HK1041324B - Information processing device and method, and providing medium - Google Patents

Description

Information processing apparatus and method, and providing medium

Technical Field

The invention relates to an information processing apparatus and method and a providing medium. And more particularly, to an information processing apparatus and method using encrypted information and a providing medium.

Background

There have been systems that encrypt information (hereinafter, referred to as content) such as music and transmit it to information processing apparatuses of users who comply with a protocol so that the users can decrypt and use the content on their information processing apparatuses.

If a user has two or more information processing apparatuses capable of using content, he/she can transfer the provided content and use the content in the information processing apparatus to which the content is transferred.

However, in this case, the information processing apparatus has a problem that: the transmission source does not retain the content but makes the user unable to use the content in the information processing apparatus of the transmission source.

Disclosure of Invention

The present invention has been made in view of the above circumstances, and when a content to be transmitted is provided in another information processing apparatus, the content can be retained in the information processing apparatus of the transmission source.

In order to solve these problems, the present invention provides an information processing apparatus which is connected to another information processing apparatus and performs decryption and uses encrypted value information, comprising: a storage means for storing usage information including a key required to encrypt the value information, a usage condition of the value information, and transmission state information indicating whether the value information has been transmitted; providing means for providing the value information to the other information processing apparatus together with appropriate transmission information including the key included in the usage information when the usage condition included in the usage information stored by the storage means is correct and the transmission state information included in the usage information indicates that the value information is not transmitted; first changing means for changing the transmission state information to indicate that the value information has been transmitted when the value information and the transmission information have been supplied to the other information processing apparatus by the supplying means; transmitting means for transmitting an appropriate control signal to the other information processing apparatus when the transmission state information contained in the usage information stored by the storage means has been transmitted and the transmission of the value information to the other information processing apparatus is canceled; and second changing means for changing the transmission state information to indicate that the value information is not transmitted when a reply signal from the other information processing apparatus is received in response to the control signal transmitted by the transmitting means.

Further, the present invention provides an information processing method for an information processing apparatus which is connected to another information processing apparatus and performs decryption and uses encrypted value information, comprising: a storage step of storing usage information including a key required to encrypt the value information, a usage condition of the value information, and transmission state information indicating whether the value information has been transmitted; a providing step of providing, when the usage condition contained in the usage information stored by the storing step is a predetermined condition and the transmission state information included in the usage information indicates that the value information is not transmitted, the value information to the other information processing apparatus together with appropriate transmission information including the key contained in the usage information; a first changing step of changing the transmission state information to indicate that the value information has been transmitted when the value information and the transmission information have been supplied to the other information processing apparatus by the supplying step; a transmission step of transmitting an appropriate control signal to the other information processing apparatus when the transmission state information contained in the usage information stored by the storage step has been transmitted and the transmission of the value information to the other information processing apparatus is cancelled; and a second changing step of changing the transmission state information to indicate that the value information is not transmitted when receiving a reply signal from the other information processing apparatus in response to the control signal transmitted by the transmitting step.

Further, the present invention provides a providing medium for providing a computer-readable program for causing an information processing apparatus, which is connected to another information processing apparatus and performs decryption and uses encrypted value information, to execute a process, the process comprising: a storage step of storing usage information including a key required to encrypt the value information, a usage condition of the value information, and transmission state information indicating whether the value information has been transmitted; a providing step of providing, when the usage condition contained in the usage information stored by the storing step is a predetermined condition and the transmission state information included in the usage information indicates that the value information is not transmitted, the value information to the other information processing apparatus together with appropriate transmission information including the key contained in the usage information; a first changing step of changing the transmission state information to indicate that the value information has been transmitted when the value information and the transmission information have been supplied to the other information processing apparatus by the supplying step; a transmission step of transmitting an appropriate control signal to the other information processing apparatus when the transmission state information contained in the usage information stored by the storage step has been transmitted and the transmission of the value information to the other information processing apparatus is canceled; and a second changing step of changing the transmission state information to indicate that the value information is not transmitted when a reply signal from the other information processing apparatus is received in response to the control signal transmitted by the transmitting step.

Further, the present invention provides an information processing apparatus, an information processing method, and a providing medium storing usage information including a key required to encrypt the value information, a usage condition of the value information, and transmission state information indicating whether the value information has been transmitted; when the usage condition contained in the usage information stored by the storing step is a predetermined condition and the transmission state information included in the usage information indicates that the value information is not transmitted, supplying the value information to the other information processing apparatus together with appropriate transmission information including the key contained in the usage information; changing the transmission state information to indicate that the value information has been transmitted when the value information and the transmission information have been supplied to the other information processing apparatus by the supplying step; sending an appropriate control signal to the other information processing apparatus when the transmission state information contained in the usage information stored by the storing step has been transmitted and the transmission of the value information to the other information processing apparatus is canceled; and changing the transmission state information to indicate that the value information is not transmitted when a reply signal from the other information processing apparatus is received in response to the control.

Further, the present invention provides an information processing apparatus which is connected to another information processing apparatus, and which performs decryption and uses encrypted value information, comprising: receiving means for receiving value information from the other information processing apparatus and transmitting transmission information including a key required to encrypt the value information; storage means for storing the transmission information received by the receiving means; deletion means for deleting the transmission information stored in the storage means when an appropriate control signal is received from the other information processing means; and transmitting means for transmitting an appropriate reply signal when the transmission information is deleted by the deleting means.

Further, the present invention provides an information processing method for an information processing apparatus which is connected to another information processing apparatus and performs decryption and uses encrypted value information, comprising: a reception step of receiving value information from another information processing apparatus and transmitting transmission information including a key required to encrypt the value information; a storage step of storing the transmission information received by the reception step; a deleting step of deleting the transmission information stored in the storage device when an appropriate control signal is received from the other information processing device; and a sending step of sending an appropriate reply signal when the transmission information is deleted by the deleting step.

Further, the present invention provides a providing medium for providing a computer-readable program for an information processing apparatus which is connected to another information processing apparatus and performs decryption and uses encrypted value information to execute a process, characterized by comprising: a reception step of receiving value information from another information processing apparatus and transmitting transmission information including a key required to encrypt the value information; a storage step of storing the transmission information received by the reception step; a deleting step of deleting the transmission information stored in the storage device when an appropriate control signal is received from the other information processing device; and a sending step of sending an appropriate reply signal when the transmission information is deleted by the deleting step.

Further, the present invention provides an information processing apparatus, an information processing method, and a providing medium that receive value information from other information processing apparatuses and transmit transmission information including a key required to encrypt the value information; storing the transmission information received by the receiving step; deleting the transmission information stored in the storage means when an appropriate control signal is received from the other information processing means; when the transmitted information is deleted by the deletion step, an appropriate reply signal is sent.

The present invention also provides an information processing apparatus which is connected to another information processing apparatus and decrypts and uses encrypted value information, characterized by comprising: a storage means for storing usage information including a key required to encrypt the value information, a usage condition of the value information, and transmission state information indicating whether the value information has been transmitted; providing means for providing the value information to the other information processing apparatus together with appropriate transmission information including the key included in the usage information when the usage condition included in the usage information stored by the storage means is correct and the transmission state information included in the usage information indicates that the value information is not transmitted; first changing means for changing the transmission state information to indicate that the value information has been transmitted when the value information and the transmission information have been supplied to the other information processing apparatus by the supplying means; transmitting means for transmitting an appropriate control signal to the other information processing apparatus when the transmission state information contained in the usage information stored by the storage means has been transmitted and the transmission of the value information to the other information processing apparatus is canceled; second changing means for changing the transmission state information to indicate that the value information is not transmitted when a reply signal from the other information processing apparatus is received in response to the control signal transmitted by the transmitting means.

The present invention also provides an information processing method for an information processing apparatus which is connected to another information processing apparatus and decrypts and uses encrypted value information, characterized by comprising: a storage step of storing usage information including a key required to encrypt the value information, a usage condition of the value information, and transmission state information indicating whether the value information has been transmitted; a providing step of providing, when the usage condition contained in the usage information stored by the storing step is a predetermined condition and the transmission state information included in the usage information indicates that the value information is not transmitted, the value information to the other information processing apparatus together with appropriate transmission information including the key contained in the usage information; a first changing step of changing the transmission state information to indicate that the value information has been transmitted when the value information and the transmission information have been supplied to the other information processing apparatus by the supplying step; a transmission step of transmitting an appropriate control signal to the other information processing apparatus when the transmission state information contained in the usage information stored by the storage step has been transmitted and the transmission of the value information to the other information processing apparatus is cancelled; a second changing step of changing the transmission state information to indicate that the value information is not transmitted when a reply signal from the other information processing apparatus is received in response to the control signal transmitted by the transmitting step.

The present invention also provides an information processing apparatus which is connected to another information processing apparatus and decrypts and uses encrypted value information, characterized by comprising: receiving means for receiving value information from the other information processing apparatus and transmitting transmission information including a key required to encrypt the value information; storage means for storing the transmission information received by the receiving means; deletion means for deleting the transmission information stored in the storage means when an appropriate control signal is received from the other information processing means; transmitting means for transmitting an appropriate reply signal when the transmission information is deleted by the deleting means.

The present invention also provides an information processing method for an information processing apparatus which is connected to another information processing apparatus and decrypts and uses encrypted value information, characterized by comprising: a reception step of receiving value information from another information processing apparatus and transmitting transmission information including a key required to encrypt the value information; a storage step of storing the transmission information received by the reception step; a deleting step of deleting the transmission information stored in the storage device when an appropriate control signal is received from the other information processing device; a sending step of sending an appropriate reply signal when the transmission information is deleted by the deleting step.

This page is blank.

Drawings

FIG. 1 is a system block diagram illustrating an EMD system;

FIG. 2 is a system block diagram illustrating the primary information flow in an EMD system;

fig. 3 is a block diagram showing a functional structure of the EMD service center 1;

fig. 4 is a schematic diagram illustrating the transmission of the transfer key Kd in the EMD service center 1;

fig. 5 is another schematic diagram illustrating the transmission of the transfer key Kd in the EMD service center 1;

fig. 6 is another schematic diagram illustrating the transmission of the transfer key Kd in the EMD service center 1;

fig. 7 is another schematic diagram illustrating the transmission of the transfer key Kd in the EMD service center 1;

fig. 8 is another schematic diagram illustrating the transmission of the transfer key Kd in the EMD service center 1;

fig. 9 is a diagram for explaining system registration information;

fig. 10 is a diagram for explaining point-of-use information;

fig. 11 is a block diagram showing a functional configuration example of the content provider 2;

fig. 12 is a diagram showing UCP;

FIG. 13 is a schematic diagram illustrating the controlled delivery of content;

FIG. 14 is a schematic diagram illustrating a first occurrence of replication;

FIG. 15 is a diagram showing an example of code values of a service code and a condition code;

FIG. 16 is a chart showing an example of setting of code values for use conditions of UCP;

FIG. 17 is a schematic diagram showing a content provider secure container;

fig. 18 is a schematic diagram showing an example of the authentication certificate of the content provider 2;

fig. 19 is a block diagram showing a functional structure of the service provider 3;

FIG. 20 is a graph showing an example of PT;

FIG. 21 is a chart showing an example of code values for "value" of a PT;

fig. 22 is a graph showing another example of PT;

FIG. 23 is a chart showing an example of code values for "value" of another PT;

FIG. 24 is a schematic diagram showing a service provider security container;

fig. 25 is a schematic diagram showing an example of the authentication certificate of the service provider 3;

fig. 26 is a block diagram showing an example of the functional configuration of the receiver 51 in the user's home network 5;

fig. 27 is a schematic diagram showing an example of an authentication certificate of the SAM62 of the receiver 51;

FIG. 28 is a diagram illustrating an example of a UCS;

fig. 29 is a schematic diagram illustrating the internal configuration of the usage information memory 63A in the external memory 63 of the receiver 51;

fig. 30 is a graph showing an example of statistical information;

fig. 32 is a diagram illustrating the reference information 51;

fig. 33 is a diagram showing an example of the use point information of the reference information 51;

FIG. 34 is a diagram showing an example of a registration list;

fig. 35 is a block diagram showing an example of the functional configuration of a receiver 201 in the user's home network 5;

fig. 36 is a schematic diagram illustrating an internal configuration of the usage information memory 213A in the external memory 213 of the receiver 201;

FIG. 37 is a chart of the information stored in the memory module 223 of the receiver 201;

FIG. 38 is a flowchart illustrating a process for utilization of content;

fig. 39 is a flowchart illustrating a process of sending the transfer key Kd from the EMD service center 1 to the content provider 2;

fig. 40 is a flowchart illustrating a flow of mutual authentication between the content provider 2 and the EMD service center 1;

fig. 41 is a flowchart illustrating another flow of mutual authentication between the content provider 2 and the EMD service center 1;

fig. 42 is a flowchart illustrating another flow of mutual authentication between the content provider 2 and the EMD service center 1;

fig. 43 is a flowchart illustrating a process of transmitting a content provider secure container from the content provider 2 to the service provider 3;

fig. 44 is a flowchart illustrating a process of transmitting a service provider secure container from the service provider 3 to the receiver 51;

FIG. 45 is a flow chart of a process in receiving a service provider secure container using the receiver 51;

fig. 46 is a flowchart illustrating a procedure when the receiver 51 plays back content;

FIG. 47 is a flowchart illustrating a statistical clearing process;

FIG. 48 is a flowchart illustrating a process of controlling delivery of content;

fig. 49 is a flowchart illustrating a procedure of ending the control transfer of content.

Detailed Description

The following describes embodiments of the present invention

(1) Information distribution system

Fig. 1 shows an EMD (electronic music distribution) system to which the present invention is applied. The EMD system includes: an EMD service center 1 that manages individual devices, a content provider 2 that provides content (in this example, having two content providers 2-1 and 2-2 (refer to the simple content provider 2 unless the system allocates them) for other devices as well), a service provider 3 that provides a predetermined service corresponding to the content (in this example, having two service providers 3-1 and 3-2), and a user network 5 composed of devices that use the content (in this example, a receiver 51, a receiver 201, and a receiver 301).

The content in an EMD system is digital data, the information of which is a value. In this example, a piece of content corresponding to music data is equivalent to a piece of music. The content is provided to the user by taking a piece of content as one unit (single song) or a plurality of contents as one unit (album). The user purchases content (actually, purchases a right to use the content) to use it. In addition to music data, the content may be video data, game programs, computer programs, text data, or the like.

The EMD service center 1 transmits a transfer key Kd for the usage-required content to the user home network 5 and the content provider 2, as shown in fig. 2, representing a main information flow in the EMD system. Also, the EMD service center 1 receives statistical information and the like from the user home network 5 and adjusts payment.

As shown in fig. 2, the content providers 2-1 and 2-2 have: content to be provided (encrypted with a content key Kco), a content key Kco (encrypted with a transfer key Kd) necessary for encrypting the content, a usage control rule (hereinafter abbreviated UCP) describing details of usage of the content and providing them to the service provider 3 in a so-called content provider secure container (to be described later).

The service providers 3-1 and 3-2 prepare one or more price tags (hereinafter abbreviated as PTs) according to the usage details contained in the UCP provided by the content provider 2. The service provider 3 transmits the prepared PT together with content (encrypted with a content key Kco), a content key Kco (encrypted with a transfer key Kd), and UCP provided by the content provider 2 to the user's home network 5 through a network 4 composed of a private cable network, the internet, or a communication satellite in the form of a so-called service provider secure container.

The user home network 5 prepares a usage control state (hereinafter, abbreviated as UCS) according to the provided UCP and PT shown in fig. 2, and performs a process of using content based on the prepared UCS. Furthermore, the user home network 5 prepares statistical information, counts the time with the preparation of UCS, and transmits it to the EMD service center 1 together with the corresponding UCP and PT, with the provision of the transfer key Kd, for example. In addition, the user home network 5 may not send UCP and PT to the EMD service center 1.

In this example, the user home network 5 includes a receiver 51 connected to the HDD52 and having a SAM (secure application module) 62, and a receiver 201 connected to the HDD 202 and having a SAM 212. The receivers 51 and 201 are connected by IEEE 1394.

(2) EMD service center

Fig. 3 is a block diagram showing a functional configuration of the EMD service center 1. The service provider management section 11 provides the service provider 3 with the bonus information. The content provider management section 12 sends the transfer key Kd to the content provider 2 and provides reddening information.

The copyright management section 13 transmits information related to the use of the content to an appropriate copyright management unit such as JASPAC (japan author, composer, and publisher association) through the user home network 5.

The key server 14 stores the transfer key Kd and supplies it to the content provider 2 through the content provider management section 12 or to the user home network 5 through the user management section 18.

The transfer key Kd provided from the EMD service center 1 to the device (e.g., the receiver 51 or the receiver 201) of the user home network 5 and the content provider 2 is described below with reference to fig. 4 to 7.

FIG. 4 shows: when the content provider 2 starts to provide content and the receiver 51 constituting the user's home network 5 starts to use the content, the EMD service center 1 has a transfer key Kd, the content provider 2 has a transfer key Kd, and the receiver 51 has a transfer key Kd in month 1 of 1998.

In the example of fig. 4, the transfer key Kd is valid from the first day to the last day of the calendar month (both inclusive). For example, the transmission key Kd version 1 having one value of "aaaaaaaa" made up of one fixed number of bits is valid from 1 month 1 of 1998 to 1 month 31 of 1998 (i.e., the content key Kco encrypting the content distributed to the user's home network 5 by the service provider 3 is encrypted with the transmission key Kd version 1 from 1 month 1 of 1998 to 1 month 31 of 1998). The transmission key Kd version 2 having one value of "bbbbbbbb" constituted by one fixed number of bits is valid from 2 month 1 of 1998 to 2 month 28 of 1998 (i.e., the content key Kco for encrypting the content distributed to the user's home network 5 by the service provider 3 within a given period of time encrypted by the transmission key Kd version 2). Likewise, transfer key Kd version 3 was valid at month 3 of 1998, transfer key Kd version 4 was valid at month 4 of 1998, transfer key Kd version 5 was valid at month 5 of 1998, and transfer key Kd version 6 was valid at month 6 of 1998.

Before the content provider 2 starts providing content, the EMD service center 1 sends six transfer keys Kd (transfer keys Kd versions 1 to 6) that are valid from 1 month to 6 months 1998 to the content provider 2, and the content provider 2 receives and stores the six transfer keys Kd. The reason why the transmission key Kd of six months is stored is the time of a certain period required to prepare, for example, encryption of the content and the transmission key before the content provider 2 starts providing the content.

Before the receiver 51 starts using the content, the EMD service center 1 sends three transfer keys Kd (transfer key Kd versions 1 to 3) that are valid from 1 month to 3 1998 to the receiver 51, and the receiver 51 receives and stores the three transfer keys Kd. The transfer key Kd of three months is stored in order to avoid a situation in which contents are invalid even during the contract due to a trouble in which the user home network 5 cannot be connected to the EMD service center 1 or other trouble, and to reduce the load on the user home network 5 by reducing the number of connections to the EMD service center 1.

During months 1 to 3 of 1998, the transfer key Kd version 1 is used by the EMD service center 1, the content provider 2 and the receiver 51 constituting the user's home network 5.

The transmission of the transfer key Kd from the EMD service center 1 to the content provider 2 and the receiver 51 on 2/1 of 1998 is explained with reference to fig. 5. The EMD service center 1 transmits six transfer keys Kd (transfer key Kd versions 2 to 7) that are valid from month 2 to month 7 of 1998 to the content provider 2, and the content provider 2 receives and stores them, overwriting the original. The EMD service center 1 transmits 3 transfer keys Kd (transfer key Kd versions 2 to 4) that are valid from month 2 to month 4 of 1998 to the content provider 2, and the content provider 2 receives and stores them, overwriting the original. The EMD service center 1 thus stores the transfer key Kd version 1. This enables effective use of the past transfer key Kd in the case of unexpected trouble or in the case where an illegal action is issued or detected.

During the period of 1998 from 2 month 1 to 2 month 28, the transfer key Kd version 2 is used by the EMD service center 1, the content provider 2 and the receiver 51 constituting the user's home network 5.

The transmission of the transfer key Kd from the EMD service center 1 to the content provider 2 and the receiver 51 on 3/1 of 1998 is explained with reference to fig. 6. The EMD service center 1 transmits six transfer keys Kd (transfer key Kd versions 3 to 8) that are valid from 3 to 8 months 1998 to the content provider 2, and the content provider 2 receives the six transfer keys Kd and stores them, overwriting the original. The EMD service center 1 transmits 3 transfer keys Kd (transfer key Kd versions 3 to 5) that are valid from 3 months to 5 months in 1998 to the content provider 2, and the content provider 2 receives the 3 transfer keys Kd and stores them, overwriting the original. The EMD service center 1 thus stores the transfer keys Kd version 1 and 2.

During 3 months 1 to 3 months 31 days of 1998, the transfer key Kd version 3 is used by the EMD service center 1, the content provider 2 and the receiver 51 constituting the user's home network 5.

The transmission of the transfer key Kd from the EMD service center 1 to the content provider 2 and the receiver 51 on 4/1 of 1998 is explained below with reference to fig. 7. The EMD service center 1 transmits six transfer keys Kd (transfer key Kd versions 4 to 9) that are valid from 4 to 9 months 1998 to the content provider 2, and the content provider 2 receives the six transfer keys Kd and stores them, overwriting the original. The EMD service center 1 transmits 3 transfer keys Kd (transfer key Kd versions 4 to 6) that are valid from 4 to 6 months 1998 to the content provider 2, and the content provider 2 receives the 3 transfer keys Kd and stores them, overwriting the original. The EMD service center 1 thus stores the transfer keys Kd version 1, 2, and 3.

During the period of 1998 from 4 months 1 to 4 months 30, the transfer key Kd version 4 is used by the EMD service center 1, the content provider 2 and the receiver 51 constituting the user's home network 5.

In this method, if the transmission key Kd is allocated several months in advance, the user can purchase the contents even if they do not access the EMD service center 1 for one or two months, but they can access the EMD service center 1 and receive the key at a convenient time.

As described above, the transmission key Kd of three months is distributed to the devices formally registered in the EMD system and the content provider 2 in the user home network 5. However, as shown in fig. 8, only one month of the transfer key Kd is allocated to the user home network devices informally registered and provisionally registered (described in detail below) in the EMD system instead of three months. In this example, in order to register the user home network 5 device in the EMD system, a registration program such as user credit processing needs to be performed in about one month. Therefore, in order to validate the content during this period (one month), from the registration to the formal registration, the transfer key Kd permitting the use for one month is assigned to the device which is not formally registered.

Returning to fig. 3, the log data management section 15 stores: statistical information output by the user management part 18, PT corresponding to the content, and UCP corresponding to the content.

The reddening section 16 calculates respective profits of the EMD service center 1, the content providers 2-1 and 2-2, and the service providers 3-1 and 3-2 based on the information provided by the log data management section 15, and outputs the results to the service provider management section 11, the content provider management section 12, the cashier section 20, and the copyright management section 13. The reddening section 16 calculates points of use provided to the content providers 2-1 and 2-2 and the service providers 3-1 and 3-2, respectively, based on the calculated profits (the larger the profit or the larger the user's use, the larger the point), and outputs the points of use to the user management section 18. Here, the usage point in the content provider 2 is referred to as a content usage point, and the usage point in the service provider 3 is referred to as a service usage point.

The mutual authentication section 17 performs mutual authentication with the content provider 2, the service provider 3, and the user home network 5 device.

The user management section 18 manages information (hereinafter referred to as system registration information) relating to devices in the user's home network 5. As shown in fig. 9, the system registration information includes information corresponding to the items "SAM ID", "device number", "settlement ID", "statistical settlement user information", a plurality of "affiliated user information" and "point-of-use information".

The "SAM ID" contains a SAM (to be described later) ID of a manufacturing apparatus constituting the user home network 5. The "SAM ID" row of the system registration information in fig. 9 includes the SAM62 of the receiver 51, the SAM212 of the receiver 201.

The "device number" is the number of the user's home network 5 device that is supposed to have the SAM. If one device in the user's home network 5 has the capability of communicating with the service provider 3 and the EMD service center 1 directly through the network 4 (communication block), and has, for example, the capability of outputting (sending) the contents of UCPs and PTs to the user or the capability of allowing the user to select the details of use in UCPs (display unit and operation panel), this device is given a device number of 100 or more (hereinafter referred to as a master device). Devices without such capability (hereinafter referred to as auxiliary devices) are assigned a device number of 99 or less. In this example, receivers 51 and 201 have the above capabilities and are assigned a device number of 100 or greater than 100. Therefore, the device number 100 is assigned to each "device number" in the system registration information of fig. 9 corresponding to the SAM62ID of the receiver 51 and the SAM212ID of the receiver 201.

The "settlement ID" stores a predetermined settlement ID designated at the time of formal registration in the EMD system. In this example, since the receivers 51 and 201 have already performed formal registration and are assigned the settlement ID, the assigned settlement ID is stored in each "settlement ID" corresponding to the SAM62ID of the receiver 51 and the SAM212ID of the receiver 201 in the system registration information of fig. 9.

The "statistical settlement user information" includes the name, address, telephone number, settlement institution information (i.e., credit card number), birthday, age, sex, ID, password, and the like of the user who settles the statistics (such a user is hereinafter referred to as a statistical settlement user).

When the user submits a registration request, the user provides the name, address, telephone number, settlement institution information, birthday, age, sex of the statistical settlement user (hereinafter, this item included in the "statistical settlement user information" is referred to as general information of the user if they do not need to be handled separately). These items, name, address, telephone number, settlement institution information must be accurate (i.e., information registered in the settlement institution) because they are used for user credit processing in this example. On the other hand, in this example, the birthday, age, sex in the user's general information are not used for the user credit processing, and thus do not need to be accurate. In addition to this, there is no need for the user to have to provide them. When the user is registered in the EMD system, the ID and password of the statistical settlement user contained in the "statistical settlement user information" are specified and set.

The "statistical settlement user information" used for the SAM62ID of the receiver 51 in the system registration information of fig. 9 contains user general information provided by the user F, which is a statistical settlement user of the receiver 51, and the ID and password of the user F. SAM212 for receiver 201

The "statistical settlement user information" of the ID includes user general information provided by the user F and the ID and password of the user a who is the statistical settlement user of the receiver 51.

The "affiliated user information" includes the name, address, telephone number, date of birth, age, sex, ID, password, and the like of the user who does not perform the settlement by himself (such a user is hereinafter referred to as an affiliated user). In other words, it contains information other than the settlement institution information in the "statistical settlement user information". The name, address, telephone number, birthday, age, sex of the affiliated user contained in the "affiliated user information" need not be precise because the affiliated user does not go through credit processing. For example, a foreign number may be used as a name. Even if the name is used to identify the user, no other information is necessarily required. When the affiliated user registers in the EMD system, the ID and password of the affiliated user included in the "affiliated user information" are designated and set.

In this example, "affiliated user information" for the SAM62ID and the SAM212ID in the system registration information of fig. 9 is to contain any information since the affiliated users are not registered to the receivers 51 and 201.

The "point-of-use information" is the point-of-use information output by the reddening section 16. In this example, "point-of-use information" for SAM62ID and SAM212ID respectively contains point-of-use information. Fig. 10 shows an example of the use point information of the receiver 51. In the example of fig. 10, the content usage point of the content provider 2-1 is 222 points, the content usage point of the content provider 2-2 is 123 points, the service usage point of the service provider 3-1 is 345 points, and the service usage point of the service provider 3-2 is 0 points, which are assigned to the user F (statistical settlement user) of the receiver 51.

In this example, the total number of points 345(═ 123+222) of usage points of each of the content provider 2-1 and the content provider 2-2 and the total number of points 345(═ 345+0) of service usage points of each of the service provider 3-1 and the service provider 3-2 are made equal.

For the receiver 201, since the content is not used at this point, "point-of-use information" for the SAM212ID does not contain any information.

In addition to managing the system registration information, the user management section 18 prepares a registration list for predetermined processing and transmits it to the user home network 5 together with the transmission key Kd.

Returning again to fig. 3, the settlement section 19 calculates the amount paid by the user based on, for example, the statistical information, UCP and PT provided by the log data management section 15, and provides the result to the cashier section 20, and then settles the statistics by communicating with an external bank or the like (not shown) based on the amount of the usage fee paid or paid by the user, the content provider 2 and the service provider 3. Also, the cashier section 20 notifies the user management section 18 of the result of the settlement.

The audit section 21 checks the correctness of the statistical information provided by the devices in the user's home network 5 and the correctness of the PT and UCP (i.e., checks any illegal action). In this example, the audit section 21 receives content from the content provider 2, PT from the service provider 3, and corresponding UCP and PT from the user home network 5.

(3) Content provider

Fig. 11 is a block diagram showing a functional structure of the content provider 2-1. The content server 31 stores the content provided by the user and supplies it to the electronic watermark applying section 32, and then electronic watermarks the content provided by the content server 31 and supplies it to the compressing section 33.

The compression section 33 compresses the content supplied from the electronic watermark applying section 32 by ATRAC 2(Adaptive Transform optical Coding2) (a trademark) or other method, and supplies it to the encryption section 34, the encryption section 34 encrypts the content compressed by the compression section 33 by a common key cipher such as DES (data encryption standard) using a random number supplied as a key by the random number generator section 35, and outputs the result to the secure container preparation section 38.

The random number generator section 35 supplies random numbers composed of a fixed number of bits to the encryption sections 34 and 36 to be used as the content key Kco. The encryption section 36 encrypts the content key Kco by a common key cipher such as DES using the transfer key Kd provided by the EMD service center 1, and outputs the result to the secure container preparation section 38.

DES is an encryption method that encrypts 64-bit blocks of plain text using a 56-bit common key. The DES processing is constituted by a portion (data mixing portion) for converting a plain text into a cipher text by mixing it with a key, and a portion (key processing portion) for generating a key (expanded key) for use by the data mixing portion from a common key. All DES algorithms are publicly available. Therefore, the basic processing in the data mixing section will be described herein.

First, a 64-bit plain text is divided into high-order 32-bit H₀And low order 32 bits L₀. Using the 48-bit extended key and the lower 32-bit L provided from the key processing section₀As input, the output from an F function is obtained by mixing the lower 32 bits L₀To perform the calculation. The F function consists of two basic transformations: "replace" for replacing a value in a specified way; and "transposition" for transforming the bit positions in a specified method. Then, the high order 32 ratioSpecial H₀XOR with the output from the F function and marked H₁。L₀Is marked as H₁。

At the high order 32 bits H₀And low order 32 bits L₀After 16 iterations of the above process on a base basis, the high order 32-bit H is synthesized₁₆And low order 32 bits L₁₆Is output as a cipher text. In order to perform decryption, the above-described process is reversed using a common key used in encryption.

The rule storage section 37 stores UCP set for the content and outputs it to the secure container preparation section 38. Fig. 12 shows UCP a set for the content a held in the content server 31, which is stored in the rule storage section 37. The UCP contains information about "content ID", "content provider ID", "UCP validity period", "use condition", and "use details". The "content ID" contains the ID of the content added by a given UCP. Each "content ID" of UCP a (fig. 12A) and UCP B (fig. 12B) contains an ID of content a.

The "content provider ID" contains an ID of a content provider that provides the content. Each "content provider ID" of UCP a and UCPB contains an ID of the content provider 2-1. "UCP ID" contains the ID assigned to a given UCP: the "UCP ID" of UCP a contains the ID of UCP a and the "UCP ID" of UCPB contains the ID of UCP B. The "UCP valid period" includes information on the valid period of UCP: the "UCP valid period" of UCP a includes a valid period of UCP a.

The "use condition" contains predefined information about the "use condition" and the "equipment condition". The "usage condition" contains a condition capable of selecting a user of a given UCP. "device conditions" include conditions that enable selection of a device for a given UCP.

In the case of UCP a, "use condition 10" is specified. The "user condition 10" of the "use condition 10" contains information indicating that the condition is a condition whose use point is 200 points or more ('200 points or more'). The "device condition 10" of the "use condition 10" contains information indicating that there is no condition ('unconditional'). Thus, ucpa can be selected only by users having 200 or more points of use of the content provider 2-1.

In the case of UCP B, "use condition 20" is specified. The "user condition 20" of the "use condition 20" contains information indicating that the condition is a condition whose use point is 200 points or less ('200 points or less'). The "equipment condition 20" of the "use condition 20" includes 'unconditional'. Thus, UCP B can only be selected by users with 200 or less points of use of the content provider 2-1.

The "usage details" contain information relating to "ID", "type", "parameter", and "control transfer permission information". The "ID" contains an ID assigned to the information contained in the "usage details".

The "genre" contains information indicating the type of content such as playback or copy. The "parameter" contains predefined information corresponding to the usage type contained in the "type".

The "control transfer permission information" contains information indicating whether or not the control transfer of the content is possible (permitted or not). In the case of one content control transfer, the content is copied to the destination device while being held in the source device, as shown in fig. 13A. In other words, the content can be used in both the source and destination devices. In this regard, the control transfer is different from the general content transfer in which the content is moved from the source device to the destination device only when the content is stored and used, as shown in fig. 13B.

During the controlled transfer of the content, the source device cannot transfer the control of the content to any third device (is not permitted), as shown in fig. 13A. Thus, the content is only maintained in both devices: a source device and a destination device. In this regard, the content control transfer is different from the first generation copy that is capable of generating a plurality of copies (first generation) from the original content, as shown in fig. 14A. Also, content control delivery is different from the one-time copy shown in fig. 14B, where content control can be delivered to a third device if the content is returned from the source device.

Returning to fig. 12A, UCP a has four "use details" fields: "use details 11" to "use details 14". The "ID 11" of "usage detail 11" contains the ID assigned to "usage detail 11". The "type 11" contains information indicating the usage type of "purchase and playback" which means that the content is to be purchased and played back. "parameter 11" contains predefined information corresponding to "purchase and playback". The "control transfer permission information 11" contains information ('permission') indicating that the control transfer of the content is permitted.

The "ID 12" of the "usage detail 12" contains the ID assigned to the "usage detail 12". "type 12" contains information indicating "first generation copy" meaning that the content will generate a first generation copy. By purchasing and using the right of the type "first generation copy", the user can generate a plurality of first generation copies from the original content as in fig. 14A. However, the second generation copy cannot be generated from the first generation copy (is not allowed). "parameter 12" contains predefined information corresponding to "first generation copy". The "control transfer permission information 12" contains information indicating that the control transfer of the content is not permitted ('no permission').

The "ID 13" of the "usage detail 13" contains the ID assigned to the "usage detail 13". The "type 13" contains information of "limited time playback" indicating the type of use for playback of a particular period (time). The "parameter" contains a start time and an end time corresponding to the "limited time playback". The "control transmission permission information 13" is set to "not permitted".

The "ID 14" of the "usage detail 14" contains the ID assigned to the "usage detail 14". The "type 14" contains information indicating "pay for five times of copying" of the usage type of five times of copying (better than the coupon for five times of copying). In this case, as shown in fig. 14B, a replica cannot be generated from a replica (not permitted). "parameter 14" contains information indicating "five copies" that can be copied five times. The "control transmission permission information 14" is set to "not permitted".

UCP B in fig. 12B contains "use details 21" and "use details 22". The "ID 21" of the "use details 21" contains a predetermined ID assigned to the "use details 21". "type 21" contains a designation "paying a fee for four times of playback" containing information indicating the type of use for four times of playback. The "parameter 21" contains information indicating "play back four times" capable of playing back four times. The "control transmission permission information 21" is set to "not permitted".

The "ID" of the "usage detail 22" contains a predetermined ID assigned to the "usage detail 22". "type 22" includes the designation "pay twice-a-copy fee". "parameter 22" includes "duplicate twice". The "control transmission permission information 22" is set to "not permitted".

Here, details of UCP a and UCP B are compared, and at this time, a user having a usage point of 200 or more can select from four kinds of "usage details" fields: from "usage details 11" to "usage details 14", users with usage points of 200 or less can only be from two kinds

The "usage details" field is selected: "use details 21" to "use details 22".

Incidentally, fig. 12 shows UCP a and UCP B as an example. In fact, in addition to the service code shown in fig. 15A and the condition code shown in fig. 15B, the "use condition 10" of UCPA and the "use condition 20" of UCP B contain a numerical code indicating a numerical value or a predefined type according to the service code, respectively.

Fig. 16A shows a code value for each code of "user condition 10" and "device condition 10" set to "use condition 10" in UCP a (fig. 12A). Since "user condition 10" of "use condition 10" indicates 200 points or more, the service code 80xxh (fig. 15A) indicates "with a condition for use point", the numeric code 0000C8h indicates the numeric value 200 this time, and the condition code 06h (fig. 15B) indicates "> (equal to or less)", which are set as "user condition".

Since "device condition 10" in UCP a indicates "unconditional", the service code 0000h (fig. 15A) represents "unconditional", the numeric code FFFFFFh is meaningless, and the condition code 00h (fig. 15B) represents "unconditional", which are set as "device condition".

Fig. 16B shows a code value for each code of "user condition 20" and "device condition 20" set to "use condition 20" in UCP B. Since "user condition 20" of "use condition 20" indicates 200 points or less, service code 80xxh (fig. 15A) indicates "with a condition for use point", numeric code 0000C8h indicates numeric value 200, and condition code 03h (fig. 15B) indicates "> (less)", which are set as "user condition".

Since "device condition 20" in UCP B indicates "unconditional", similarly to "device condition 10" in UCP a, all have the same code value, and the description thereof is omitted.

Returning to fig. 11, the secure container preparation section 38 prepares a content provider secure container including, for example, a content a (encrypted with a content key KcoA), UCPA, UCP B, and a signature of the content provider, as shown in fig. 17. The signature is obtained by encrypting a hash value using a secret key (in this case, the secret key Kscp of the content provider 2) in the public key cryptosystem of the content provider. The hash value is obtained in turn by applying a hash function to the data that needs to be transmitted, in this case the content a (encrypted with the content key KcoA), the content key KcoA (encrypted with the transfer key Kd) and UCPA.

The secure container preparation section 38 transmits the content provider secure container to the service provider 3 by attaching the authentication certificate of the content provider 2-1 shown in fig. 18. The authentication certificate includes: its version number, the serial number assigned to the content provider 2-1 by the certificate authority, the algorithm and parameters used for signing, the validity period and name of the certificate of authenticity, the public key Kpcp and the signature of the content provider 2-1 (encrypted with the secret key Ksca of the certificate authority).

The signature is used to verify tampering. It is generated by an operation by means of a hash function, a hash value from the code to be transmitted and a secret key using a public key cipher to encrypt the hash value.

The hash function and signature authentication are described below. When data to be transmitted is input, a hash function is accepted, compressed to a certain bit length, and output as a hash value. The hash function is characterized by: it is difficult to predict the input (output) from the hash value, if one bit of the input data is changed, many bits of the hash value are changed, and it is difficult to find the input data having the same hash value.

The receiver that receives the signature and the data decrypts the signature with the encrypted public key to obtain a composite hash value. A hash value of the received data is calculated and compared with a hash value obtained by decrypting the signature to verify whether the two hash values are the same. If they are determined to be the same, the received data is not falsified and is transmitted through a transmitter having a secret key corresponding to the public key. Examples of hash functions for signatures include MD (message digest) 4, MD5, SHA (secure hash algorithm), and so forth.

The following describes public key cryptography. In contrast to a common key cipher that uses the same key (common key) in encryption and decryption, a public key cipher uses different keys in encryption and decryption. In public key cryptography, one of the keys is made publicly, but the others may not be kept secret. A key that can be made publicly is called a public key, and a secret key is called a secret key.

A typical public key cryptographic RSA (Rivest-Shamir-Adleman) is first described below. First, two prime numbers p and q of the same length are determined, and then their product is determined. The least common multiple L of (p-1) and (q-1) is computed, and a value e equal to or greater than 3 and less than L and coprime to L is determined (i.e., the values into e and L are only 1).

In the modulo-L algorithm, the multiplicative inverse d of element e is determined. In other words, the relationship ed ═ 1mod L exists among d, e, and L, where d can be calculated by the euclidean algorithm. Here, n and e are public keys, and p, q, and d are secret keys.

The cipher text C can be calculated from the plain text M by equation (1):

C＝M^emod n …(1)

the cipher text C is decrypted into the plain text M by equation (2):

M＝C^dmod n …(2)

the proof is omitted. The reason why plain text can be converted into cipher text by RSA and cipher text can be decrypted is that: RSA is based on the fermat first theorem and holds equation (3):

M＝C^d＝(M^e)^d＝M^ed＝M mod n …(3)

if one knows the secret keys p and q, he/she can calculate the secret key d from the public key e. However, if the number of digits of the content public key n is increased relative to the content due to a large number of calculations, and unique factorization of the content public key n is difficult, the secret key d cannot be calculated from the public key e, and the ciphertext cannot be decrypted from simple knowledge of the public key n. As described above, the RSA cryptosystem may use different keys in encryption and decryption.

Another public key cryptosystem, elliptic curve cryptography, is described below. Elliptic curve y by B²＝x³A point on + ax + b. To define the addition of points on an elliptic curve, B is increased by nBThe result was multiplied by n. Likewise, subtraction will be defined. It has been demonstrated that: it is difficult to calculate n from B and Bn. It is assumed that B and nB are public keys, and n is a secret key. The cipher texts C1 and C2 are calculated from the plain text M using a random number r and a public key by equations (4) and (5):

C1＝M+rnB …(4)

C2＝rB …(5)

the cipher texts C1 and C2 are decrypted into the plain text M using equation (6):

M＝C1-nC2 …(6)

decryption can only be performed if the secret key n is valid. From the above discussion it can be seen that: elliptic curve cryptography allows the use of synchronized keys in encryption and decryption, as is the case with RSA cryptosystems.

Returning to fig. 11, the mutual authentication section 39 of the content provider 2-1 performs mutual authentication with the EMD service center 1 before receiving the transmission key Kd from the EMD service center 1. Mutual authentication with the service provider 3 can also be performed before the content provider security container is sent to the service provider 3. In this example, since the content provider secure container does not contain secret information, the mutual authentication is not required.

Since the content provider 2-2 basically has the same configuration as the content provider 2-1, illustration and explanation in the drawings may be omitted.

(4) Service provider

The functional configuration of the service provider 3-1 is explained below with reference to a block diagram in fig. 19. The content server 41 stores: content (encrypted with a content key Kco), a content key Kco (encrypted with a transfer key Kd), UCP, and a signature of the content provider 2 contained in a content provider secure container provided by the content provider 3, and supplies them to the secure container preparation section 44.

The pricing portion 42 verifies the authenticity of the content provider secure container based on the signature contained in the content provider secure container provided by the content provider 2. In this case, the certificate of the content provider 2 is verified. If it is authentic, a public key of the content provider 2 is given. And, the authentication of the content provider secure container is verified based on the given public key.

If the authentication of the content provider security container is confirmed, it prepares PTs based on UCP contained in the content provider security container and provides them to the security container preparation section 44. Fig. 20 shows two price tags, PT-1 (fig. 20A) and PT-2 (fig. 20B), prepared according to UCP a of fig. 12A. One PT contains information specified in "content ID", "content provider ID", "UCPID", "service provider ID", "PT valid period", "pricing condition", and "price".

The "content ID", "content provider ID", and "UCP ID" of the PT contain information specified in the corresponding entry of UCP. That is, the "content IDs" of PT-1 and PT-2 contain the ID of content A, their "content provider ID" contains the ID of content provider 2-1, and their "UCPID" contains the ID of UCP A.

The "service provider ID" contains the ID of the service provider 3 having the PT given. The "service provider ID" of PTA-1 and PTA-2 contains the ID of service provider 3. "PT ID" contains the ID assigned to the given PT: the "PT ID" of PT A-1 contains the ID of PT A-1, and the "PT ID" of PT A-2 contains the ID of PT A-2. The "PT valid period" contains information on a given valid period of the PT: the "PT active period" of PTA-1 includes the active period of PTA-1, and the "PT active period" of PT A-2 includes the active period of PT A-2.

The "pricing condition" is composed of a "user condition" and a "device condition", similarly to the case with the "usage condition" in the UCP. The "user condition" contains information on the condition of a user who can select a given PT. The "device condition" contains information on the condition of a device capable of selecting a given UCP.

In the case of PT A-1, "pricing condition 10" is specified. The "user condition 10" of the "pricing condition 10" contains information indicating that the user is male ('male'). The "equipment condition" of the "pricing condition 10" is set to "unconditional". Thus, PT A-1 can only be selected by a male user.

In the "user condition 10" and the "device condition 10" of the "pricing condition 10", actually, the code value of each type of code is set as shown in fig. 21A. The "user condition 10" of the "pricing condition 10" includes a service code 01xxh (fig. 15A) indicating "condition with sex", a value code 000000h indicating male, and a condition code 01h (fig. 15B) indicating "═ sex". The "device condition 10" includes a service code 0000h indicating "unconditional", a numeric code FFFFFFh which does not mean in this case, and a condition code 00h indicating "unconditional".

In the case of PT A-2, "pricing condition 20" is specified. The "user condition 20" of the "pricing condition 20" contains information indicating that the user is female ('female'). The "equipment condition" of the "pricing condition 20" is set to "unconditional". Thus, PT A-2 can only be selected by female users.

In the "user condition 20" and the "device condition 20" of the "pricing condition 20", actually, the code value of each type of code is set as shown in fig. 21B. The "user condition 20" of the "pricing condition 20" includes a service code 01xxh (fig. 15A) indicating "condition with sex", a value code 000000h indicating a woman, and a condition code 01h (fig. 15B) indicating "═ sex". The "device condition 20" includes a service code 0000h indicating "unconditional", a numeric code FFFFFFh which does not mean in this case, and a condition code 00h indicating "unconditional".

Returning to fig. 20, the "price" of the PT includes usage payment when the content is used in the usage type specified in the "type" of the "usage details" of the corresponding UCP. It means that: since "type 11" of "usage details 11" is specified as "purchase and playback" in UCP a (fig. 12A), "2000 yen" specified in "price 11" on PT a-1 and "1000 yen" specified in "price 21" on PT a-2 indicate the purchase price (payment) of content a.

"600 yen" specified in "price 12" of PT a-1 and "300 yen" specified in "price 22" of PT a-2 are prices of rights to use the content a, as specified by "type 12" of "usage details 12" of UCP a, corresponding to the usage type "first generation copy". "100 yen" specified in "price 13" of PT a-1 and "50 yen" specified in "price 23" of PT a-2 are prices of rights to use the content a corresponding to the usage type "time-limited playback" as specified by "type 13" of "usage details 13" of UCP a. "300 yen" specified in "price 14" of PT a-1 and "150 yen" specified in "price 24" of PT a-2 are prices for using the content a corresponding to the usage type copied five times as specified by "type 14" of "usage details 14" of UCP a.

In this example, when comparing the price on PT A-1 (which can be used for males) and PT A-2 (which can be used for females), it can be seen that: the price on PT A-1 is twice as high as the price on PT A-2. For example, when "price 11" on PT A-1 for "usage details 11" of UCP A is "2000 yen", price 21 "on PT A-2 for" usage details 11 "of UCP A is" 1000 yen ". Similarly, the prices specified by "price 12" to "price 14" on PT A-1 are twice as high as the prices specified by "price 22" to "price 24" on PTA-2. In short, the female user can use the content a at a lower price.

Fig. 22 shows PT B-1 and PT B-2 prepared according to UCP B in fig. 12B. The PT B-1 in FIG. 22A includes the ID of content A, the ID of content provider 2-1, the ID of UCP B, the ID of service provider 3-1, the ID of PT B-1, the validity period of PT B-1, pricing conditions 30, and two types of prices 31 and 32.

The "user condition 30" of the "pricing condition 30" in the PT B-1 is set to "unconditional", and the "device condition 30" contains information of the device condition as a slave device ('slave device'). Thus, only PT B-1 can be selected when content A is used by a slave device.

In the "user condition 30" and the "device condition 30" of the "pricing condition 30", actually, the code value of each type of code is set as shown in fig. 23A. The "user condition 30" includes a service code 0000h (fig. 15A) indicating "unconditional", a numeric code FFFFFFh which makes no sense in this case, and a condition code 00h (fig. 15A) indicating "unconditional". The "device condition 30" is designated as "slave device", and therefore, the service code is set to 00xxh indicating "condition for device", the value code is set to 000064h indicating "value 10", and the condition code is set to 03h indicating "< (less)". In this example, since the device number is set to less than 100 for use by the slave device, such a code value is set.

Like the "type 21" of the "usage details 21" of the UCP B (fig. 12B) indicating "pay play 4 times", when four times of playback are performed, "100 yen" in the "price 31" on the PT B-1 is the price thereof. Also, "300 yen" in "price 32" is its price when two playbacks are performed, as "type 22" of "usage details 22" of UCP a indicates "pay play 2 fee".

As shown in fig. 22B, the PT B-2 prepared according to the UCP B includes an ID of content a, an ID of content provider 2-1, an ID of UCP B, an ID of service provider 3-1, an ID of PT B-1, a validity period of PT B-2, pricing conditions 40, and two types of prices 41 and 42.

The "user condition 40" of the "pricing condition 40" in the PT B-2 is set to "unconditional", and the "device condition 40" contains information of the device condition as the master device ('master device'). Thus, only PT B-2 can be selected when content A is used by the master device.

In the "user condition 40" and the "device condition 40" of the "pricing condition 40", actually, the code value of each type of code is set as shown in fig. 23B. The "user condition 40" of the "pricing condition 40" includes a service code 0000h (fig. 15A) indicating "unconditional", a value code FFFFFFh which makes no sense in this case, and a condition code 00h (fig. 15B) indicating "unconditional". In the "device condition 40", the service code is set to 00xxh indicating "with condition for device", the value code is set to 000064h indicating "value 100", and the condition code is set to 06h indicating "> (equal to or greater than)". In this example, since the device number is set to more than 100 for the master device, such a code value is set.

When content a is used according to the usage type indicated by "type 21" of "usage details 21" and "type 22" of "usage details 22" of UCP B, the prices indicated in "price 41" and "price 42" on PT B-2 are delivered.

Here, the price on PT B-1 (user slave) and PT B-2 (user master) are compared, finding: the price on PT B-1 is set to more than twice that on PT B-2. For example, when "price 31" on PT B-2 indicates "100 yen", price 41 "on PT B-2 indicates" 50 yen ". Similarly, when "price 41" on PT B-2 indicates "50 yen," price 42 "indicates" 150 yen.

Returning to fig. 19, the rule storage section 43 stores UCP of the content provided by the content provider 2 and supplies it to the secure container preparation section 44.

The secure container preparation section 44 prepares a service provider secure container including, for example: content a (encrypted with content key KcoA), content key KcoA (encrypted with transfer key Kd), UCP a, UCP B, signature of content provider 2, PT a-1, PT a-2, PT B-1, PT B-2, and signature of service provider, as shown in fig. 24.

Further, the secure container preparation section 44 provides the prepared service provider secure container to the user home network 5 by attaching an authentication certificate, as shown in fig. 25, by the version number thereof, the serial number assigned to the service provider 3-1 by the certificate authority, the algorithm and parameter for signature, the name of the certificate authority, the validity period of the authentication certificate, the name and public key Kpsp of the service provider 3-1, the signature of the certificate authority.

Returning again to fig. 19, the mutual authentication section 45 performs mutual authentication with the content provider 2 before receiving the content provider secure container from the content provider 2. It also performs mutual authentication with the user's home network 5 before sending the service provider security container to the user's home network 5. However, if the network 4 is a communication satellite network, the mutual authentication is not performed. In this example, since the content provider security container and the service provider security container do not contain secret information, the service provider 3 does not need to perform mutual authentication with the content provider 2 and the user home network 5.

Since the configuration of the service provider 3-2 is the same as that of the service provider 3-1, illustration and description thereof are omitted in the drawings.

(5) User home network

(5-1) receiver 51

Referring to fig. 26, a configuration example of the receiver 51 in the user home network 5 is shown. The receiver 51 is composed of a communication block 61, a SAM62, an external memory 63, a decompression section 64, a communication block 65, an interface 66, a display controller 67, and an input controller 68. The communication block 61 of the receiver 51 communicates with the service provider 3 or the EMD service center 1 through the network 4, and transmits and receives necessary information.

The SAM62 is composed of a mutual authentication module 71, a statistics module 72, a memory module 73, an encryption/decryption module 74, and a data verification module 75. Which is made of a single IC designed specifically for cryptographic use. It has a multilayer structure in which a multilayer memory cell is formed internally by a dummy layer of aluminum or the like. Since it operates at a small range of voltage or frequency, it is difficult to read data from the outside illegally (tamper-resistance).

The mutual authentication module 71 of the SAM62 transmits the SAM62 authentication certificate stored in the memory module 73 to the mutually authenticated partner (as shown in fig. 27) to perform mutual authentication, and supplies the encryption/decryption module 74 with a temporary key Ktmp (session key) shared by the mutually authenticated partner. The authentication certificate of the SAM contains information corresponding to information contained in the authentication certificate of the content provider 2-1 and the authentication certificate of the service provider 3-1. Therefore, the description thereof is omitted.

The statistics module 72 is an example of a Usage Control Status (UCS), and when rights of content have been purchased according to a usage type of 'purchase and playback', statistics information is prepared according to the details of usage of a selected UCP. Fig. 28 shows an example of UCS when rights of content have been purchased according to the usage type of 'purchase and playback'. Fig. 28 shows UCS a generated from usage details 11 and "price 11" on PT a-1 shown in fig. 20A in UCP a shown in fig. 12A. As shown in fig. 28, the UCS contains information specified in "content ID", "content provider ID", "UCP valid period", "service provider ID", "PTID", "PT valid period", "UCS ID", "SAM ID", "user ID", "usage details", and "usage history".

"content ID", "content provider ID", "UCP valid period", "service provider ID", "PT ID", and "PT valid period" of the UCS include information specified in the corresponding entry of the PT. Thus, in the case of USC A in FIG. 28, "content ID" includes the ID of content A, "content provider ID" includes the ID of content provider 2-1, "UCP ID" includes the ID of UCP A, "UCP valid period" includes the valid period of UCP A, "service provider ID" includes the ID of service provider 3-1, "PT ID" includes the ID of PTA-1, and

the "PT active period" includes the active period of PT A-1.

The "UCS ID" contains an ID assigned to a given UCS, and the "UCS ID" of UCS a contains an ID of UCS a. The "SAM ID" contains the ID of the device, and the "SAMID" of UCS a contains the SAM62ID of the receiver 51. The "user ID" contains the ID of the user who uses the content, and the "user ID" of UCS a contains the ID of user F.

The "usage details" are composed of items "ID", "type", "parameter", and "control transmission state". These items "ID", "type", "parameter", and "control transmission state" contain information specified in the corresponding items of "usage details" of the selected UCP. Thus, the "ID" of UCS a contains information (ID of usage detail 11) specified in "ID 13" of "usage detail 13" of UCS a, the "type" is set to 'limited time playback' specified in "type 11" of "usage detail 11", and the "parameter" contains information (start time and end time) specified in "parameter 11" of "usage detail 11".

If the "control transfer state" of the selected UCP is set to 'allowed' (i.e., control transfer is enabled), "control transfer state" of the "usage details" contains the destination IDs of the source device (the device that has purchased the content) and the destination device. If the control transfer is not performed, the ID of the source device is used as the ID of the destination device. If the "control transfer permission information" of the UCP is set to "not permitted", the "control transfer status" will be set to "not permitted". In this case, the control transfer of the content is not performed (not permitted). In the "control transmission state" of UCS a, the "control transmission permission information 11" of the "usage details 11" of UCP a is set to "allowed" and the IDs of both the source device and the destination device are set to the ID of the SAM62 because the control of the content a is not transmitted.

The "usage history" contains a history of usage types of the same content. Currently only information representing 'purchase and playback' is stored in the "usage history" of UCS a. For example, if the receiver 51 has previously used content a, the usage type is also stored.

In the case of the above-described UCS, the "UCP valid period" and the "PT valid period" have been specified. However, these items may not be assigned to the UCS. Also, even though the "content provider ID" has been assigned to the UCS described above, if the UCP ID is unique enough to identify the content provider, it may not be assigned. Also, if the PT ID is unique enough to identify the service provider, the "service provider ID" may not be specified.

The prepared UCS is sent to the external memory 63 and stored in its use information memory 63A, together with the content key Kco (encrypted with the save key Ksave) supplied from the decryption unit 91 of the encryption/decryption module 74 of the receiver 51. As shown in fig. 29, the usage information memory 63A of the external memory 63 is divided into M blocks (for example, 1MB each): BP-1 to BP-M. Each BP is in turn divided into N usage information memory areas: RP-1 to RP-N. In an appropriate usage information memory region RP of the usage information memory 63A, the UCS and the content key Kco (encrypted with one save key Ksave) provided by the SAM62 are stored in a paired form.

In the example of fig. 29, in the usage information memory area RP of the block BP-1, UCS a shown in fig. 28 and the content key KcoA (encrypted with one holding key Ksave) that encrypts the content a are stored in a paired form. In the use information memory areas RP-1 and RP-2 of the block BP-1, other content keys Kco1 and Kco2 (encrypted with one save key Ksave) and use control states UCS 1 and 2 are stored. The usage information memory areas RP-4 (not shown) to RP-M of the blocks BP-1 and BP-2 (not shown) to BP-M do not currently store any content key Kco or usage control status UCS and contain initial information indicating that they are empty. Then, the UCS and the content key Kco (encrypted with one save key Ksave) stored in the use information memory area RP will be collectively referred to as use information if they do not need to be handled separately.

Fig. 30 shows statistical information a prepared together with UCS a shown in fig. 28. As shown in fig. 30, the statistical information includes "content ID", "content provider ID", "UCP valid period", "service provider ID", "PT valid period", "UCS ID", "SAM ID", "user ID", "usage details", and "statistical history". The "content ID", "content provider ID", "UCP valid period", "service provider ID", "PT valid period", "UCS ID", "SAM ID", "user ID", and "usage details" of the statistical information include information specified in the corresponding entry of UCS. Thus, in the case of the statistical information a of fig. 30, "content ID" includes the ID of the content a, "content provider ID" includes the ID of the content provider 2-1, "UCP ID" includes the ID of UCP a, "UCP valid period" includes the valid period of UCP a, "service provider ID" includes the ID of the service provider 3, "PT ID" includes the ID of PT a-1, and "PT valid period" includes the valid period of PT a-1. The "UCS ID" contains the ID of UCS a, and the "SAM ID" contains the ID of SAM62, and the "user ID" contains the ID of user F of receiver 51, and the "usage details" contain the information specified in "usage details 11" of UCS a.

The "statistical history" of the statistical information contains information indicating the sum of the statistics calculated in the device. The "statistical history" of the statistical information a contains information of the sum calculated in the receiver 51.

In the above statistical information, even if the "UCP valid period" and the "PT valid period" have been designated, they may not be designated to the UCS. Also, even if the "content provider ID" has been specified in the above statistical information, if the UCP ID is unique enough to identify the content provider, it may not be specified. Also, if the PT ID is unique enough to identify the service provider, the "service provider ID" may not be specified.

Returning to fig. 26, the memory module 73 stores keys, for example, the public key Kpu of the SAM62, the secret key Ksu of the SAM62, the public key Kpesc of the EMD service center 1, the public key Kpea of the certificate authority, the secret key Ksave, and the transfer key Kd of three months, the certificate of authentication of the SAM62 (fig. 27), statistical information (for example, statistical information a in fig. 30), reference information 51, and M check values HP-1 to HP-M, as shown in fig. 31.

Fig. 32 shows the reference information 51 stored in the memory module 73. The reference information contains predetermined information assigned to each of the items "SAM ID", "device number", "settlement ID", "payment restriction", "statistical settlement user information", "affiliated user information", and "point-of-use information".

The "SAM ID", "device number", "settlement ID", "payment restriction", "statistical settlement user information", "affiliated user information", and "point-of-use information" of the reference information include information assigned to corresponding items in the system registration information (fig. 9) managed by the user management section 18 of the EMD service center 1. Thus, the reference information 51 contains the ID of the SAM62, the device number (100) of the SAM62, the settlement ID of the user F, the statistical settlement user information of the user F, general information (name, address, telephone number, settlement institution information, date of birth, age, and sex), the ID, and the password of the user, and the point-of-use information (similar information to that shown in fig. 10) shown in fig. 33 of the receiver 51.

The "payment limit" contains an upper limit for the amount paid, which varies depending on whether the given device is officially or temporarily registered. Since the receiver 51 has been officially registered, the "payment limit" of the reference information 51 contains an upper limit for the amount paid by the officially registered device ('officially registered'). The upper limit of the amount paid at the time of formal registration is higher than that at the time of temporary registration.

The following explains the M check values HP-1 to HP-M stored in the memory module 73 shown in FIG. 23. The check value HP-1 is a hash value obtained by using one hash function for all data stored in the block PB-1 of the usage information memory 63A of the external memory 63. The check values HP-2 to HP-M are hash values obtained by using a hash function on all data stored in the corresponding blocks PB-2 to PB-M of the external memory 63, as in the case of the check value HP-1.

Returning to fig. 26, the encryption/decryption module 74 of the SAM62 includes a decryption unit 91, a random number generation unit 92, and an encryption unit 93. The decryption unit 91 decrypts the encrypted content key Kco using the transfer key Kd, and outputs the result to the encryption unit 93. The random number generation unit 92 generates a random number with a predetermined number for generating a temporary key Ktemp, and outputs them to the encryption unit 93 if necessary (for example, during mutual authentication).

The encryption unit 93 encrypts the encrypted content key Kco again with the save key Ksave stored in the memory module 73. The encrypted content key Kco is supplied to the external memory 63. When the content key Kco is sent to the decompression section 64, the encryption unit 93 encrypts it using the temporary key Ktemp generated by the random number generation unit 92.

Data verification module 75 verifies the data in block BP of usage information storage 63A of external memory 63 by comparing the hash value of the data stored in block BP with the corresponding verification value HP stored in memory module 73 to determine whether tampering has occurred. The data verification module 75 also calculates the verification value HP and stores (updates) it in the memory module 73 when the purchase, use and control transfer of the content takes place.

The decompression section 64 includes a mutual authentication module 101, a decryption module 102, a decryption module 103, a decompression module 104, and an electronic watermark application module 105. The mutual authentication module 101 performs mutual authentication with the SAM62 and outputs a temporary key Ktemp to the decryption module 102. The decryption module 102 decrypts the content key Kco encrypted by the temporary key Ktemp using the temporary key Ktemp, and outputs the result to the decryption module 103. The decryption module 103 decrypts the content recorded in the HDD52 using the content key Kco, and outputs the result thereof to the decompression module 104. The decompression module 104 further decompresses the decrypted content by a method such as ATRAC 2, and outputs the result thereof to the electronic watermark application module 105. The electronic watermark applying module 105 prints electronic watermark information (for example, SAM62 ID) on the content for identification of the receiver 51 and outputs the result thereof to a speaker (not shown) to play back music.

The communication block 65 communicates with the receiver 201 of the user's home network 5. The interface 66 converts the signal from the SAM62 and the decompression section 64 into a prescribed form, and outputs the result thereof to the HDD 52. It also converts the signal from the HDD52 into a prescribed form and outputs the result to the SAM62 and decompression section 64.

The display controller 67 controls output to a display unit (not shown). The input controller 68 controls inputs from a control panel (not shown) composed of various buttons.

The HDD52 stores a registration list as shown in the image 34, and adds content and the like provided by the service provider 3. The registration list includes a list portion storing list information and a SAM information portion storing designation information relating to devices having the given registration list.

The SAM information part stores (in the "SAM ID" field) the SAM ID of the device having the given registration list, in this example, the SAM62ID of the receiver 51. It also stores (in the "validity period" field) the validity period of the registration list, the version number of the registration list (in the "version number" field) and the number of the connected device (including the device) in the "connected device number" field, for a total of two, in this example, including the receiver 51 itself and the receiver 201 connected thereto.

The manifest part includes nine items: "SAM ID", "user ID", "purchase", "statistics", "device bill", "master device", "status flag", "signature to condition", and "signature to registration list", and in this example, the specified information is stored in each item as the registration condition of the receiver 51.

The "SAM ID" stores the SAM ID of the device. In this example, the SAM62ID of the receiver 51 and the SAM212ID of the receiver 201 are stored. The "user ID" stores the ID of the user of the corresponding device, in this example, the ID of the user F and the ID of the user a.

The "purchase" stores information ('yes' or 'no') indicating whether the corresponding device can purchase the content (more precisely, purchase the right to use the content). In this example, since the receivers 51 and 201 are able to purchase content, 'yes' is stored.

The "statistics" stores information indicating whether the corresponding device can communicate with the EMD service center 1 to perform the statistics ('yes' or 'no'). In this example, since the user F is registered as the statistical settlement user and the user a is the same, the receivers 51 and 201 can perform statistics. The appropriate row of the "statistics" column stores a 'yes'.

The "device bill" stores the SAM ID with the device whose statistics are settled. In this example, since receivers 51(SAM 62) and 201(SAM 212) can perform statistics by themselves, SAM62ID and SAM212 IDs are stored.

If a given device receives content from other connected devices than from the service provider 3, the "master device" stores the SAM ID of the connected device that can provide the content. In this example, the receivers 51 and 201 receive content from the service provider 3, and therefore store information ('none') indicating a device that does not provide the content. Here, the provided content does not include control transfer.

The "status flag" stores any restrictions on the operation of a given device. If there is no such restriction, the appropriate information is stored ('unrestricted'). If there is some restriction or if there is some condition that will stop its operation, the appropriate information is stored (respectively 'restricted' or 'stopped'). For example, if settlement fails, the "status flag" of the device is set to 'restricted'. In this example, a device with the "status flag" set to 'restricted' may use already purchased content, but may not purchase new content. In short, there is a certain limitation on the device. In addition to this, if an illegal action such as illegal copying of contents is detected, the "status flag" is set to 'stop' and the operation of the device is stopped. Thus, the device is no longer able to receive any services from the EMD system.

In this example, no restrictions are set on the receivers 51, 201, and therefore their "status flags" are set to 'unrestricted'.

The "signature on condition" stores a signature of the EMD service center 1 on information stored in "SAM ID", "user ID", "purchase", "statistics", "device bill", "master device", "status flag". In this example, signatures of the restrictions on the receivers 51 and 201 are stored.

The "signature on registration manifest" stores signatures for all contents specified in the registration manifest.

(5-2) receiver 201

Fig. 35 shows an example of the configuration of the receiver 201. The components of the receiver 201 from the communication block 211 to the input controller 218 are the same as the components of the receiver 51 from the communication block 61 to the input controller 68. Here, detailed description thereof may be omitted.

The external memory 213 is divided into P blocks BM-1 to BM-P (for example, into 1 megabytes each), and has a transfer information memory 213A, each of which is divided into Q transfer information memory areas RM-1 to RM-Q. For example, when the control transfer of the content is performed, the external memory 213 stores a content key Kco (encrypted with a save key Ksave) for the content, an ID of the content, and a SAM ID of the source device (herein, all of these are included, referred to as transfer information if they do not need to be processed separately) sent from the SAM 12.

The content key KcoA (encrypted with one holding key Ksave), the content AID, and the SAM62ID of the content a (encrypted with the content key Kco), the content AID, are stored in the transfer information memory area RM-2 of the block BM-1 in the transfer information memory 213A of fig. 36. This represents that the control transfer of the content a from the receiver 51 in the transfer information storage 213A has been completed.

Transfer information memory areas RM-2 (not shown) to RM-Q of blocks BM-1 and BM-2 (not shown) to BM-P do not store transfer information, but store initial information (capable of storing initial information) indicating that they are empty.

The memory module 223 of the SAM212 stores the public key Kpu of the SAM212, the secret key Ksu of the SAM212, the public key Kpesc of the EMD service center 1, the public key Kpea of the certificate authority, the save key Ksave, and the transfer key Kd of three months, the certificate of authentication of the SAM212 previously assigned by the certificate authority, the reference information 201, and Q check values HM-1 to HM-Q, as shown in fig. 37.

The P check values HM-1 to HM-Q are hash values obtained by using a hash function on data stored in the blocks BM-1 to BM-Q of the transfer information memory 213A of the external memory 63.

The description of the HDD 202 is omitted because it has the same function as the HDD 52. The HDD 202 stores the registration condition of the receiver 51 indicated in the list part of the registration list of the receiver 51 in fig. 34, and the registration list (not shown) of the receiver 201 has one list part when the registration condition of the receiver 201 is set.

In this example, for the sake of simplicity, the external memory 63 of the receiver 51 has only the use information memory 63A, and the external memory 213 of the receiver 201 has only the use information memory 213A. Actually, the external memory 63 of the receiver 51 has a transmission information memory (not shown) in addition to the use information memory 63A. Similarly, the external memory 213 of the receiver 201 includes a transmission information memory (not shown) in addition to the use information memory 213A.

(6) Purchasing and utilizing content

The processing in the EMD system is described below with reference to the flowchart in fig. 38. It is assumed here that: the content a in the content provider 2-1 is provided to the receiver 51 of the user's home network 5 through the service provider 3-1 to be used.

(6-1) Transmission of delivery Key from EMD service center to content provider

In step S11, the transfer key Kd is provided by the EMD service center 1 to the content provider 2-1. The details of this process are shown in the flowchart of fig. 39. In step S31, the mutual authentication portion 17 (fig. 3) of the EMD service center 1 performs mutual authentication with the mutual authentication portion 39 (fig. 11) of the content provider 2-1. When the authentication of the content provider 2-1 is verified, the content provider management section 12 of the EMD service center 1 transmits the transfer key Kd provided by the key server 14 to the content provider 2-1. Details of the mutual authentication will be described below with reference to fig. 40 to 42.

The encryption section 36 of the content provider 2-1 receives the transfer key Kd transmitted from the EMD service center 1 in step S32, and stores them in step S33.

When the encryption section 36 of the content provider 2-1 stores the transfer key Kd, the process of step S11 ends, and step S12 in fig. 38 starts. Before explaining the process of step S12, mutual authentication (verification process for defense) in step S31 will be explained, assuming a scheme (fig. 40) of using one common key; a scheme using two common keys (fig. 41) and a scheme using one public key (fig. 42).

Fig. 40 is a flowchart illustrating an operation of using one common key of the common key DES cipher for mutual authentication between the mutual authentication section 39 of the content provider 2 and the mutual authentication section 17 of the EMD service center 1. In step S41, the mutual authentication section 39 of the content provider 2 generates a 64-bit random number R1 (which may also be generated by the random number generator section 35). In step S42, the mutual authentication section 39 of the content provider 2 DES-encrypts the random number R1 with a common key Kc stored in advance (the encryption section 36 may also be caused to perform the encryption). In step S43, the mutual authentication part 39 of the content provider 2 transmits the encrypted random number R1 to the mutual authentication part 17 of the EMD service center 1.

In step S44, the mutual authentication section 17 of the EMD service center 1 decrypts the received random number R1 with a common key Kc stored in advance. At step S45, the mutual authentication part 17 of the EMD service center 1 generates a 32-bit random number R2. At step S46, the mutual authentication part 17 of the EMD service center 1 replaces the lower 32 bits of the decrypted 64-bit random number R1 with the random number R2 to generate a concatenated R1_HII R2, wherein Ri_HIs the upper n bits of Ri, and a | B is the concatenation of a and B (the lower n bits of a and m bits B are concatenated to produce n + m bits). At step S47, the mutual authentication part 17 of the EMD service center 1 pairs R1 with the common key Kc_H| R2 performs DES decryption. In step S48, the mutual authentication part 17 of the EMD service center 1 transmits the encrypted R1 to the content provider 2_H‖R2。

In step S49, the mutual authentication portion 39 of the content provider 2 uses the common key Kc to the received R1_HIir 2. In step S50, the mutual authentication section 39 of the content provider 2 verifies the decrypted R1_HWhether or not the upper 32 bits of | R2 are identical to the upper 32 bits R1 of the random number R1 generated in step S41_HOtherwise, if they match, the EMD service center 1 is certified as legitimate. If R1 is produced_HWith the received R1_HAnd does not match, the process is terminated. If they match, the mutual authentication part of the content provider 2 in step S5139 generates a 32-bit random number R3. In step S52, the mutual authentication section 39 of the content provider 2 generates a concatenated R2 | R3 by placing the random number R2 in the upper position and the generated random number R3 in the lower position, the random number R2 being the R1 which takes out the received and decrypted_HThe low order 32 bits of | R2. In step S53, the mutual authentication portion 39 of the content provider 2 DES-encrypts R2 | R3 using the common key Kc. At step S54, the mutual authentication portion 39 of the content provider 2 transmits the encrypted concatenated R2 | R3 to the mutual authentication portion 17 of the EMD service center 1.

In step S55, the mutual authentication part 17 of the EMD service center 1 decrypts the received concatenated R2 | R3 using the common key Kc. At step S56, the mutual authentication part 17 of the EMD service center 1 checks whether the upper 32 bits of the decrypted concatenated R2 | R3 are identical to the random number R2. If they match, the content provider 2 is certified as legitimate. Otherwise, the process is terminated and the content provider 2 is determined to be illegal.

Fig. 41 is a flowchart illustrating an operation of using two common keys Kc1 and Kc2 in the common key DES cipher for mutual authentication between the mutual authentication section 39 of the content provider 2 and the mutual authentication section 17 of the EMD service center 1. In step S61, the mutual authentication section 39 of the content provider 2 generates a 64-bit random number R1. In step S62, the mutual authentication section 39 of the content provider 2 DES-encrypts the random number R1 with a common key Kc1 stored in advance. In step S63, the mutual authentication part 39 of the content provider 2 transmits the encrypted random number R1 to the EMD service center 1.

In step S64, the mutual authentication section 17 of the EMD service center 1 decrypts the received random number R1 with a common key Kc1 stored in advance. At step S65, the mutual authentication section 17 of the EMD service center 1 encrypts the random number R1 using a pre-stored common key Kc 2. At step S66, the mutual authentication part 17 of the EMD service center 1 generates a 64-bit random number R2. At step S67, the mutual authentication section 17 of the EMD service center 1 encrypts the random number R2 with the common key Kc 2. At step S68, the mutual authentication part 17 of the EMD service center 1 transmits the encrypted random numbers R1 and R2 to the mutual authentication part 39 of the content provider 2.

At step S69, the mutual authentication section 39 of the content provider 2 decrypts the received random numbers R1 and R2 using a pre-stored common key Kc 2. In step S70, the mutual authentication section 39 of the content provider 2 checks whether the decrypted random number R1 is the same as the random number R1 generated in step S61 (random number R1 before encryption). If they match, the EMD service center 1 is certified as legitimate. If they do not match, the process is terminated and the EMD service center 1 is determined to be illegal. In step S71, the mutual authentication portion 39 of the content provider 2 encrypts the decrypted random number R2 using the common key Kc 1. In step S72, the mutual authentication part 39 of the content provider 2 transmits the encrypted random number R2 to the EMD service center 1.

In step S73, the mutual authentication part 17 of the EMD service center 1 decrypts the received random number R2 using the common key Kc 1. At step S74, the mutual authentication section 17 of the EMD service center 1 checks whether the decrypted random number R2 is identical to the random number R2 generated at step S66 (random number R2 before encryption). If they match, the content provider 2 is certified as legitimate. If they do not match, the process is terminated, and the content provider 2 is determined to be illegal.

Fig. 42 is a flowchart illustrating an operation of using a 160-bit length elliptic curve in the public key cryptography for mutual authentication between the mutual authentication section 39 of the content provider 2 and the mutual authentication section 17 of the EMD service center 1. In step S81, the mutual authentication section 39 of the content provider 2 generates a 64-bit random number R1. In step S82, the mutual authentication section 39 of the content provider 2 transmits the random number R1 and an authentication certificate (obtained in advance from a certificate authority) containing its own public key Kpcp to the mutual authentication section 17 of the EMD service center 1.

In step S83, the mutual authentication section 17 of the EMD service center 1 decrypts the signature of the received authentication certificate using the secret key Ksca of the certificate authority obtained in advance, and takes out the hash value of one public key Kpcp of the content provider 2 and one name of the content provider 2. It also fetches the public key Kpcp and the name of the content provider 2 contained as plain text in the certificate of authentication. If the certificate of authenticity is a legitimate certificate of authenticity specified by the certificate authority, it can be decrypted, and the resultant hash value of the public key Kpcp and the name of the content provider 2 will match the hash value obtained by applying a hash function to the public key Kpcp of the content provider 2 and the name of the content provider 2 contained in the certificate of authenticity as plain text. This proves that the public key Kpcp is a legitimate public key without tampering. If its signature cannot be decrypted, or, even if it can be decrypted, if the hash values do not match, the public key or provider is illegal. In this case, the process is terminated.

If the authentication is successful, the mutual authentication part 17 of the EMD service center 1 generates a 64-bit random number R2 in step S84. In step S85, the mutual authentication section 17 of the EMD service center 1 generates a concatenation of R1 | R2 of random numbers R1 and R2. In step S86, the mutual authentication section 17 of the EMD service center 1 encrypts the concatenation R1 | R2 using its own secret key Ksesc. In step S87, the mutual authentication portion 17 of the EMD service center 1 encrypts the concatenation R | R2 using the public key Kpcp of the content provider 2 obtained in step S83. In step S88, the mutual authentication section 17 of the EMD service center 1 transmits the collocated R1 | R2 encrypted with the secret key Ksesc, the collocated R1 | R2 encrypted with the public key Kpcp, and the authentication certificate (obtained in advance from the certificate authority) containing its own public key Kpesc to the mutual authentication section 39 of the content provider 2.

In step S89, the mutual authentication section 39 of the content provider 2 decrypts the signature of the received authentication certificate using the secret key Kpca of the certificate authority obtained in advance, and if it is correct, takes out the public key Kpesc from the certificate. This process is similar to that in step S83, and therefore, the description thereof is omitted here. In step S90, the mutual authentication section 39 of the content provider 2 decrypts the concatenated R | R2 encrypted using the secret key Ksesc by using the public key Kpesc obtained in step S89. In step S91, the mutual authentication section 39 of the content provider 2 decrypts the concatenated R1 | R2 encrypted with its own public key Kpcp by using its own secret key Kscp. In step S92, the mutual authentication section 39 of the content provider 2 compares the concatenated R1 | R2 encrypted in step S90 with the concatenated R1 | R2 encrypted in step S91. If they match, the EMD service center 1 is certified as legitimate. If they do not match, the process is terminated and the EMD service center 1 is determined to be illegal.

If the authentication is successful, the mutual authentication part 39 of the content provider 2 generates a 64-bit random number R3 in step S93. In step S94, the mutual authentication section 39 of the content provider 2 generates a concatenation R2 | R3 of the random number R2 obtained in step S90 and R3 obtained in step S93. In step S95, the mutual authentication portion 39 of the content provider 2 encrypts the concatenation R2 | R3 using the public key Kpesc obtained in step S89. In step S96, the mutual authentication portion 39 of the content provider 2 transmits the encrypted concatenated R2 | R3 to the mutual authentication portion 17 of the EMD service center 1.

At step S97, the mutual authentication section 17 of the EMD service center 1 decrypts the encrypted concatenated R2 | R3 using its own secret key Ksesc. In step S98, the mutual authentication section 17 of the EMD service center 1 checks whether the decrypted random number R2 is identical to the random number R2 (random number R2 before encryption) generated in step S84. If they match, the content provider 2 is certified as legitimate. If they do not match, the process is terminated, and the content provider 2 is determined to be illegal.

As described above, the mutual authentication section 17 of the EMD service center 1 and the mutual authentication section 39 of the content provider 2 perform mutual authentication. The random number used for mutual authentication is a temporary key Ktemp that is valid only for processing after a given mutual authentication.

(6-2) Transmission from content provider to service provider

The processing of step S12 in fig. 38 is explained next. In step S12, the content provider security container is provided to the service provider 3-1 by the content provider 2-1. The details of this processing are shown in the flow of fig. 43. In step S201, the electronic watermark application section 32 (fig. 11) of the content provider 2 reads the content a from the content server 31, inserts a predetermined electronic watermark representing the content provider 2, and provides the content a to the compression section 33.

The compression section 33 of the content provider 2-1 compresses the content a with the electronic watermark by a predetermined method such as ATRAC 2 and supplies it to the decryption section 34 at step S202. In step S203, the random number generator section 35 generates a random number serving as the content key KcoA and supplies it to the decryption section 34.

In step S204, the decryption section 34 of the content provider 2-1 encrypts the content a, which is provided with the electronic watermark and compressed, in a predetermined method such as DES by using the random number (content key KcoA) generated by the random number generator section 35. Then, in step S205, the encryption section 36 encrypts the content key KcoA in a predetermined method, for example, DES, using the transfer key Kd provided by the EMD service center 1.

At step S206, the secure container preparation section 38 of the content provider 2-1 calculates a hash value by using a hash function for the content a (encrypted using the content key KcoA), the content key KcoA (encrypted using the transfer key Kd), and UCP a and UCP B (fig. 12) for the content a stored in the rule storage section 37, and encrypts the hash value using its own secret key Ksesc to generate the signature shown in fig. 17.

In step S207, the secure container preparation section 38 of the content provider 2-1 prepares a content provider secure container containing, as shown in fig. 17, content a (encrypted using the content key KcoA), content key KcoA (encrypted using the transfer key Kd), UCP a and UCP B (fig. 12), and the signature generated in step S206.

In step S208, the mutual authentication section 39 of the content provider 2-1 performs mutual authentication with the mutual authentication section 45 (fig. 19) of the service provider 3-1. Since the mutual authentication process is similar to that described with reference to fig. 40 to 42, the description thereof is omitted. In step S209, the secure container preparation portion 38 of the content provider 2-1 transmits the content provider secure container prepared in step S207 to the service provider 3-1 by attaching an authentication certificate (fig. 18) specified in advance by a certificate authority.

When the content provider secure container is provided to the service provider 3-1 as described above, the process of step S12 ends, and step S13 in fig. 38 starts.

(6-3) content Transmission from service provider to receiver

In step S13, the service provider security container is provided from the service provider 3-1 to the user' S home network 5 (receiver 51). The details of this processing are shown in the flow of fig. 44. At step S221, the pricing portion 42 (fig. 19) of the service provider 3-1 verifies the signature contained in the certificate of authenticity attached to the content provider security container transmitted by the content provider 2-1. If the certificate of authenticity (fig. 18) is not falsified, the pricing portion 42 extracts the public key Kpcp of the content provider 2-1 from the certificate of authenticity. Since the confirmation of the authentication certificate is similar to the process of step S83 in fig. 42, the description thereof is omitted here.

In step S222, the pricing part 42 of the service provider 3-1 decrypts the signature in the content provider secure container transmitted by the content provider 2-1 by using the public key Kpcp of the content provider 2-1. It verifies that the content provider secure container is tampered by determining whether the composite hash value matches a hash value obtained by using a hash function on content a (encrypted using content key KcoA), content key KcoA (encrypted using transfer key Kd), and UCPA and UCP B. If the two hash values do not match (tampering is detected), the process is terminated. But in this example, assuming that the content provider secure container is not tampered with, step S223 is performed next.

In step S223, the pricing portion 42 of the service provider 3-1 takes out the content a (encrypted using the content key KcoA), the content key KcoA (encrypted using the transfer key Kd), and the signature from the content provider secure container, and supplies them to the content server 41, and then stores them. Also, the pricing section 42 takes the UCPA and UCPB from the content provider secure container and supplies them to the secure container preparation section 44.

In step S224, the pricing part 42 of the service provider 3-1 prepares PTA-1, PTA-2 (FIG. 20) and PT B-1, PT B-2 (FIG. 22) based on the extracted UCPA and provides them to the secure container preparation part 44.

In step S225, the secure container preparation portion 44 of the service provider 3-1 prepares the service provider secure container shown in fig. 24 from the content a (encrypted using the content key KcoA), the content key KcoA (encrypted using the transfer key Kd), the UCP a, UCP B, PT a-1, PT a-2, PT B-1, PT B-2, and their signatures provided from the pricing portion 42.

In step S226, the mutual authentication section 45 of the service provider 3-1 performs mutual authentication by the mutual authentication module 71 (fig. 26) of the receiver 51. Since the mutual authentication process is similar to that described with reference to fig. 40 to 42, the description thereof is omitted here.

In step S227, the secure container preparation section 44 of the service provider 3-1 transmits the service provider secure container prepared in step S225 to the receiver 51 of the user home network 5 by attaching the authentication certificate (fig. 25) of the service provider 3-1.

When the service provider secure container is provided to the receiver 51 by the service provider 3 as described above, the process of step S13 ends, and step S14 in fig. 33 starts.

(6-4) recording of content by receiver

In step S14, the service provider security container transmitted by the service provider 3-1 is received with the receiver 51 of the user' S home network 5. The details of this processing are shown in the flowchart of fig. 45. In step S241, the mutual authentication module 71 (fig. 26) of the receiver 51 performs mutual authentication with the mutual authentication section 45 (fig. 19) of the service provider 3-1 through the communication block 61. If the mutual authentication is successful, the communication block 61 receives a service provider secure container from the service provider 3-1 participating in the mutual authentication (fig. 24). However, in this example, assuming that the mutual authentication is successful, step S242 is executed next.

In step S242, the communication block 61 of the receiver 51 receives the authentication certificate of the secret key from the service provider 3-1 participating in the mutual authentication.

In step S243, the encryption/decryption module 74 of the receiver 51 verifies whether the signature contained in the service provider secure container received in step S241 is tampered. If tampering is detected, the process is terminated. In this example, assuming that there is no tampering, step S224 is next performed.

In step S244, UCP satisfying the use condition and PT satisfying the pricing condition are selected according to the reference information 51 (fig. 32) stored in the memory module 73 of the receiver 51 and displayed on a display unit (not shown) through the display controller 67. The user selects the details of use of one of the UCPs by operating its operation panel (not shown) with reference to the displayed details of the UCPs and PTs. Then, the input controller 68 outputs a signal corresponding to a user operation input from the operation panel to the SAM 62.

In this example, the "usage point information" of the reference information 51 indicates that the content usage point count of the content provider 2-1 is 222 points, as shown in fig. 33. Based on the reference information 51, UCP a, which represents "user condition 10" including "usage condition 10" of '200 points or more', is selected from UCP a and UCP B set in accordance with the content a. Further, since the "statistical settlement user information" of the reference information 51 sets the user F to 'male', the "pricing condition 10" of the PT a-1 is satisfied (fig. 20A). Therefore, in this example, PTA-1 is selected from PTA-1 and PTA-2 prepared in accordance with UCPA, and details of UCP A and PT A-1 are displayed on the display unit. In this example, as described above, the user F selects the usage details 11 of UCPA (the price 11 of PTA-1).

In step S245, the statistical module 72 of the SAM62 of the receiver 51 prepares UCS a (fig. 28) and counts information a (fig. 30) based on all "use details 11" of UCP a (all "use details 11" of PT a-1) selected in step S244. In this case, this means that the content a is purchased and played back in 2000 yen.

In step S246, the content a (encrypted using the content key KcoA), UCP a, PTA-1, PTA-2, and the signature of the content provider 2 are taken out from the service provider secure container, output to the HDD52, and stored therein. In step S247, the decryption unit 91 of the encryption/decryption module 74 decrypts the content key KcoA (encrypted with the transfer key Kd) contained in the service provider secure container using the transfer key Kd stored in the memory module 73.

In step S248, the encryption unit 93 of the encryption/decryption module 74 encrypts the content key KcoA encrypted in step S247 by the save key Ksave stored in the memory module 73.

In step S249, the data verification module 75 of the SAM62 searches the usage information memory 63A (fig. 29) of the external memory 63 for a block BP having a free space, and determines whether the content key KcoA encrypted using the save key Ksave in step S248 and UCS a prepared in step S245 are stored in a matching pair. In this example, the block BP-1 of the usage information memory 63A in fig. 29 is detected. Incidentally, in the usage information memory 63A of FIG. 22, the usage information memory area RP-3 of the block BP-1 is indicated as having stored the content keys KcoA and UCS A. However, in this example, they are not stored at this point, and the use information memory area RP-3 of the block BP-1 is empty, containing predetermined initial information.

In step S250, the data verification module 75 of the receiver 51 obtains a hash value by applying a hash function to the block BP-1 data (all the data stored in the use information memory areas RP-1 to RP-N) detected in step S349. Next, in step S251, the data verification module 75 compares the hash value obtained in step S250 with the check value HP-1 (FIG. 31) stored in the memory module 73 and corresponding to the block BP-1. If they match, the block BP-1 data is not tampered, then step S252 is performed next.

In step S252, as shown in fig. 29, the SAM62 of the receiver 51 stores the usage information (the content key KcoA encrypted with the save key Ksave in step S248 and UCS a (fig. 28) prepared in step S245) in the usage information memory region RP-3 of the block BP-1 in the usage information memory 63A (of the external memory 63).

In step S253, the data verification module 75 of the receiver 51 calculates a hash value by applying a hash function to the block BP-1 data in the usage information memory 63A, including the usage information stored in the usage information memory area RP-3 in step S252. In step S254, the data verification module 75 overwrites the check value HP-1 stored in the memory module 73 with the hash value. In step S255, the statistical module 72 stores the statistical information a prepared in step S245 in the memory module 73, and the process ends.

In step S251, if the data verification module 75 determines that the calculated hash value does not match the check value HP-1, the block BP-1 data is tampered. Therefore, the data verification module 75 proceeds to step S256. Where it is determined whether all blocks BP in the use information memory 63A of the external memory 63 have been checked. If it is determined that not all the blocks BP in the external memory 63 have been checked, it proceeds to step S257 and searches for undetected blocks (other blocks having free space), returning to step S250, where the rest of the processing is performed.

In step S256, if the data verification module 75 determines that all the blocks BP in the usage information memory 63A of the external memory 63 have been verified, there is no block BP (usage information memory area RP) capable of storing usage information. Thus, the process ends.

When the service provider secure container is thus received by the receiver 51, the process of step S14 ends, and step S15 in fig. 38 starts.

(6-4) playback of content

In step S15, the receiver 51 uses the supplied content a. In this example, the usage type of the content a is playback according to the usage details 11 of UCP a selected in step S224 of fig. 40. Thus, the playback of the content a will be explained below. The details of the playback are shown in the flowchart of fig. 46.

In step S261, the data verification module 75 of the receiver 51 calculates a hash value including the content key KcoA (encrypted using the save key Ksave) and UCS a stored in the use information memory area RP-3 in step S252 of fig. 45 by applying a hash function to the block BP-1 data in the use information memory 63A of the external memory 63.

In step S262, the data verification module 75 of the receiver 51 compares the hash value calculated in step S261 with the hash value (check value HP-1) calculated in step S253 of fig. 45 and stored in the memory module 73 in step S254. If they match, the block BP-1 data is not tampered, and then step S263 is performed.

In step S263, it is determined whether the content a is valid from the information (fig. 28) contained in the "parameter" of the "usage details" for UCS a. For example, since the "type" of the "usage details" for the UCS is set to 'limited time playback', the "parameter" of the UCS stores the start time and end time of usage. And it determines whether the current time is within the limit. Thus, if the current time is within the limit, the content is judged to be valid, and if it is not within the limit, the content is judged to be invalid. On the other hand, if the "type" of the "usage details" for UCS is set as one type that allows playback (copying) up to a certain amount of time, the "parameter" stores information about the time of the remaining amount of content that can be used. If the time of the effective amount stored in the "parameter" is not zero (0), the corresponding content is judged to be effective. On the other hand, if the effective amount of time is zero (0), the corresponding content is judged to be invalid.

Since the "type" of the "usage details" for UCS a is set to 'purchase and playback', in this example, content a is purchased and played back without limitation. Therefore, the "type" of the "usage details" for UCS a of the content is valid. Thus, in this example, in step S263, the content a is determined to be valid. Therefore, step S264 is then performed.

In step S264, the statistics module 72 of the receiver 51 modifies UCS a. Even if UCS a does not contain any information that should be modified, if the "type" of the "usage details" is set as a usage type that allows playback to a certain amount of time, the effective amount of time stored in the "parameter" is determined to be 1.

Next, in step S265, the SAM62 of the receiver 51 stores the UCS A modified in step S264 (in this example, without actually modifying) in the usage information memory region RP-3 of the block BP-1 in the usage information memory 63A of the external memory 63. In step S266, the data verification module 75 calculates a hash value including UCS a stored in step S265 by applying a hash function to the block BP-1 data in the usage information memory 63A of the external memory 63, and overwrites the check value HP-1 stored in the memory module 73 with the hash value.

In step S267, the mutual authentication module 71 of the SAM62 and the mutual authentication module 101 of the decompression section 64 perform mutual authentication, and share the temporary key Ktemp. The mutual authentication process is similar to that described with reference to fig. 40 to 42, and a description thereof is omitted. Random numbers R1, R2, and R3 or a combination thereof for mutual authentication are stored as temporary keys Ktemp.

In step S268, the decryption unit 91 of the encryption/decryption module 74 decrypts the content key KcoA (encrypted using the save key Ksave) stored in the block BP-1 (use information memory area RP3) in the use information memory 63A of the external memory 63 in step S252 of fig. 45, by using the save key Ksave stored in the memory module 73.

Next, in step S269, the encryption unit 93 of the encryption/decryption module 74 encrypts the decrypted content key KcoA using the temporary key Ktemp. In step S270, the SAM62 transmits the encrypted content key KcoA encrypted using the temporary key Ktemp to the decompression section 64.

In step S271, the decryption module 102 of the decompression section 64 decrypts the content key KcoA using the temporary key Ktemp. In step S272, the decompression section 64 receives the content a recorded on the HDD52 through the interface 66 (encrypted using the content key Kco). In step S273, the decryption module 103 of the decompression section 64 decrypts the content a (encrypted using the content key Kco) using the content key KcoA.

The decryption module 103 of the decompression section 64 decompresses the decrypted content a by a predetermined method such as ATRAC 2 at step S274. In step S275, the electronic watermark application module 105 of the decompression section 64 watermarks the content a for identification by the receiver 51. In step S276, the content a is output to a speaker or the like (not shown), and the process ends.

In step S277, if it is determined in step S262: the hash value calculated in step S261 does not match the hash value stored in the memory module 73 of the receiver 51, or if the content is judged to be invalid in step S263, the SAM62 executes predetermined error processing so that an error message is displayed on a display unit (not shown) through the display controller 67, and the processing ends.

In this method, when the content a is played back (used) on the receiver 51, the process ends, and the entire process in fig. 38 is performed.

(6-6) statistical Settlement

A processing procedure for settlement using the receiver 51 is described below with reference to a flowchart in fig. 47. This process is started when the amount that has been billed exceeds a preset upper limit (limit payment for official or provisional registration), or if the version of the transfer key Kd becomes obsolete and cannot be used to decrypt the content key Kco (encrypted using the transfer key Kd) in step S247 of fig. 45 (and cannot receive the service provider secure container).

In step S301, mutual authentication is performed between the receiver 51 and the EMD service center 1. The mutual authentication is similar to that described with reference to fig. 40 to 42, and the description thereof is omitted here.

Next, the SAM62 of the receiver 51 transmits an authentication certificate to the user management part 18 (fig. 3) of the EMD service center 1. In step S303, the SAM62 of the receiver 51 encrypts the statistical information stored in the memory module 73 by using the temporary key Ktemp shared with the EMD service center 1 in step S301, and transmits it to the EMD service center 1 together with the version of the transfer key Kd, UCP, and PT, and the registration list stored in the HDD 52.

After the information transmitted by the receiver 51 is received and decrypted in step S303, the subscriber management section 18 of the EMD service center 1 checks whether there is any illegal action of the receiver 51, which causes the "status flag" in the registration list to be set to 'stop' in step S304.

In step S305, the checkout part 19 of the EMD service center 1 analyzes the statistical information received in step S303 to calculate the number to be paid to the user (e.g., user F). Then, in step S306, the user management section 18 checks to see whether or not the settlement is successfully performed in step S305.

Next, in step S307, the user management section 18 of the EMD service center 1 sets registration conditions of the receiver 51 based on the verification results performed in steps S304 and S306, and attaches a signature thereto to prepare a registration list of the receiver 51.

For example, if illegal action is detected in step S304, the "status flag" is set to 'stop', which stops all subsequent processes. In short, the receiver 51 can no longer receive any services from the EMD system. On the other hand, if it is determined that: the "status flag" is set to 'restricted' in step S306, in which case the receiver 51 may no longer purchase any content, although it is able to play back the content that has already been purchased.

Next, the statistical settlement processing proceeds to step S308, where the user management section 18 of the EMD service center 1 encrypts the last version of the transmission key Kd (the transmission key Kd for the last three months) and the registration list prepared in step S307 using the temporary key Ktemp, and transmits the result thereof to the receiver 51. The registration manifest need not be encrypted because it is signed.

In step S309, the SAM62 of the receiver 51 receives the transfer key Kd and the registration list transmitted by the EMD service center 1 through the communication block 61, decrypts them, and stores them in the memory module 73, and the HDD52 stores the registration list. At the same time, the statistical information stored in the memory module 73 is deleted, and the registration list and the transfer key Kd are modified.

(6-7) controlling setting of transfer

A processing procedure used when control of the content a is transferred from the receiver 51 to the receiver 201 is described below with reference to a flowchart in fig. 48.

In step S401, mutual authentication is performed between the receivers 51 and 201. The mutual authentication is similar to that described with reference to fig. 40 to 42, and the description thereof is omitted here.

Next, in step S402, the SAM62 of the receiver 51 (source device that controls transmission) and the SAM212 of the receiver 201 (destination device that controls transmission) check whether control transmission of content is possible with reference to their own registration lists. In particular, the SAM of the source device (SAM 62 of the receiver 51) verifies whether the registration condition of the destination device (receiver 201) is included in its own registration list. If included, it is determined that controlled delivery of the content is possible. Also, the SAM of the destination device (SAM 212 of the receiver 201) checks whether the registration condition of the source device (receiver 51) is included in its own registration list. If included, it is determined that controlled delivery of the content is possible. If it is determined on either side that the control transfer of the content is not possible, the process is terminated. In this example, the registration lists of both receivers contain the registration conditions of both. Therefore, both sides determine that the control transfer of the content is possible, and the process proceeds to step S403.

Next, in step S403, the data verification module 225 of the receiver 201 searches the transfer information memory 213A (fig. 36) of the external memory 213 to find a block BM storing the transfer information (the content key KcoA encrypted using one holding key Ksave, the ID of the content a, and the ID of the SAM 62) received in step S414 described below. In this example, block BM-1 is checked in step S403. Incidentally, in the transfer information memory 213A of fig. 36, it is indicated that the transfer information memory area RM of the block BM-1 has stored the content key KcoA, the ID of the content a, and the ID of the SAM 62. In this example, they are stored at this point with transfer information memory region RM-1 empty.

In step S404, the data check module 225 of the receiver 201 checks whether the block BM-1 data checked in step S403 is falsified. In particular, data checking module 225 calculates a hash value by applying a hash function to the data stored in block BM-1 and checks whether the hash value matches the check value HM-1 stored in memory module 223 and corresponding to block BM-1. If they match, the block BM-1 is judged as not having been tampered, and the process proceeds to step S405.

In step S405, the SAM212 of the receiver 201 sends a signal to the receiver 51 via the communication block 215 indicating that controlled transfer of the content is possible.

At step S406, when the receiver 51 receives the signal indicating that the control transmission of the content is possible from the receiver 201, the data verification module 75 of the receiver 51 checks that the block BP-1 is located in the use information memory 63A (fig. 29) of the external memory 63, and stores the content key KcoA corresponding to the content a whose control is to be transmitted.

In step S407, the data check module 75 of the receiver 51 checks whether the block BP-1 data checked in step S406 is falsified. In particular, the data verification module 75 computes a hash value by applying a hash function to all data stored in block BP-1. Then, the data verification module 75 verifies whether the calculated hash value matches the check value HP-1 (the hash value calculated in step S253 and stored in step S254 of fig. 45) stored in the memory module 73 and corresponding to the block BP-1. If they prove to be the same, i.e. the block BP-1 data is not tampered, step S408 is then performed.

In step S408, the SAM62 of the receiver 51 checks whether the usage type of the content is 'purchase and playback', referring to UCS A in the block BP-1 (usage information memory region RP-3) checked in step S406 stored in the usage information memory 63A of the external memory 63

Type in "usage details" (fig. 28). When the "type" in the "usage details" is set to 'purchase and playback', the usage type of the content is judged to be 'purchase and playback' as in the case with UCS a, and the process proceeds to step S409.

In step S409, the SAM62 of the receiver 51 checks whether its own ID is specified as the ID of the destination device in the "control transmission state" in the "usage details" of UCS a, that is, whether the content is under transmission control. If the content is not under the transfer control, the process proceeds to step S410.

In step S410, the SAM62 of the receiver 51 specifies the ID of the SAM212 of the receiver 201, which is the destination device of the control transmission, the same as the ID of the destination device in the "control transmission state" in the "usage details" of UCS a. Next, in step S411, the data verification module 75 of the receiver 51 calculates a hash value by applying a hash function to the data stored in the block BP-1, which BP-1 stores UCS a (destination device ID changed from ID of SAM62 to ID of SAM 212) with the information in "control transmission state" in "use details" transformed in step S410. In step S412, the data verification module 75 rewrites the corresponding hash value HP-1 stored in the memory module 73 to the calculated hash value.

Next, in step S413, the SAM62 of the receiver 51 decrypts the content key KcoA (encrypted using one save key Ksave) stored in the block BP-1 (use information memory region RP-3) of the use information memory 63A of the external memory 63 by the save key Ksave, encrypts it with the temporary key Ktemp shared with the receiver 201 in step S401, and transmits it to the receiver 201 together with its own ID (ID of the SAM 62) and the ID of the content a specified in the "content ID" of UCS a. In execution of this process, the content a stored in the HDD52 is also transmitted to the receiver 201.

In step S414, the receiver 201 receives the content key KcoA (encrypted using the temporary key Ktemp), the ID of the SAM62, and the ID of the content a from the receiver 51. In step S415, the SAM212 of the receiver 201 decrypts the received content key KcoA (encrypted using the temporary key Ktemp) using the temporary key Ktemp, encrypts it again with the save key Ksave it has, and also stores it in the transmission information memory region RM-1 of the block BP-1 checked in step S403 in the transmission information memory 213A (fig. 36) of the external memory 213, together with the ID of the SAM62, the ID of the content a, and its own ID (the ID of the SAM 212), as shown in fig. 36.

Next, in step S416, the SAM212 of the receiver 201 is obtained by giving the SAM information to step S415

The data in the block BM-1 in which the transfer information is stored and which is located in the transfer information memory 213A is subjected to a hash function to calculate a hash value and overwrite it on the check value HM-1 stored in the memory module 223.

In step S417, the content provided by the receiver 51 is stored in the HDD 202.

If it is determined in step S404: the block BM-1 data in the transfer information memory 213A of the external memory 213 has been tampered with, or, if it is determined in step S407: the block BP-1 data in the use information memory 63A at step S63 has been tampered with, the process is terminated. That is, if the memory area storing the transfer information has been tampered with or the usage information has been tampered with (more precisely, if it is suspected that any of them has been tampered with), the controlled transfer of the content does not occur.

If it is determined in step S407: the usage type of the content a is not 'purchase and playback', or, it is determined in step S408 that: the process is also terminated if content a is under the control of the transfer. Briefly, controlled delivery of content can only occur (is permitted) in the event of a usage type that allows the content to be purchased and played back. Also, if the content is under control of the transfer, the controlled transfer of the content cannot occur further (not allowed).

(6-8) control of cancellation of transfer

A processing procedure for returning control of the content a to the receiver 51 after control of the content has been transferred to the receiver 201 (cancel control transfer) is described below with reference to the flowchart in fig. 49.

In step S431, mutual authentication is performed between the receivers 51 and 201. The mutual authentication is similar to that described with reference to fig. 40 to 42, and the description thereof is omitted here. Next, in step S432, the SAM62 of the receiver 51 (source device that controls transmission) and the SAM212 of the receiver 201 (destination device that controls transmission) check whether cancellation of control transmission is possible, referring to their own registration lists. The specialized processing therefor is basically the same as step S402 in fig. 48, and the description thereof is omitted here.

In step S433, the data verification module 75 of the receiver 51 searches the usage information memory 63A (fig. 29) of the external memory 63 for a block BP storing a content key KcoA for the content a (encrypted using the content key KcoA) under the transmitted control. In this example, block BP-1 is examined.

Next, in step S434, the data check module 75 of the receiver 51 checks whether the block BP-1 data checked in step S433 is falsified. The specialized processing therefor is basically the same as step S407 in fig. 48, and the description thereof is omitted here.

If the block BP-1 data in the use information memory 63A of the external memory 63 is judged in step S434 as not having been tampered, the process proceeds to step S435. SAM of receiver 51

The SAM62 reads out the ID of the SAM62 and the ID of the content a from UCS a (fig. 28) stored in the usage information memory 63A of the external memory 63, and transmits them to the receiver 201 together with an appropriate signal requesting cancellation of control transmission (hereinafter referred to as a cancellation control transmission request signal).

In step S436, the ID of the SAM62, the ID of the content a, and the cancel control transmission request signal are received from the receiver 51. Then, in step S437, the SAM212 of the receiver 201 searches the transfer information memory 213A of the external memory 213 to find a block BM storing the ID of the content a, which is the same as the ID of the received content a. In this example, block BM-1 is examined.

In step S438, the SAM212 of the receiver 201 determines whether the ID of the above-described SAM62 identical to the SAM62ID received in step S436 is stored in the block BM-1 (transfer information memory area RM-1) of the transfer information memory 213A of the external memory 213. If it is stored, step S439 is then performed. In this example, the transfer information memory area RM-1 of the block BM-1 stores the ID of the SAM62, and then the process proceeds to step S439.

In step S439, the SAM212 of the receiver 201 determines whether the block BM-1 storing the ID of the SAM62 has been tampered with. The specialized processing therefor is basically the same as step S404 in fig. 48, and the description thereof is omitted here. If it is determined in step S439 that: the block BM-1 is not tampered, the process proceeds to step S440.

In step S440, the SAM212 of the receiver 201 determines whether the content ID received in step S436 is stored in the block BM-1 (transfer information memory region RM-1) of the transfer information memory 213A of the external memory 213. If it is stored, step S441 is then performed. In this example, the transfer information memory area RM-1 of the block BM-1 stores the content ID of the content a, and then the process proceeds to step S441.

In step S441, the SAM212 of the receiver 201 deletes the transfer information from the block BM-1 (transfer information memory area RM-1) of the transfer information memory 213A of the external memory 213. As a result, the transmission information memory area RM-1 of the block BM-1 stores predetermined initial information. In the execution of this process, the content a stored in the HDD 202 is also deleted.

Next, in step S442, the data verification module 225 of the receiver 201 calculates a hash value from the transmission information deleted in step S441 by applying a hash function to the data in the block BM-1, which block BM-1 contains the transmission information memory area RM-1, and overwrites the hash value HM-1 stored in the memory module 223 and corresponding to the block BM-1 therewith.

In step S443, the SAM212 of the receiver 201 transmits a signal to the receiver 51 indicating that the control transfer of the content has been canceled (hereinafter referred to as a control transfer cancel signal).

In step S444, upon receiving the control transmission cancellation signal from the receiver 201, the SAM62 of the receiver 51 stores its own ID as the ID of the destination device in the "control transmission state" in the "usage details" of UCS a (the ID of the SAM62 has been designated as the ID of the source device).

Next, in step S445, the data verification module 75 of the receiver 51 calculates a hash value by applying a hash function to the data in the block BP-1 containing the information in the "control transmission state" in the "usage details" changed in step S444 (the destination device ID is changed from the ID of the SAM212 to the ID of the SAM 62). In step S446, the data verification module 75 overwrites the hash value HP-1 stored in the memory module 73 and corresponding to the block BP-1 with the calculated hash value.

When the control transmission of the content is canceled in the above-described manner, the transmission information is deleted from the destination device, the receiver 201, so that it cannot be used again by the receiver 201. Then, the SAM ID of the source device (SAM 62 of the receiver 51) is also specified as the ID of the destination device in the "control transmission state" in the "usage details", allowing the receiver 51 to perform a new control transmission of the content a.

In the above example, although the controlled transfer of the content is possible only when the type of the content is 'purchase and playback', the controlled transfer of the content may be started when the type of the content is 'limited time playback'.

Also, in the above example, although the receiver 51 sends a cancel control transfer signal to the receiver 201 (i.e., the receiver 51 requests the receiver 201 to cancel the control transfer), it is also possible to allow the receiver 201 to request cancellation of the control transfer.

Further, in the above example, although the public key Kpu of the SAM62 and the authentication certificate are stored in the memory module 73 of the receiver 51, they may be stored in the HDD 52. Also, the public key Kpu and the authentication certificate of the SAM212 may be stored in the HDD 202.

Further, although the content is music data in the above description, it may be moving image data, still image data, text data, or program data. In using a different type of content, a compression method suitable for the type of content may be selected: for example, if the content is image data, MPEG (moving picture experts group) may be used. It is also possible to select the type of electronic watermark appropriate for the content.

As for the common key cipher, DES, which is a block cipher, is used. However, FEAL, IDEA (international data encryption algorithm) proposed by NTT (trademark), or a stream cipher that encrypts one bit or several bits of data at the same time may also be used.

In the above description, although the common key cipher is used to encrypt the content and the content key Kco, a public key cipher may be used.

In the present specification, one system means an entire apparatus composed of two or more pieces of equipment.

As a providing medium for providing a program for executing the above-described processing, a recording medium such as a magnetic disk, a CD-ROM, or a solid-state memory, a communication medium such as a satellite, may also be used.

The receiver according to the above-described embodiment of the present invention allows the value information to be transmitted when the protection of copyright is guaranteed, since the value information has been transmitted when the transmission state information indicates that the value information has been transmitted; if the value information is supplied to the other information processing apparatus together with transmission information including a key required to encrypt the value information, the transmission status information is changed to indicate that the value information has been transmitted; and if a reply signal is received in response to a given control signal, the transmission state information becomes value information that has not been transmitted.

Further, according to the receiver of the embodiment of the present invention described above, since the stored transmission information is deleted when the value information, the transmission information containing the transmission information required to encrypt the value information and a given control signal are received from other information processing apparatuses, the value information used is allowed to be transmitted while the protection of copyright is ensured.

The present invention can be applied to an information processing system that encrypts and distributes music data, moving image data, still image data, text data, or program data.

Claims (6)

1. An information processing apparatus that is connected to another information processing apparatus and decrypts and uses encrypted value information, comprising:

a storage means for storing usage information including a key required to encrypt the value information, a usage condition of the value information, and transmission state information indicating whether the value information has been transmitted;

providing means for providing the value information to the other information processing apparatus together with appropriate transmission information including the key included in the usage information when the usage condition included in the usage information stored by the storage means is correct and the transmission state information included in the usage information indicates that the value information is not transmitted;

first changing means for changing the transmission state information to indicate that the value information has been transmitted when the value information and the transmission information have been supplied to the other information processing apparatus by the supplying means;

transmitting means for transmitting an appropriate control signal to the other information processing apparatus when the transmission state information contained in the usage information stored by the storage means has been transmitted and the transmission of the value information to the other information processing apparatus is canceled;

second changing means for changing the transmission state information to indicate that the value information is not transmitted when a reply signal from the other information processing apparatus is received in response to the control signal transmitted by the transmitting means.

2. The information processing apparatus according to claim 1,

the storage means is constituted by a plurality of blocks divided into storage areas storing the use information;

the information processing apparatus further includes:

computing means for computing a hash value by applying a hash function to all of the pieces of usage information stored in each block of the storage means,

hash value storage means for storing a hash value obtained by applying a hash function to all data stored in each block in the storage means,

decision means for deciding whether or not the storage means is tampered with based on a result of comparison between the hash value calculated by the calculation means and an appropriate hash value stored in the hash value storage means,

control means for controlling the providing operation of the providing means in accordance with the decision made by the decision means.

3. An information processing method for an information processing apparatus that is connected to another information processing apparatus and decrypts and uses encrypted value information, comprising:

a storage step of storing usage information including a key required to encrypt the value information, a usage condition of the value information, and transmission state information indicating whether the value information has been transmitted;

a providing step of providing, when the usage condition contained in the usage information stored by the storing step is a predetermined condition and the transmission state information included in the usage information indicates that the value information is not transmitted, the value information to the other information processing apparatus together with appropriate transmission information including the key contained in the usage information;

a first changing step of changing the transmission state information to indicate that the value information has been transmitted when the value information and the transmission information have been supplied to the other information processing apparatus by the supplying step;

a transmission step of transmitting an appropriate control signal to the other information processing apparatus when the transmission state information contained in the usage information stored by the storage step has been transmitted and the transmission of the value information to the other information processing apparatus is cancelled;

a second changing step of changing the transmission state information to indicate that the value information is not transmitted when a reply signal from the other information processing apparatus is received in response to the control signal transmitted by the transmitting step.

4. An information processing apparatus that is connected to another information processing apparatus and decrypts and uses encrypted value information, comprising:

receiving means for receiving value information from the other information processing apparatus and transmitting transmission information including a key required to encrypt the value information;

storage means for storing the transmission information received by the receiving means;

deletion means for deleting the transmission information stored in the storage means when an appropriate control signal is received from the other information processing means;

transmitting means for transmitting an appropriate reply signal when the transmission information is deleted by the deleting means.

5. The information processing apparatus according to claim 4,

the storage device is composed of a plurality of blocks divided into storage areas for storing usage information;

the information processing apparatus further includes:

computing means for computing a hash value by applying a hash function to all of the pieces of usage information stored in each block of the storage means,

hash value storage means for storing a hash value obtained by applying a hash function to all data stored in each block in the storage means,

decision means for deciding whether or not said storage means is tampered with based on a result of comparison between said hash value calculated by said calculation means and an appropriate hash value stored in said hash value storage means,

control means for controlling a transmission operation of the transmission means in accordance with the decision made by the decision means.

6. An information processing method for an information processing apparatus that is connected to another information processing apparatus and decrypts and uses encrypted value information, comprising:

a reception step of receiving value information from another information processing apparatus and transmitting transmission information including a key required to encrypt the value information;

a storage step of storing the transmission information received by the reception step;

a deleting step of deleting the transmission information stored in the storage device when an appropriate control signal is received from the other information processing device;

a sending step of sending an appropriate reply signal when the transmission information is deleted by the deleting step.