area. The key information includes domain key information, m pieces of content key information, m pieces of encrypted first data, and second data. Each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process. The domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data. The m pieces of encrypted first data are in one-to-one correspondence with the m pieces of content key information. Each of the m pieces of content key information is encrypted. The updating method comprises the steps (A) to (E). In the step (A), the data updating section deletes any one of the m pieces of content key information. In the step (B), the data updating section extracts first data as it is encrypted from each of the (m−1) pieces of encrypted content key information which are not deleted in the step (A). In the step (C), the data updating section deletes first data corresponding to content key information deleted in the step (A) of the m pieces of encrypted first data. 
In the step (C), the data updating section executes cipher block chaining using the domain key with respect to concatenated data including the second data and the (m−1) encrypted first data which are not deleted in the step (B), and extracts the second data as it is encrypted from the encrypted concatenated data. In the step (D), the data updating section rewrites the whole-check data included in the domain key information with the second data extracted in the step (C). In the step (E), the data writing section writes the (m−1) pieces of first data included in the concatenated data encrypted in the step (C) into the first memory area. Also, in the step (E), the data writing section writes the (m−1) pieces of encrypted content key information into the first memory area, and the domain key information into the second memory area.

Also, in a key information updating method, key information is updated by a host apparatus. The presence or absence of tampering is detected in the key information. The host apparatus comprises a data updating section and a data writing section. The data updating section deletes any one piece of content key information from the key information in which the presence or absence of tampering can be detected, and updates the key information. The target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area. The key information includes domain key information, m pieces of content key information, and m pieces of partial-check data. Each of the m pieces of content key information includes a content key used for encryption and decryption of a content. The domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data. The m pieces of partial-check data are in one-to-one correspondence with the m pieces of content key information. Each of the m pieces of content key information is encrypted. The updating method comprises the steps (A) to (E). In the step (A), the data updating section deletes any one of the m pieces of encrypted content key information. In the step (B), the data updating section deletes partial-check data corresponding to the content key information deleted in the step (A) of the m pieces of partial-check data. In the step (C), the data updating section executes a second operation with respect to concatenated data including the (m−1) partial-check data which are not deleted in the step (B) to generate second data.
In the step (D), the data updating section rewrites the whole-check data included in the domain key information with the second data generated in step (C). In the step (E), the data writing section writes the (m−1) partial-check data which are not deleted in the step (B) into the first memory area. Also, in the step (E), the data writing section writes the (m−1) pieces of encrypted content key information into the first memory area, and the domain key information into the second memory area.

According to still another aspect of the present invention, in a tampering detecting method, the presence or absence of tampering is detected by a host apparatus in key information stored in a target apparatus. The key information includes domain key information and m (m is a natural number) pieces of content key information. Each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process. The domain key information includes a domain key used for encryption and decryption of the m content keys, and whole-check data. Each of the m pieces of content key information is encrypted. The detecting method comprises the steps (A) to (E). In the step (A), chaining decryption is executed using the domain key with respect to any one of the m pieces of encrypted content key information, and the first data is extracted from the decrypted content key information. In the step (B), the first data extracted in the step (A) is compared with previously prepared partial-check data. In the step (C), the first data as it is encrypted is extracted from each of the m pieces of content key information, and a predetermined operation is executed with respect to concatenated data including the m pieces of extracted first data to generate second data. In the step (D), the second data generated in the step (C) is compared with the whole-check data included in the domain key information. In the step (E), it is determined that the key information has not been tampered if the first data matches the partial-check data in the step (B) and the second data matches the whole-check data in the step (D).

In the tampering detecting method, not the whole key information needs to be subjected to a process. Therefore, a processing amount during the tampering detecting process can be reduced. Also, not all data used for the tampering detecting process needs to be stored in a predetermined area (the second memory area having a higher security level), and check data used in a final stage only needs to be stored in the predetermined area. Thereby, the amount of data to be stored in the predetermined area can be reduced.

Also, in a tampering detecting method, the presence or absence of tampering is detected by a host apparatus in key information stored in a target apparatus. The key information includes domain key information, m pieces of content key information, m pieces of encrypted first data, and second data. Each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process. The domain key information includes a domain key used for encryption and decryption of the m content keys, and whole-check data. Each of the m pieces of content key information is encrypted. The detecting method comprises the steps (A) to (E). In the step (A), chaining decryption is executed using the domain key with respect to any one of the m pieces of encrypted content key information, and the first data is extracted from the decrypted content key information. In the step (B), the first data extracted in the step (A) is compared with previously prepared partial-check data. In the step (C), chaining decryption is executed using the domain key with respect to concatenated data including the whole-check data included in the domain key information and the m pieces of encrypted first data, and the whole-check data is extracted from the decrypted concatenated data. In the step (D), the second data is compared with the whole-check data extracted in the step (C). In the step (E), it is determined that the key information has not been tampered if the first data matches the partial-check data in the step (B) and the second data matches the whole-check data in the step (D).

Also, in a tampering detecting method, the presence or absence of tampering is detected by a host apparatus in key information stored in a target apparatus. The key information includes domain key information, m pieces of content key information, and m pieces of partial-check data. Each of the m pieces of content key information includes a content key used for encryption and decryption of a content. The domain key information includes a domain key used for encryption and decryption of the m content keys, and whole-check data. The m pieces of partial-check data are in one-to-one correspondence with the m pieces of content key information. Each of the m pieces of content key information is encrypted. The detecting method comprises the steps (A) to (E). In the step (A), a first operation is executed with respect to any one of the m pieces of encrypted content key information to generate first data. In the step (B), the first data generated in the step (A) is compared with partial-check data corresponding to content key information subjected to the first operation in the step (A) of the m pieces of partial-check data. In the step (C), a second operation is executed with respect to concatenated data including the m pieces of partial-check data to generate second data. In the step (D), the second data generated in the step (C) is compared with the whole-check data included in the domain key information. In the step (E), it is determined that the key information has not been tampered if the first data matches the partial-check data in the step (B) and the second data matches the whole-check data in the step (D).
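The following added example (not part of the patent text) sketches the variant in which m pieces of partial-check data are kept in the first memory area and only the whole-check data is kept in the second memory area, covering the generating, adding, deleting and detecting methods for that variant. It assumes SHA-256 for both the first and the second operation, which the text leaves unspecified; the function names, the Target class and the sample entries are hypothetical, and the entries are constructed placeholders for content key information already encrypted with the domain key.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed placeholders standing in for three pieces of content key
# information already encrypted with the domain key (step (A)).
SAMPLE_ENC_INFOS = [bytes([b]) * 48 for b in (0x11, 0x22, 0x33)]


def first_operation(enc_info):
    """Assumed first operation: SHA-256 over one encrypted entry."""
    return hashlib.sha256(b"partial-check\x00" + enc_info).digest()


def second_operation(partial_checks):
    """Assumed second operation: SHA-256 over the concatenated check values.

    Every partial-check value is 32 bytes, so the concatenation is unambiguous.
    """
    return hashlib.sha256(b"whole-check\x00" + b"".join(partial_checks)).digest()


@dataclass
class Target:
    # First memory area (ordinary area, freely accessible).
    enc_infos: list = field(default_factory=list)
    partial_checks: list = field(default_factory=list)
    # Second memory area (protected): whole-check data kept with the domain key.
    whole_check: bytes = b""


def generate(enc_infos):
    """Generation: first data per entry, second data over all first data."""
    target = Target(enc_infos=list(enc_infos))
    target.partial_checks = [first_operation(e) for e in target.enc_infos]
    target.whole_check = second_operation(target.partial_checks)
    return target


def add_entry(target, enc_info):
    """Adding a key: one first operation, then re-run the second operation
    over (m+1) short check values, not over the whole content key group."""
    target.enc_infos.append(enc_info)
    target.partial_checks.append(first_operation(enc_info))
    target.whole_check = second_operation(target.partial_checks)


def delete_entry(target, index):
    """Deleting a key: drop its partial-check data and rewrite whole-check."""
    del target.enc_infos[index]
    del target.partial_checks[index]
    target.whole_check = second_operation(target.partial_checks)


def detect(target, index):
    """Detection steps (A) to (E) for the entry at `index`.

    Returns True only if the entry matches its partial-check data and the
    stored partial-check data matches the protected whole-check data.
    """
    if len(target.enc_infos) != len(target.partial_checks):
        return False
    if not 0 <= index < len(target.enc_infos):
        return False
    first = first_operation(target.enc_infos[index])                       # (A)
    partial_ok = hmac.compare_digest(first, target.partial_checks[index])  # (B)
    second = second_operation(target.partial_checks)                       # (C)
    whole_ok = hmac.compare_digest(second, target.whole_check)             # (D)
    return partial_ok and whole_ok                                         # (E)


if __name__ == "__main__":
    t = generate(SAMPLE_ENC_INFOS)
    print("untouched:", detect(t, 1))
    # Modify one encrypted entry in the freely accessible area.
    t.enc_infos[1] = b"\x00" + t.enc_infos[1][1:]
    print("entry modified:", detect(t, 1))
    # Also recompute its partial-check data; the protected value still differs.
    t.partial_checks[1] = first_operation(t.enc_infos[1])
    print("entry and partial-check modified:", detect(t, 1))
```

Checking one key reads that one encrypted entry plus m 32-byte check values; a modified entry whose partial-check data is left alone is reported only when that entry itself is checked, whereas a rewritten partial-check value fails the whole-check comparison for every entry.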

According to even still another aspect of the present invention, a data structure of key information comprises m pieces of content key information and domain key information. The key information is stored in a target apparatus. Also, the presence or absence of tampering is detected in the key information by a host apparatus. The target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area. The m pieces of content key information are stored in the first memory area. The domain key information is stored in the second memory area. Each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process by the host apparatus. The domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data used for the tampering detecting process by the host apparatus. Each of the m pieces of content key information is encrypted. The whole-check data corresponds to data which is obtained by extracting the first data as it is encrypted from each of m pieces of encrypted content key information which have not been tampered with, and executing a predetermined operation with respect to concatenated data including the m pieces of extracted first data.

In the key information data structure, instead of storing all the data used for the tampering detecting process in a predetermined area (the second memory area having a higher security level), the check data for the final stage is stored in the predetermined area. Thereby, the amount of data to be stored in the predetermined area can be reduced. Also, if first data obtained by executing a predetermined process with respect to one piece of content key information is compared with previously prepared partial-check data, the presence or absence of tampering can be detected in the content key information. Also, if second data generated based on m pieces of first data is compared with whole-check data, the presence or absence of tampering can be detected in the whole key information. Therefore, the whole key information need not be subjected to the process, which makes it possible to reduce the processing amount during the tampering detecting process.

Also, a data structure of key information comprises m pieces of content key information, domain key information, m pieces of encrypted first data, and second data. The key information is stored in a target apparatus. Also, the presence or absence of tampering is detected in the key information by a host apparatus. The target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area. The m pieces of content key information, the m pieces of encrypted first data, and the second data are stored in the first memory area. The domain key information is stored in the second memory area. Each of the m pieces of content key information includes a content key used for encryption and decryption of a content, and first data corresponding to partial-check data used for a tampering detecting process by the host apparatus. The domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data used for the tampering detecting process by the host apparatus. The m pieces of encrypted first data are in one-to-one correspondence with the m pieces of content key information. Each of the m pieces of content key information is encrypted. The whole-check data corresponds to second data which is obtained by executing cipher block chaining using the domain key with respect to concatenated data including m pieces of encrypted first data which have not been tampered with and the second data, and extracting the second data as it is encrypted from the encrypted concatenated data.

Also, a data structure of key information comprises m pieces of content key information, domain key information, and m pieces of partial-check data. The key information is stored in a target apparatus. Also, the presence or absence of tampering is detected in the key information by a host apparatus. The target apparatus includes a first memory area and a second memory area having a higher security level than that of the first memory area. The m pieces of content key information and the m pieces of partial-check data are stored in the first memory area. The domain key information is stored in the second memory area. Each of the m pieces of content key information includes a content key used for encryption and decryption of a content. The domain key information includes a domain key used for encryption and decryption of the m pieces of content key information, and whole-check data used for a tampering detecting process by the host apparatus. The m pieces of partial-check data are in one-to-one correspondence with the m pieces of content key information. Each of the m pieces of partial-check data corresponds to data which is obtained by executing a first operation with respect to content key information which corresponds to the partial-check data and has not been tampered with. The whole-check data corresponds to data which is obtained by executing a second operation with respect to concatenated data including m pieces of partial-check data which have not been tampered with.
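The data structure with m pieces of partial-check data and its detecting method (steps (A) to (E)), as an added Python example that is not part of the patent text. SHA-256 stands in for the unspecified first and second operations, the function and dictionary names are hypothetical, and the encrypted content key information is constructed sample bytes.

```python
import hashlib
import hmac

def first_op(enc_cki: bytes) -> bytes:
    """Assumed "first operation": SHA-256 over one encrypted content key info."""
    return hashlib.sha256(enc_cki).digest()

def second_op(partials: list) -> bytes:
    """Assumed "second operation": SHA-256 over the concatenated partial-check data."""
    return hashlib.sha256(b"".join(partials)).digest()

def generate(enc_ckis: list):
    """Build the key information: bulk data for the first memory area,
    a single whole-check value for the higher-security second memory area."""
    partials = [first_op(c) for c in enc_ckis]
    first_area = {"content_key_info": list(enc_ckis), "partial_check": partials}
    second_area = {"whole_check": second_op(partials)}
    return first_area, second_area

def detect(first_area: dict, second_area: dict, i: int) -> bool:
    """Return True when no tampering is detected for content key info i."""
    # Steps (A)-(B): recompute first data for entry i, compare with its partial-check data.
    first_data = first_op(first_area["content_key_info"][i])
    partial_ok = hmac.compare_digest(first_data, first_area["partial_check"][i])
    # Steps (C)-(D): recompute second data over all m partial-check values,
    # compare with the whole-check data held in the second memory area.
    second_data = second_op(first_area["partial_check"])
    whole_ok = hmac.compare_digest(second_data, second_area["whole_check"])
    # Step (E): both comparisons must match.
    return partial_ok and whole_ok

if __name__ == "__main__":
    # Constructed stand-ins for m = 3 pieces of encrypted content key information.
    enc = [bytes([n]) * 32 for n in (1, 2, 3)]
    first, second = generate(enc)
    print("untampered:", detect(first, second, 1))
    first["content_key_info"][1] = b"\xff" * 32          # entry altered in first area
    print("entry altered:", detect(first, second, 1))
    first["partial_check"][1] = first_op(b"\xff" * 32)   # its list entry rewritten too
    print("entry and list altered:", detect(first, second, 1))
```

Only the 32-byte whole-check value needs the higher-security area, and checking one entry hashes that entry plus the m partial-check values rather than all m pieces of content key information.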

EFFECT OF THE INVENTION

As described above, instead of storing all the data used for the tampering detecting process in a predetermined area (the second memory area having a higher security level), the check data for the final stage is stored in the predetermined area. Thereby, the amount of data to be stored in the predetermined area can be reduced.

Also, the whole key information need not be subjected to the process, which makes it possible to reduce the processing amount during the tampering detecting process.

Also, when the key information is updated, the whole key information need not be subjected to a predetermined process. Therefore, the processing amount during updating of the key information can be reduced.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing a whole configuration of a confidential information processing system according to a first embodiment of the present invention.

FIG. 2 is a diagram showing confidential information stored in a target apparatus in the first embodiment of the present invention.

FIG. 3 is a diagram for describing encryption/decryption of a domain key and encryption/decryption of a content key.

FIG. 4 is a diagram for describing a procedure for generating a hash list and whole-check data shown in FIG. 2.

FIG. 5 is a schematic flowchart showing an operation of the confidential information processing system.

FIG. 6 is a diagram for describing an authentication process.

FIG. 7 is a flowchart of a tampering detecting method in the first embodiment of the present invention.

FIG. 8 is a diagram for describing a procedure for updating a hash list and whole-check data when content key information is added.

FIG. 9 is a diagram for describing a procedure for updating a hash list and whole-check data when content key information is deleted.

FIG. 10 is a diagram for describing a variation of the confidential information of FIG. 2.

FIG. 11 is a diagram for describing a variation of the confidential information of FIG. 2.

FIG. 12 is a diagram for describing cipher block chaining.

FIG. 13 is a block diagram showing a whole configuration of a confidential information processing system according to a second embodiment of the present invention.

FIG. 14 is a diagram showing confidential information stored in a target apparatus shown in FIG. 13.

FIG. 15 is a diagram for describing a procedure for generating whole-check data shown in FIG. 14.

FIG. 16 is a diagram for describing a procedure of a tampering detecting process which uses a check value.

FIG. 17 is a flowchart of a tampering detecting method in the second embodiment of the present invention.

FIG. 18 is a diagram for describing a procedure for updating whole-check data when content key information is added.

FIG. 19 is a diagram for describing a procedure for updating whole-check data when content key information is deleted.

FIG. 20 is a diagram for describing a one-way function type hash operation (DES HASH).

FIG. 21 is a diagram showing an algorithm for executing the hash operation of FIG. 20.

FIG. 22 is a diagram for describing a one-way function type hash operation (C2).

FIG. 23 is a diagram for describing cipher block chaining (DES E-CBC).

FIG. 24 is a diagram showing an algorithm for executing the cipher block chaining of FIG. 23.

FIG. 25 is a diagram for describing cipher block chaining (C2 E-CBC).

FIG. 26 is a diagram for describing a variation of the confidential information of FIG. 14.

FIG. 27 is a diagram showing confidential information stored in a target apparatus in a third embodiment of the present invention.

FIG. 28 is a diagram for describing a procedure for generating a check value list and whole-check data shown in FIG. 27.

FIG. 29 is a diagram for describing a procedure of a tampering detecting process which uses a whole-check value and a check value list.

FIG. 30 is a diagram for describing a procedure for updating a check value list and whole-check data when content key information is added.

FIG. 31 is a diagram for describing a procedure for updating a check value list and whole-check data when content key information is deleted.

FIG. 32 is a diagram showing confidential information stored in a conventional target apparatus.

FIG. 33 is a diagram showing confidential information stored in a target apparatus when a domain key is set.

FIG. 34 is a diagram showing the confidential information stored in the target apparatus in more detail.

DESCRIPTION OF THE REFERENCE CHARACTERS

    • (10) target apparatus
    • (11) host apparatus