JP2010124071A - Communication device, communication method, and program - Google Patents

Abstract

Provided is a communication technique that enables an invalid communication device to be easily invalidated in a content distribution system.
A leecher 50A receives a torrent file from a sales server 54, accesses a tracker 51 based on the torrent file, acquires node information, and based on the node information, seeders 52A to 52C and a leecher 50B. And receiving each encrypted piece to obtain all encrypted pieces respectively corresponding to each piece. The leecher 50A requests the key server 53 for decryption information for decrypting each encrypted piece, and the key server 53 encrypts each decryption key for decrypting each encrypted piece. And the decryption information including the seed information used for encrypting each decryption key is transmitted to the leecher 50.
[Selection] Figure 1

Description

  The present invention relates to a communication device, a communication method, and a program.

  In general, there are a “single server type” and a “distributed server type” as systems for distributing contents. In a single server type system, for example, one content server, a license server, and a client are connected via a network, and content is distributed from the content server to each client. The content to be distributed is encrypted, and the license server has key information related to the encryption. In the content server, the content is held as E (KT) [C]. However, KT is a key called a title key, and C is plaintext content. E (KT) [C] indicates that C is encrypted with KT. The key information includes KT. The client B obtains the key information from the license server, encrypts the key information using a key KB unique to the client (client B), and receives the content E (KT) [C received from the content server. ] And keep it associated with it. The client B can use the content by decrypting the key information using the key KB, extracting the title key KT, and decrypting E (KT) [C] using the title key KT. it can.

  In such a configuration, when the client B downloads the content E (KT) [C] from the content server, the client B performs authentication and key exchange with each other. As a result, the client B shares the temporary key KtmpB. The content server encrypts the content E (KT) [C] using the temporary key KtmpB, and transmits the content E (KtmpB) [E (KT) [C]] to the client B. The client B decrypts the content E (KtmpB) [E (KT) [C]] using the temporary key KtmpB shared with the content server by the above-described authentication and key exchange, and E (KT) [C] Take out. In such a configuration, even if the encrypted content E (KtmpB) [E (KT) [C]] is illegally read on the network path, the illegally read content is the temporary key KtmpB. Without it, it cannot be decrypted. In other words, by encrypting content using a different temporary key for each client, the same content can be individualized for each client, thereby preventing unauthorized use of the content. For example, by making the temporary key KtmpA for the client A different from the temporary key KtmpB for the client B, the content E (KtmpA) [E (KT) [C]] distributed to the client A and the client B are distributed. Content E (KtmpB) [E (KT) [C]] is different data. In this way, the same content is individualized by the difference in the encryption key, so that unauthorized use of the content can be suppressed.

  However, in a single server type system, since the communication between the client and the content server is one-to-one, when many clients try to receive the content from the content server, the distribution efficiency deteriorates. is there.

  On the other hand, as a distributed server type system, for example, there is a content distribution system called BitTorrent based on P2P (for example, see Non-Patent Document 1). In such a system, different trackers, seeders, and leechers are connected to each other by P2P. In addition, the content to be distributed is divided into a plurality of pieces. The seeder is a node that distributes pieces constituting the content for the purpose of distributing (uploading) the content. The leecher is a node that receives each piece constituting the content and distributes the pieces constituting the content for the purpose of receiving (downloading) the content. In other words, the leecher may become a seeder when pieces of content are obtained to some extent. In this way, the seeder is prepared with the leecher that has received all or some of the pieces constituting the content changed to the seeder, and on the system side (in advance or in the middle of distribution) (seeder from the beginning). There is a thing. The latter is called the initial seeder. The initial seeder holds all pieces or some pieces that can constitute a certain content. Hereinafter, unless otherwise specified, a seeder means a seeder or an initial seeder, and a node means a leecher, seeder, or initial seeder. The tracker holds node information regarding each node, and provides node information to the leecher when accessed from the leecher.

  In such a configuration, when a leecher receives content distribution, first, information called a torrent file is acquired. The torrent file is given from, for example, a server operating a service for selling content to a content provider or user (referred to as a sales server) to another node or sales server, and further given from another node or sales server to a leecher. In addition, a torrent file recorded on a storage medium such as a CD-ROM may be distributed to a leecher offline. The Torrent File stores tracker information about content and file information of the content. The tracker information includes the connection destination of the tracker. The file information includes, for example, hash information of each piece constituting the content. The hash information is used to confirm the integrity of the piece. That is, the hash information is used to calculate a hash of a piece downloaded by the leecher and check the received piece against the hash value of the piece to confirm that the received piece has not been tampered with.

  When the leecher acquires such a torrent file, it connects to the tracker based on the tracker information. The tracker transmits the above node information to the leecher. The node information includes a list of connection destinations of one or more nodes. The leecher connects to a plurality of nodes based on the node information. The pieces delivered by each node often differ from node to node. Since the leecher can receive different pieces from a plurality of nodes, the leecher can receive the content at high speed.

  As described above, in the content distribution system based on P2P, content is distributed and held in a plurality of nodes. Therefore, in such a system, even if there are many nodes that receive content distribution, it is possible to receive content distribution from a plurality of other nodes by P2P. good.

  In this way, even in a content distribution system that can distribute content from a plurality of nodes, it is desirable to protect the content to be distributed by encryption in order to prevent unauthorized use of the content. However, in such a content distribution system, unlike a single server type system, the same content that each leecher receives from a seeder must be the same even in an encrypted state, It was difficult to distribute individually encrypted contents. For this reason, if one key for decrypting the encrypted content is exposed, there is a risk that all the content existing on the network can be decrypted.

  By the way, in Patent Document 1, a content is divided into a plurality of pieces, and each of the plurality of pieces is converted into a single plaintext and encrypted using a plurality of encryption keys to generate a ciphertext (referred to as an encrypted piece). A content distribution method is disclosed.

Bittorrent Protocol Specification v1.0 Japanese Patent No. 3917395

  Using the content distribution method disclosed in Patent Document 1, including a content distribution method that generates encrypted pieces by encrypting pieces using a plurality of encryption keys, the above-described fear can be eliminated. However, when an illegal reacher (for example, a leecher that has been hacked or a reacher that participates in an illegal act such as an illegal copy) is detected, it is desirable that the illegal reacher can be invalidated. As simple solutions for invalidating illegal leeches, for example, the following can be considered. The key server gives the decryption key of the encrypted piece to the leecher, and the key server manages the list of illegal leeches (black list), and there is a request for transmission of the decryption key of the encrypted piece from the leecher to the key server. In this case, the key server checks whether or not the leecher is on the black list, and transmits the decryption key of the encrypted piece from the key server to the leecher only when the leecher is not on the black list. It is a solution to do. However, this solution is not desirable because the management of the blacklist and the process of its collation are complicated.

  The present invention has been made in view of the above, and an object of the present invention is to provide a communication device, a communication method, and a program that can easily invalidate an unauthorized communication device in a content distribution system. To do.

  In order to solve the above-described problem, the present invention is a communication device that receives an encrypted piece in which a part of content is encrypted, and receives a plurality of the encrypted pieces from the first communication device. Means, request means for requesting information to decrypt each received encrypted piece from the second communication device, first storage means for storing a first key assigned to the own communication device, and reception Temporary information used to encrypt the decryption key received from the second communication device or the third communication device, the decryption key being a decryption key for decrypting each encrypted piece Encrypted from the second receiving device, the temporary information, the first key, and the second key encrypted using the first key so as to be decryptable. And a key decryption means for decrypting each decrypted key. To.

  Further, the present invention provides a communication device that communicates with another communication device that receives an encrypted piece in which a part of content is encrypted, and requests for requesting information for decrypting a plurality of the encrypted pieces Receiving means for receiving a message from the other communication device; generating means for generating temporary information used for encrypting a decryption key for decrypting the encrypted piece; and receiving the temporary information according to the request message. Transmission means for transmitting to the communication device.

  In addition, the present invention is a communication method executed by a communication device that receives an encrypted piece in which a part of content is encrypted. The communication device includes a first reception unit, a transmission unit, and a key decryption. First receiving step of receiving a plurality of the encrypted pieces from the first communication device, and a storage means for storing a first key assigned to the communication device. The request means requests the second communication device for information for decrypting each received encrypted piece, and the second receiving means decrypts each received encrypted piece. The decryption key encrypted with the decryption key is received from the second communication device or the third communication device, and the temporary information used for encrypting the decryption key is received from the second communication device. 2 receiving step and the key decryption means, A key decryption step of decrypting each of the encrypted decryption keys using the temporary information, the first key, and a second key encrypted so as to be decryptable using the first key. It is characterized by that.

  The present invention also provides a program for executing a computer included in a communication device that receives an encrypted piece in which a part of content is encrypted, and receives a plurality of the encrypted pieces from the first communication device. A requesting step for requesting information for decrypting each received encrypted piece to the second communication device, and a decryption key for decrypting each received encrypted piece. A second receiving step of receiving the encrypted decryption key from the second communication device or the third communication device and receiving temporary information used for encrypting the decryption key from the second communication device; A key decryption step for decrypting each decryption key encrypted using the temporary information, the first key, and a second key encrypted using the first key. Let it run .

  In addition, the present invention is a program for causing a computer included in another communication apparatus that receives an encrypted piece in which a part of content is encrypted, to decode a plurality of the encrypted pieces Receiving a request message for requesting from another communication device; generating a temporary information used for encrypting a decryption key for decrypting the encrypted piece; and according to the request message, the temporary message Causing the computer to execute a transmission step of transmitting information to the other communication device.

  According to the present invention, an invalid communication device can be easily invalidated in a content distribution system.

  Exemplary embodiments of a communication device, a communication method, and a program according to the present invention will be explained below in detail with reference to the accompanying drawings.

[Embodiment]
(1) Configuration <Configuration of content distribution system>
First, the basic configuration of the content distribution system according to the present embodiment will be described. FIG. 1 is a diagram showing a configuration of a content distribution system according to the present embodiment. In the content distribution system according to the present embodiment, the leechers 50A to 50B, the tracker 51, the seeders 52A to 52C, and the sales server 54 are connected to each other via the P2P network NT. The leechers 50A to 50B and the key server 53 are connected to each other via a network such as the Internet (not shown). Here, the nodes are leechers 50A to 50B and seeders 52A to 52C. The seeders 52 </ b> A to 52 </ b> C hold encrypted pieces obtained by encrypting each piece with a different encryption key for content divided into a plurality of pieces. Hereinafter, content composed of such encrypted pieces is referred to as encrypted content. Details of such encrypted content will be described later. Of the seeders 52A to 52C, the seeder 52A functions as the initial seeder described above. The seeder 52A holds all of the encrypted pieces generated by encrypting each piece constituting one content by using a plurality of encryption keys for the same piece and the torrent file. The tracker 51 holds node information for accessing each node. Note that node identification information is assigned to each node. The node identification information is identification information that can uniquely identify each node, for example, the IP address of each node. The key server 53 holds a decryption key for decrypting each encrypted piece. The sales server 54 holds a torrent file.

  The leecher 50A receives the torrent file from the sales server 54, accesses the tracker 51 based on the torrent file, acquires node information, and based on the node information, at least one of the seeders 52A to 52C and the leecher 50B. To receive each encrypted piece and obtain all encrypted pieces corresponding to each piece. The leecher 50A requests the key server 53 for decryption information for decrypting each encrypted piece, and the key server 53 encrypts each decryption key for decrypting each encrypted piece. Is sent to the leecher 50. As a method for encrypting each decryption key, an MKB (Media Key Block) method is applied. Details of the MKB system and decoding information will be described later. The same applies to the leecher 50B. Hereinafter, when it is not necessary to distinguish each of the leechers 50 </ b> A to 50 </ b> B, they are simply referred to as the leecher 50. When it is not necessary to distinguish the seeders 52A to 52C, they are simply referred to as seeders 52.

  Here, the content configuration will be described. Content refers to various digital data, for example, moving image data such as MPEG2 and MPEG4, audio data, text data, still image data, and the like, and content in which these digital data are encrypted is also referred to as content. . For example, content obtained by encrypting HD DVD Prepared Video Content in accordance with the AACS (Advanced Access Content System) specification is also content. Here, the entire content is represented as C. C may be plain text or encrypted. FIG. 2 is a diagram schematically showing a state in which the content is divided into a plurality of pieces. For example, content C is divided into one piece of content into N (N> 1) pieces C1 to CN. The data lengths of the pieces C1, C2,... CN may all be the same or not. Each of these N pieces C1 to CN is encrypted with a different encryption key. At this time, a piece of N pieces is encrypted with m different encryption keys for the same piece. The remaining (N−a) pieces are encrypted with one encryption key for the same piece. That is, for each of a pieces, the same piece is encrypted with m different encryption keys, and m different pieces (encrypted pieces) are generated. Each (N−a) pieces are encrypted with one encryption key, and one encrypted piece is generated for one piece. FIG. 3 is a diagram schematically showing each encrypted piece. An encryption composed of N encrypted pieces by changing the combination of encrypted pieces selected from each of m encrypted pieces corresponding to each of the a pieces. The entire content can be individualized.

  The content can be divided into pieces and the pieces can be encrypted by any of the tracker 51, the key server 53, and a server prepared by the content producer. Hereinafter, an apparatus that performs at least one of these is referred to as a piece processing apparatus. Each encrypted piece is given to the seeder 52A (initial seeder) from, for example, the tracker 51, the key server 53, or a trusted third party (for example, a server prepared by a content producer).

Next, the MKB method will be described. The MKB system is generally applied in a situation where there are a sender that encrypts and transmits data and a plurality of receivers that receive and decrypt the encrypted data (referred to as encrypted data). In such a situation, each recipient is assigned one or more decryption keys in advance. The sender uses the encryption key or keys assigned to the recipient so that the recipient to be revoked cannot compute plaintext and the non-revoked recipient can compute plaintext The plaintext is encrypted. A non-invalidated recipient computes the plaintext by decrypting the encrypted plaintext using one of the assigned decryption keys. MKB is data including one or a plurality of ciphertexts each encrypted so that the plaintext can be decrypted using a device key (first key), and includes key management including other data necessary for decryption by the receiver Information. In the case where identification information is assigned to each ciphertext, this identification information is an example of other data necessary for decryption by the receiver. The device key is data including one or more pieces of key information, and includes other data necessary for decryption by the receiver. Since device key identification information is assigned to each device key, other data necessary for decryption by the recipient is, for example, the device key identification information. The above-described plaintext is obtained by MKB processing described later using this device key and MKB. This plaintext is hereinafter referred to as a plaintext key (second key) for convenience of explanation. The plaintext key encrypted so that it can be decrypted using at least each device key is called an encrypted plaintext key. In general, when the data length of the data to be encrypted is large, the sender encrypts the data to be encrypted by using the plaintext key as a decryption key and the encryption key corresponding to the plaintext key. Encrypted data (encrypted data) is transmitted from the sender and received by the receiver. FIG. 4 is a diagram conceptually showing a basic processing flow performed by the receiver in the MKB system according to the present embodiment. As shown in the figure, in the present embodiment, the receiver uses the device key assigned to himself / herself to decrypt the encrypted plaintext key included in the MKB to obtain the plaintext key, and then The received encrypted data is decrypted using the plaintext key. An example of the MKB method is the MKB method disclosed in the following references 1 and 2.
(Reference 1) D. Naor, M. Naor, and J. Lotspiech, “Revocation and Tracing Schemes for Stateless Receivers,” In Proc. Of CRYPTO 2001, LNCS 2139, Springer-Verlag, pp.41-62, 2001.
(Reference 2) Japanese Patent No. 3917507

  The MKB system disclosed in Reference 1 is an MKB system based on common key cryptography. In the MKB system based on the common key encryption, the encryption key used when generating the encrypted plaintext key included in the MKB and the decryption key (device key) for decrypting the encrypted plaintext key are Are the same. On the other hand, the MKB system disclosed in Reference 2 is an MKB system based on public key cryptography. In the MKB system based on public key cryptography, an encryption key (public key) used to generate an encrypted plaintext key included in the MKB and a decryption key (device key) for decrypting the ciphertext Unlike, the encryption key can be made public (as a public key).

  When such a MKB method is applied to invalidate a certain leecher 50, an encrypted plaintext generated so that a correct plaintext key cannot be obtained even if the device key assigned to the leecher 50 is decrypted. Generate an MKB containing the key. That is, the plaintext key obtained by decrypting the encrypted plaintext key using the device key assigned to the non-invalidated leecher 50 and the encrypted plaintext using the device key assigned to the invalidated leecher 50 An MKB including an encrypted plaintext key that is different from the plaintext key obtained by decrypting the key is generated. According to such a configuration, even if the invalidated leecher 50 decrypts the encrypted plaintext key included in the MKB using the device key stored in the device key storage unit 504, the correct plaintext key is obtained. You can't get it.

  Next, the hardware configuration of each device including the leecher 50, the tracker 51, the seeder 52, and the key server 53 will be described. Each device is a control device such as a CPU (Central Processing Unit) that controls the entire device, a storage device such as a ROM (Read Only Memory) or a RAM (Random Access Memory) that stores various data and various programs, and a variety of devices. It has an external storage device such as an HDD (Hard Disk Drive) or CD (Compact Disk) drive device that stores data and various programs, and a bus that connects them, and has a hardware configuration that uses a normal computer. ing. Each device includes a display device that displays information, an input device such as a keyboard and a mouse that accepts user instruction input, and a communication I / F (interface) that controls communication with an external device. Connected by

<Configuration of seeder 52>
Next, in the hardware configuration described above, various functions realized when the CPU of the seeder 52 executes various programs stored in the storage device or the external storage device will be described. The seeder 52 associates each encrypted piece obtained by encrypting a plurality of pieces C1 to CN constituting the content C with an index (subscript) of each decryption key for decrypting each piece C1 to CN. I remember. Each decryption key may be the same as each encryption key, or may be different from each encryption key. In any case, since each piece C1 to CN is encrypted with an encryption key, each decryption key for decrypting each encrypted piece is encrypted using an index of each decryption key. Pieces can be identified. Each encrypted piece is assigned content identification information that can identify the content. Each such encrypted piece is stored in, for example, an external storage device.

Hereinafter, for the sake of simplicity, description will be made on the case where the encryption key and the decryption key are the same. If the index of the decryption key is represented by (i, j) and the decryption key is represented by K (i, j), each encrypted piece is represented as follows, for example.
E (K (i, j)) [Cj]
(Where i, j are integers, 1 ≦ i ≦ m, 1 ≦ j ≦ N (m> 1), different indexes (i, j), (i ′, j ′) ((i, j) ≠ ( i ′, j ′)) may be K (i, j) = K (i ′, j ′))

The encrypted content composed of such encrypted pieces is represented as follows, for example.
{E (K (i1, 1)) [C1], E (K (i2, 2)) [C2],…, E (K (iN, N)) [CN]}
(However, 1 ≦ i1,…, iN ≦ m)

The sequence of each encrypted piece in such encrypted content is represented by a combination of indexes of each encrypted piece, and is represented as follows, for example. Here, indexes corresponding to the pieces C1 to CN are arranged and represented in order from the left.
{(i1, 1), (i2, 2),…, (iN, N)}
(However, 1 ≦ i1,…, iN ≦ m)

Therefore, what the seeder 52 stores in association with each encrypted piece and the index is expressed as follows, for example.
{(E (K (i1, 1)) [C1], (i1, 1)), (E (K (i2, 2)) [C2], (i2, 2)),…, (E (K ( iN, N)) [CN], (iN, N))}
(However, 1 ≦ i1,…, iN ≦ m)

  Further, the seeder 52A as the initial seeder, for each encrypted piece corresponding to each piece constituting the content, all encrypted pieces generated by encrypting the same piece with a plurality of encryption keys. Is remembered. FIG. 5 is a diagram illustrating each encrypted piece stored in the seeder 52A. In the figure, it is shown that a piece out of N pieces (1 <a <N) is encrypted with a plurality of different encryption keys for the same piece. In the figure, the number of encryption keys used for encrypting the same piece varies from piece to piece. The number of encryption keys for piece C1 is m, and the number of encryption keys for piece C3 is two. However, in the present embodiment, the number of encryption keys used for encryption of the same piece may be the same for each piece. In this way, the piece processing apparatus encrypts the same piece with a plurality of different encryption keys for each of a (N <1 <a <N) pieces out of N pieces. It is possible to increase the number of encryption keys as the value increases.

  In the present embodiment, not limited to this, for example, as shown in FIG. 6, in the case of “a = N”, that is, for all N pieces, m pieces of the same piece Each may be encrypted with a different encryption key. According to such a structure, the variation of the sequence of an encryption piece can be increased. Also, as shown in FIG. 7, in the case of “a = 1”, that is, only one piece out of N pieces may be encrypted with m different encryption keys. According to such a configuration, distribution efficiency can be improved.

  In such a configuration, the seeder 52 transmits piece information indicating a sequence of encrypted pieces stored in the seeder 52 to the leecher 50 by access from the leecher 50. FIG. 8 is a diagram illustrating a data configuration of piece information. In the figure, it is shown that the encrypted piece corresponding to the piece C1 is decrypted with the decryption key K (1, 1), and the encrypted piece corresponding to the piece C2 is decrypted with the decryption key K (3, It is shown that it is decrypted by 2). That is, the piece information indicates the correspondence between each encrypted piece and the decryption key for decrypting each encrypted piece. When receiving a piece request for requesting an encrypted piece from the leecher 50 based on the piece information, the seeder 52 determines whether or not the requested encrypted piece is held, and the determination result is affirmative. In this case, the encrypted piece is transmitted to the leecher 50.

<Configuration of leecher 50>
Next, in the hardware configuration described above, various functions realized when the CPU of the leecher 50 executes various programs stored in a storage device or an external storage device will be described. FIG. 9 is a diagram illustrating a functional configuration of the leecher 50. The leecher 50 includes a content acquisition unit 500, a decryption information request unit 501, a decryption information acquisition unit 502, a content decryption unit 503, a device key storage unit 504, an MKB storage unit 505, and an MKB processing unit 506. Unit 507 and key ring decrypting unit 508. The content acquisition unit 500, the decryption information request unit 501, the decryption information acquisition unit 502, the content decryption unit 503, the MKB processing unit 506, the conversion unit 507, and the key ring decryption unit 508 are executed by a CPU program. Sometimes generated on a storage device such as a RAM. The device key storage unit 504 and the MKB storage unit 505 are stored in an external storage device such as an HDD. It is assumed that leecher identification information that can identify the leecher 50 is assigned to the leecher 50. The leecher identification information is stored in an external storage device such as an HDD.

  The content acquisition unit 500 receives each encrypted piece constituting the encrypted content from at least one of the seeders 52 via the P2P network NT. Specifically, the content acquisition unit 500 first receives a torrent file from the sales server 54. The Torrent File includes tracker information including tracker connection destination information for connecting to the tracker 51, and file information indicating what kind of encrypted pieces are included in the encrypted content. FIG. 10 is a diagram illustrating a torrent file. In the figure, as file information, an index corresponding to each encrypted piece is shown as information for specifying each encrypted piece. The tracker connection destination information is, for example, the IP address or URL of the tracker 51.

  Based on the torrent file, the content acquisition unit 500 accesses the tracker 51 via the P2P network NT, and node information for accessing a node (seeder 52, other leecher 50) connected to the P2P network NT. Is received from the tracker 51. Details of the node information will be described later. Then, the content acquisition unit 500 accesses at least one of the nodes based on the node information, and acquires piece information indicating a sequence of encrypted pieces held by the node and stored in the content acquisition unit 500. Then, the content acquisition unit 500 transmits a piece request for requesting each encrypted piece constituting the encrypted content to at least one of the nodes based on the piece information, and is transmitted in response to the piece request. By receiving the pieces, all the encrypted pieces (piece sequences) constituting the encrypted content are acquired. For example, among the encrypted pieces illustrated in FIG. 3, the content acquisition unit 500 acquires all the shaded encrypted pieces as a piece sequence. The content acquisition unit 500 stores the acquired encrypted piece in, for example, an external storage device.

  The device key storage unit 504 stores the device key assigned to the leecher 50 in association with the device key identification information assigned to the device key. The number of device keys stored in the device key storage unit 504 may be one or plural. The MKB storage unit 505 stores an MKB including an encrypted plaintext key that is a plaintext key encrypted in such a manner that it can be decrypted with each device key assigned to each of a plurality of different leechers 50. MKB identification information that can identify the MKB is assigned to the MKB. The MKB identification information is, for example, an MKB serial number. FIG. 11 is a diagram illustrating the data structure of the MKB. As shown in the figure, the MKB includes MKB identification information, a plaintext key verification record, and a plurality of encrypted plaintext keys. The plaintext key verification record is used to verify the MKB. Specifically, the plaintext key verification record is obtained by encrypting fixed data (for example, a sequence of numbers such as “01234XXX”) with the plaintext key Km. The fixed data is separately stored in advance in an external storage device such as an HDD of the leecher 50. The encrypted plaintext key includes one record for each device key identification information or group of device key identification information, and is included in the MKB. For example, one encrypted plaintext key corresponding to device key identification information '1' and one encrypted plaintext key corresponding to device key identification information '100' to '199' are included as separate records. Since each device key identification information corresponds to the device key as described above, each encrypted plaintext key can be decrypted by one of the key information included in the device key corresponding to the device key identification information. In FIG. 11, the MKB data configuration in the case where the plaintext key is encrypted (using the common key encryption method) using the device key is illustrated. May be. In this case, the encrypted plaintext key included in the MKB is, for example, an encrypted plaintext key obtained by encrypting the plaintext key using a public key corresponding to the device key corresponding to the device key identification information “1”. (The same applies to device key identification information other than “1”.) In addition, one encrypted plaintext key may be included in the MKB. In this case, the device key identification information may not be included in the MKB. Depending on the MKB method used (for example, when the MKB method based on the public key encryption disclosed in Reference 2 is used), the device key identification information may not be included in the MKB.

The decryption information request unit 501 transmits a request message for requesting decryption information for decrypting the piece sequence to the key server 53. The request message includes content identification information associated with the encrypted piece included in the piece sequence and reacher identification information assigned to the leecher 50. The decryption information can identify the encryption key bundle including each encryption decryption key in which each decryption key for decrypting the piece sequence is encrypted, the seed information, and the MKB used for decryption of the encryption key bundle. And MKB identification information. Details of the decryption key will be described later. The request message further includes index information indicating a combination (sequence) of indexes of each encrypted piece in the piece sequence as information designating each decryption key sequence. Such a sequence is represented as follows, for example.
{(i1, 1), (i2, 2),…, (iN, N)}
(However, 1 ≦ i1,…, iN ≦ m)

  The decryption information acquisition unit 502 receives the decryption information transmitted from the key server 53 according to the request message. The seed information is information used to encrypt a key ring for decrypting each encrypted piece held by the leecher 50, and is a temporary information used to decrypt an encrypted key ring (encrypted key ring). Information. When the MKB identification information included in the decryption information acquired by the decryption information acquisition unit 502 and the MKB identification information allocated to the MKB stored in the MKB storage unit 505 are the same, the MKB processing unit 506 The encrypted plaintext key included in the MKB is decrypted with the device key stored in the device key storage unit 504 to obtain a plaintext key. Further, the MKB processing unit 506, when the MKB identification information included in the decryption information acquired by the decryption information acquisition unit 502 and the MKB identification information assigned to the MKB stored in the MKB storage unit 505 are not the same, The former MKB identification information is assigned, and the MKB is acquired from a communication device other than the key server 53 such as a tracker 51, a sales server 54, or a server prepared by a content producer. Then, the MKB processing unit 506 decrypts an encrypted plaintext key that can be decrypted with the device key stored in the device key storage unit 504 among the encrypted plaintext keys included in the acquired MKB, and obtains a plaintext key.

The conversion unit 507 converts the plaintext key obtained by the MKB processing unit 506 using the seed information included in the decryption information acquired by the decryption information acquisition unit 502 according to the following Equation 1, and obtains a converted plaintext key. The converted plaintext key becomes a key bundle decryption key for decrypting the encrypted key bundle included in the decryption information acquired by the decryption information acquisition unit 502. Km ′ represents a converted plaintext key. Km represents a plaintext key. S represents seed information. F represents a function. As the function F, for example, 'F (x, y) = E (x) [y] Ay' may be used, or 'F (x, y) = D (x) [y] Ay' may be used. Then, 'F (x, y) = H (x || y)' may be used. A represents an exclusive OR for each bit. D represents a decryption function, and D (Key) [X] represents that X is decrypted with Key. That is, 'C = D (Key) [E (Key) [C]]'. H represents a hash function. || represents concatenation of data.
Km '= F (Km, S) (Formula 1)

The key ring decryption unit 508 uses the converted plaintext key converted by the conversion unit 507 to decrypt the encrypted key ring acquired by the decryption information acquisition unit 502 according to the following Expression 2, and the content acquisition unit 500 acquires Each decryption key for decrypting each encrypted piece is obtained. Z represents a key ring. K (i1,1), K (i2,2),..., K (iN, N) (where 1 ≦ i1,..., IN ≦ m) are decryption keys respectively corresponding to the pieces C1 to CN. Represents each decryption key included in the key ring.
K (i1,1) || K (i2,2) || ... || K (iN, N) = D (Km ') [Z] (Formula 2)

  The content decrypting unit 503 decrypts each encrypted piece obtained by the content obtaining unit 500 using each decryption key obtained by the key bundle decrypting unit 508, and obtains content composed of the decrypted pieces. .

  Although the leecher 50 may function as a seeder as described above, the functional configuration thereof has been described in the configuration of the seeder 52, and thus the description thereof is omitted here.

<Configuration of Key Server 53>
Next, various functions realized when the CPU of the key server 53 executes various programs stored in the storage device or the external storage device will be described. FIG. 12 is a diagram illustrating a functional configuration of the key server 53. The key server 53 includes a control unit 530, a packet processing unit 531, a network interface unit 532, a plaintext key storage unit 533, a content decryption key storage unit 534, a sequence information storage unit 536, and a sequence information verification unit 535. , An encryption key supply unit 537, a seed information generation unit 538, and an encryption unit 539. The entities of the control unit 530, the sequence information collation unit 535, the network interface unit 532, the packet processing unit 531, the encryption key supply unit 537, the seed information generation unit 538, and the encryption unit 539 are determined by the CPU. It is generated on a storage device such as a RAM when the program is executed. The content decryption key storage unit 534 and the plaintext key storage unit 533 are stored in, for example, an external storage device.

  The control unit 530 controls the entire key server 53, receives a request message from the leecher 50 via the network interface unit 532, and mediates an instruction from the sequence information verification unit 535 to the encryption key supply unit 537. To do. The packet processing unit 531 packetizes various data to be transmitted to an external device such as the leecher 50 and transfers it to the network interface unit 532 or acquires data based on the packet transferred from the network interface unit 532. The network interface unit 532 controls communication with the external device, transmits packetized data transferred from the packet processing unit 531, and transfers packets received from the external device to the packet processing unit 531.

  The plaintext key storage unit 533 stores the plaintext key in association with the MKB identification information and the content identification information associated with the MKB including the encrypted plaintext key obtained by encrypting the plaintext key.

  The content decryption key storage unit 534 is configured, for example, in an external storage device such as an HDD, and stores each decryption key for decrypting each encrypted piece. Each decryption key is represented as, for example, K (i, j) as described above.

The sequence information storage unit 536 is configured in an external storage device such as an HDD, for example, and associates sequence information indicating sequences corresponding to all key bundles transmitted to the leecher 50 in the past with content identification information and leecher identification information. Remember. The sequence corresponding to each key ring is expressed as follows, for example, similarly to the sequence shown in the index information described above.
{(i1,1), (i2,2),…, (iN, N)}
(However, 1 ≦ i1,…, iN ≦ m)

Whether the sequence information collation unit 535 collates the sequence information stored in the sequence information storage unit 536 with the index information received from the leecher 50, thereby transmitting a key bundle corresponding to the sequence indicated by the index information. To decide. Specifically, the sequence information matching unit 535, when the sequence information indicating the same sequence as the sequence indicated by the index information is not stored in the sequence information storage unit 536, the key bundle corresponding to the sequence indicated by the index information Decide to send. The key ring is expressed as follows, for example. Here, the decryption keys corresponding to the pieces C1 to CN are arranged and represented in order from the left.
{K (i1,1), K (i2,2),…, K (iN, N)}
(However, 1 ≦ i1,…, iN ≦ m)

  If the sequence information matching unit 535 determines to transmit the key ring, the sequence information matching unit 535 instructs the seed information generation unit 538 to generate seed information used for encryption of the key ring via the control unit 530. . In addition, when the sequence information collation unit 535 determines not to transmit the key bundle, the sequence information collation unit 535 instructs the encryption key supply unit 537 to prohibit transmission of the key bundle to the leecher 50 via the control unit 530.

The seed information generation unit 538 generates seed information by calculating seed information according to the following Equation 3 using the content identification information and the leecher identification information included in the request message received from the leecher 50 and the secret information. To do. The secret information is information that is not disclosed to the leecher 50 and is information that the key server 53 stores in an external storage device such as an HDD. K represents secret information. S represents seed information. CID represents content identification information. LID represents leecher identification information.
S = H (K || CID || LID) (Formula 3)

The encryption unit 539 encrypts the key bundle that the sequence information matching unit 535 has decided to transmit. Specifically, the encryption unit 539 reads out the decryption keys corresponding to the key bundle sequence determined to be transmitted by the sequence information matching unit 535 from the content decryption key storage unit 534 and receives the request message received from the leecher 50. The plaintext key associated with the content identification information included in is read from the plaintext key storage unit 533. Then, the encryption unit 539 uses the plaintext key and the seed information generated by the seed information generation unit 538 to encrypt the key bundle including each decryption key according to the following Equation 4, and encrypts each decryption key An encryption key ring containing is obtained. Z represents an encryption key ring. K (i1,1), K (i2,2),..., K (iN, N) represents each decryption key as described above. E represents the encryption function as described above.
Z = E (F (Km, S)) [K (i1,1) || K (i2,2) || ... || K (iN, N)] (Formula 4)

  The encryption key supply unit 537 includes a decryption including the encryption key bundle obtained by encrypting the key bundle by the encryption section 539, seed information used for encryption of the key bundle, and MKB identification information of the MKB to be used by the leecher 50. Information is transmitted to the leecher 50 via the network interface unit 532. The MKB identification information of the MKB to be used by the leecher 50 is MKB identification information associated with the plaintext key used by the encryption unit 539 to encrypt the key ring.

<Configuration of tracker 51>
Next, the configuration of the tracker 51 will be described. When accessed from the leecher 50, the tracker 51 transmits node information to the leecher 50 as connection destination information for accessing a node connected to the P2P network NT. The node information includes a set of an IP address and a port number. FIG. 13 is a diagram illustrating a data configuration of node information. In the figure, the nodes A to B are each one of the reachers 50A to 50B and the seeders 52A to 52C, and a set of an IP address and a port number of each node is shown.

  Here, how the tracker 51 generates node information will be described. For example, when a plurality of trackers 51 can exist, a certain node holds a torrent file including tracker connection destination information for connecting to one of the trackers 51, and holds an encrypted piece. And The node refers to the tracker connection destination information of the Torrent File, and transmits node identification information for uniquely identifying the node to the tracker 51. The node identification information is, for example, the IP address and port number of the node. When receiving the node identification information, the tracker 51 uses this to generate node information as shown in FIG.

(2) Operation Next, a procedure of content distribution processing performed by the content distribution system according to the present embodiment will be described with reference to FIG. The leecher 50 can receive the encrypted piece from other leechers 50, but here, for convenience of explanation, it is assumed that the encrypted piece is received from at least one of the seeders 52A to 52C.

  The leecher 50 first accesses the sales server 54 and acquires a torrent file (step S1). When the leecher 50 accesses the tracker 51 using the tracker connection destination information included in the tracker information included in the torrent file (step S2), the tracker 51 transmits node information to the leecher 50 (step S3). ). When the leecher 50 receives the node information (step S4), the leecher 50 accesses, for example, at least one of the seeders 52A to 52C using the node information (step S5). When accessed from the leecher 50, the seeder 52 transmits piece information indicating the sequence of encrypted pieces held by the seeder 52 to the leecher 50 (step S6).

  When receiving the piece information (step S7), the leecher 50 accesses at least one seeder 52 using the piece information (step S8). The leecher 50 transmits to the seeder 52 a piece request for requesting at least one of a plurality of encrypted pieces corresponding to each of the pieces C1 to CN, and receives each encrypted piece. . In response to the piece request from the leecher 50, the seeder 52 transmits the encrypted piece held by the seeder 52 to the leecher 50 (step S9). Specifically, the leecher 50 uses, for example, piece information received by accessing the seeder 52B to encrypt an encrypted piece E (K (i1, 1)) [C1] (i1 is an encrypted piece). For example, it is determined whether or not the seeder 52B holds an encrypted piece of “i1 = 1” in the case of an integer of 1 ≦ i1 ≦ m). The encrypted piece E (K (1, 1)) [C1] is received from the seeder 52B. If the seeder 52B does not actually hold the encrypted piece E (K (1, 1)) [C1], the leecher 50 then accesses another seeder 52 (for example, the seeder 52C). Then, piece information is acquired from the other seeder 52C. The leecher 50 uses the piece information in the same manner as described above to determine whether the seeder 52C holds the encrypted piece. If the determination result is affirmative, Access and attempt to obtain the encrypted piece. The leecher 50 repeats such a process to generate encrypted contents {E (K (i1, 1)) [C1], E (K (i2,2)) [C2], ..., E (K (iN, N)) [CN]}.

  Note that which of the encrypted pieces that the leecher 50 can exist corresponding to the piece Cj (1 ≦ j ≦ N) is the acquisition target, that is, E (K (i1, j)) ) [Cj] (i1 is an integer satisfying 1 ≦ i1 ≦ m), i1 is arbitrarily set from “1” to “m”. Therefore, the sequence {(i1, 1), (i2, 2),..., (IN, N)} is arbitrary for the encrypted pieces acquired by the leecher 50 corresponding to the pieces C1 to CN, respectively. Become.

  Further, when it is determined that the encrypted piece transmitted in step S9 cannot be completely received, the leecher 50 can return to any step before step S9 and start the process again. For example, when it is determined that it cannot be completely received, for example, even if an encrypted piece or a part of a specific encrypted piece is received, the number of failed attempts to acquire them, This is a case where the time from the start of the process becomes a predetermined threshold value or more.

  When the leecher 50 obtains all the encrypted pieces constituting the encrypted content, each of which is an encrypted piece corresponding to each piece constituting the content, the leecher 50 requests decryption information to decrypt each encrypted piece. A message is transmitted to the key server 53 (step S10). This request message includes index information {(i1, 1),..., (IN, N)} indicating a sequence corresponding to each decryption key, content identification information, and reacher identification information.

  When the control unit 530 of the key server 53 receives the request message via the network interface unit 532 (step S11), the sequence information matching unit 535 uses the index information included in the request message received in step S11. Thus, a collation process is performed (step S12). FIG. 15 is a flowchart showing the procedure of the collation process. In the collation process, the sequence information collation unit 535 collates the index information included in the request message received in step S11 with the sequence information stored in the sequence information storage unit 536 (step S140), and uses the index information. It is determined whether or not sequence information indicating the same sequence as the sequence shown is stored in sequence information storage unit 536 (step S141). That is, it is determined whether the key ring requested from the leecher 50 has been transmitted to any of the leechers 50 in the past.

  If the determination result is negative (step S141: NO), the sequence information matching unit 535 generates a key bundle {K (i1, 1), K (i2, 2),... Corresponding to the sequence indicated by the index information. , K (iN, N)}. Then, the sequence information matching unit 535 stores sequence information indicating the sequence in the sequence information storage unit 536 (step S142). Next, the sequence information matching unit 535 instructs the seed information generation unit 538 to generate seed information via the control unit 530. If the determination result in step S141 is affirmative, the sequence information matching unit 535 determines not to transmit the key bundle, and prohibits transmission of the key bundle to the leecher 50 via the control unit 530. Is sent to the encryption key supply unit 537 (step S144).

  Here, it is assumed that seed information generation unit 538 is instructed to generate seed information from sequence information collation unit 535 via control unit 530. Returning to FIG. 14, in this case, the seed information generation unit 538 generates seed information by calculating the seed information according to the above-described Expression 3. Next, the encryption unit 539 reads out the decryption keys corresponding to the key bundle sequence determined to be transmitted by the sequence information matching unit 535 from the content decryption key storage unit 534, and is included in the request message received from the leecher 50. The plaintext key associated with the content identification information is read from the plaintext key storage unit 533. Then, the encryption unit 539 encrypts the key bundle using the plaintext key read from the plaintext key storage unit 533 and the seed information generated by the seed information generation unit 538 according to the above-described equation 4, and the encrypted key bundle Is obtained (step S13). Thereafter, the encryption key supply unit 537 receives the decryption information including the encryption key bundle obtained in step S13, the seed information used for encrypting the key bundle, and the MKB identification information of the MKB to be used by the leecher 50, as a network interface. It transmits to the leecher 50 via the part 532 (step S14).

  On the other hand, when the leecher 50 receives the decryption information from the key server 53 (step S15: YES), the MKB processing unit 506 performs the MKB process (step S16). FIG. 16 is a flowchart illustrating the procedure of the MKB process performed by the MKB processing unit 506. The MKB process shown in the figure is based on the MKB system disclosed in the above-mentioned Reference Document 2, for example. The MKB processing unit 506 acquires the MKB to be used by the leecher 50 using the MKB identification information included in the decryption information (step S151). When the MKB identification information included in the decryption information and the MKB identification information associated with the MKB stored in the MKB storage unit 505 are the same, the MKB processing unit 506 reads the MKB storage unit 505 from the MKB. Is read. When the MKB identification information included in the decryption information is not the same as the MKB identification information associated with the MKB stored in the MKB storage unit 505, the MKB processing unit 506 is included in the decryption information. The MKB associated with the MKB identification information is requested to and received from a communication device other than the key server 53, such as a tracker 51, a sales server 54, or a server prepared by a content producer. Then, among the encrypted plaintext keys included in the MKB acquired in this way, a pair of the encrypted plaintext key and the device key that can be decrypted with the device key stored in the device key storage unit 504 is subjected to MKB processing. The unit 506 searches (step S152). That is, the MKB processing unit 506 determines which device key should be used to decrypt which encrypted plaintext key. This search is performed by the MKB processing unit 506 using, for example, device key identification information assigned to each device key. When identification information is assigned to each encrypted plaintext key, the MKB processing unit 506 may perform a search using this identification information as well. Then, the MKB processing unit 506 decrypts the encrypted plaintext key using the device key in the set obtained as a result of the search, and obtains a plaintext key (step S153).

  Returning to FIG. 14, the conversion unit 507 of the leecher 50 converts the plaintext key obtained in step S16 using the seed information included in the decryption information received in step S15 according to the above-described equation 1, and converts the converted plaintext. Get the key. The key ring decryption unit 508 of the leecher 50 uses the converted plaintext key converted by the conversion unit 507 to decrypt the encrypted key bundle included in the decryption information received in step S15 according to the above-described equation 2 to obtain the content Each decryption key for decrypting each encrypted piece obtained by the obtaining unit 500 is obtained (step S17). Then, the content decryption unit 503 uses each decryption key to create each encrypted piece E (K (i1,1)) [C1], E (K (i2,2)) [C2],..., E (K (iN, N) [CN]) is respectively decrypted, and the decrypted pieces C1 to CN are obtained, and content C composed of these pieces is obtained (step S18). That is, the leecher 50 decrypts E (K (i1, 1)) [C1] using the decryption key K (i1, 1) to obtain the piece C1, and uses the decryption key K (i2, 2). E (K (i2,2)) [C2] is obtained to obtain piece C2, and E (K (iN, N)) [CN] is decrypted using the decryption key K (iN, N). Thus, by obtaining piece CN and obtaining other pieces in the same manner, content C composed of pieces C1 to CN is obtained.

  If the leecher 50 is invalidated, the correct decryption key cannot be obtained even if the encrypted key bundle is decrypted using the plaintext key obtained in step S16. Therefore, even if each encrypted piece is decrypted using such a decryption key, it cannot be decrypted correctly. That is, the invalidated leecher 50 cannot correctly decrypt the content and cannot use the content.

  As described above, when the same content is distributed to a plurality of leechers 50 via the P2P network, the key server 53 determines whether the key ring can be transmitted using the sequence of encrypted pieces. Then, the key bundle determined to be transmitted by the key server 53 is encrypted by applying the MKB method, so that a plaintext key is required for the leecher 50 to decrypt the encrypted key bundle. According to such a configuration, it is not necessary for the key server 53 to manage information such as a black list indicating whether the illegal leecher 50 is one, and the illegal leecher 50 is invalidated by invalidating the illegal leecher 50. Can be prevented. In addition, by configuring the leecher 50 to transmit seed information from the key server 53 as information necessary for decrypting the encrypted key bundle, the seed information can be made different each time decryption information is requested. For this reason, it is possible to force the leecher 50 to access the key server 53 in order to use the content. This means that even if the device key is leaked, the encryption key ring cannot be decrypted using only the leaked device key without the leecher 50 accessing the key server 53. . That is, it is possible to suppress damage due to device key leakage. According to the above configuration, the key server 53 detects an illegal leecher 50 by monitoring a request message for requesting decryption information using the same leecher identification information and content identification information, for example. It becomes possible.

[Modification]
Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined. Further, various modifications as exemplified below are possible.

<Modification 1>
In the above-described embodiment, various programs executed by the leecher 50 may be stored on a computer connected to a network such as the Internet and provided by being downloaded via the network. The various programs are recorded in a computer-readable storage medium such as a CD-ROM, a flexible disk (FD), a CD-R, a DVD (Digital Versatile Disk), etc. in a file in an installable or executable format. May be configured to be provided. In this case, the program is read from the storage medium by the leecher 50 and executed by the leecher 50, so that the program is loaded onto a storage device such as a RAM, and each unit described in the functional configuration is generated on the storage device. The same applies to various programs executed by the key server 53.

<Modification 2>
In the above embodiment, the key server 53 is configured to include the sequence information matching unit 535 and the sequence information storage unit 536, and the leecher 50 includes the index information in the request message transmitted to the key server 53 in step S10. In step S12, the key server 53 performs collation processing using the index information, and determines whether or not to transmit the key bundle to the leecher 50. However, the key server 53 does not include the sequence information collation unit 535 and the sequence information storage unit 536, the leecher 50 does not include the index information in the request message transmitted to the key server 53 in step S10, and the key server 53 performs the collation in step S12. You may be made to perform the process after step S13 after step S11, without performing a process.

  In the above embodiment, as shown in FIG. 3, a piece out of N pieces is encrypted with m different encryption keys for the same piece. . However, a pieces are encrypted with one encryption key instead of a plurality of encryption keys, but (N−a) pieces are encrypted with an encryption key different from the encryption key to be encrypted. You may make it. Further, all N pieces may be encrypted with the same encryption key.

  In the above-described embodiment, each piece constituting the content is encrypted once and can be decrypted with one decryption key. However, at least one piece is included. Alternatively, multiple encryptions may be performed, and two or more decryption keys may be required for decrypting the piece.

  When multiple pieces are encrypted with a plurality of encryption keys, device secret information is given to each leecher 50, and the leecher 50 uses the device secret information as an encryption key to set a seeder 52, another leecher 50, or the like. The encrypted piece received from the other node is encrypted, and the encrypted piece is transmitted to the other leecher 50. In this way, encryption is performed every time an encrypted piece is transmitted from each node. For example, the leecher 50 that has performed encryption (for example, leecher 50A) also transmits its own leecher identification information to another leecher 50 (for example, leecher 50B) that is the transmission destination of the encrypted piece. When the leecher 50B further encrypts the encrypted piece and transmits the encrypted piece to another leecher 50 (for example, the leecher 50C), the leecher 50B and the reacher identification information of the leecher 50A that is the reception source and its own leecher identification Together with the information, it is transmitted to the leecher 50C.

  Note that it is not always necessary to use the device secret information SA itself given to the leecher 50 as an encryption key for encrypting the encrypted piece. For example, using the random number RA generated by the leecher 50, the hash value H (SA || RA) may be calculated and used as an encryption key, or an encryption key F (SA, RA) may be calculated using a function. In this case, the leecher 50 (the leecher 50A) also transmits the random number RA used for calculating the encryption key to the other leecher 50 (the leecher 50B). When transmitting the encrypted piece to the other leecher 50 (the leecher 50C), the leecher 50B transmits the random number transmitted from the leecher 50A and the random number generated by itself to the leecher 50C.

  The leecher 50 does not necessarily need to encrypt the entire encrypted piece, and may encrypt only a part of the encrypted piece. In this case, the leecher 50 (Leacher 50A) has encrypted information about which part of the encrypted piece is encrypted (for example, 32 bytes of data from the beginning (the 0th data) of the encrypted piece). In this case, (0, 31)) is transmitted to the other leecher 50 (leecher 50B). When the leecher 50B transmits the encrypted piece to the other leecher 50 (Leacher 50C), information about which part of the encrypted piece the leecher 50A has encrypted and which part of the encrypted piece itself is encrypted. The information regarding this is also transmitted to the leecher 50C. At this time, in order to know the order of the leechers 50 that have encrypted the encrypted pieces, for example, which part of the encrypted piece is encrypted so that the leecher 50B is encrypted after the leecher 50A. The information about or is arranged in order. Here, for example, assuming that the length of the piece is 128 bytes, the initial seeder 52A encrypts the whole piece (for example, 128 bytes of data), and then the leecher 50A that receives the encrypted piece receives 16 bytes of data from the beginning. The leecher 50B that receives the encrypted piece from the leecher 50C encrypts the next 16-byte data skipped by 16 bytes from the head, and so on. It may be determined in advance whether or not to convert. In this case, information regarding how many nodes (the leecher 50 and the seeder 52) the encrypted piece has passed may be used instead of the information regarding which part of the encrypted piece has been encrypted. This information is “0” when the node on which the leecher 50 receives the encrypted piece is, for example, the initial seeder 52A, “1” when it is the leecher 50A, and “2” when it is the leecher 50B. For example, when the leecher 50B receives the encrypted piece from the leecher 50A, it overwrites this information from “1” to “2”.

  Further, when multiple pieces are encrypted with a plurality of encryption keys, the above-mentioned request message transmitted from the leecher 50 to the key server 53 includes the node identification information of all nodes through which the encrypted pieces have passed. . When random numbers are used for generating an encryption key as described above, the above request message includes random numbers of all nodes that have passed through the encrypted piece. Similarly, information regarding which part of the encrypted piece has been encrypted may be included, and information regarding how many nodes the encrypted piece has passed may be included.

  In the content distribution system in the above-described embodiment, “1 ≦ i1,..., IN ≦ m”. However, when multiple pieces are encrypted with a plurality of encryption keys as described above, = 1 '. In this case, i1,..., IN may not be included as index information.

  On the other hand, the key server 53 when multiple pieces are encrypted with a plurality of encryption keys is as follows. The key server 53 holds device secret information given to each leecher 50. When the key server 53 receives the request message from the leecher 50, the key server 53 searches the device identification information given to each node through which the encrypted piece has passed, from the node identification information of all the nodes through which the encrypted piece has passed, These are acquired as a key ring. As described above, when a random number is used to generate an encryption key, the key server 53 uses the device secret information given to each node through which the encrypted piece has passed and the decryption key using the random number of the corresponding node. (H (SA || RA) or F (SA, RA) in the above example) and the calculation result is obtained as a key bundle. The key server 53 does not necessarily have to hold the device secret information given to each leecher 50. For example, the device secret information given to the leecher 50 (the value of the leecher identification information is LIDA) is' SA. = H (Kmaster || LIDA) or SA = F (Kmaster, LIDA) ', the key server 53 only needs to know the Kmaster value and the algorithm of the function H or F. The device secret information given to the leecher 50 corresponding to the identification information can be calculated from the included LID.

  Also, piece encryption may be performed by at least two or more of all nodes that have passed through the encrypted piece, instead of being transmitted from each node.

  As described above, if the content delivery system in which the leecher 50 receives the decryption key for decrypting the encrypted piece or the information necessary for obtaining the decryption key from the key server 53, the MKB system according to the present embodiment. The key ring encryption according to can be applied to various content distribution systems.

<Modification 3>
In the embodiment described above, the key server 53 may check whether or not the leecher 50 holds an appropriate MKB when receiving a request message from the leecher 50. In this case, the content composed of each encrypted piece includes, in addition to the content identification information, the MKB assigned to the MKB used for encrypting the key ring for decrypting each encrypted piece and for decrypting the encrypted key ring. Identification information is associated. For example, the key server 53 stores the correspondence between the content identification information and the MKB identification information in advance. The leecher 50 includes the MKB identification information associated with the MKB held by the leecher 50 in the request message and transmits the request message to the key server 53. When receiving the request message, the key server 53 uses the content identification information included in the request message as a search key, the plaintext key associated with the content identification information and stored in the plaintext key storage unit 533, and the plaintext key A pair with the MKB identification information associated with is searched. Then, the key server 53 is used as a search key and is associated with the content identification information and stored in the plaintext key storage unit 533, and the key server 53 is associated with the content identification information. It is determined whether or not the MKB identification information stored in advance is the same as the MKB identification information included in the request message received from the leecher 50. If it is determined that the MKB identification information is the same, the key server 53 continues the process and performs the collation process in step S14 of FIG. The subsequent steps are the same as in the above embodiment. On the other hand, if it is determined that the MKB identification information is not the same, the key server 53 notifies the leecher 50 to that effect and ends the processing. At this time, the key server 53 may transmit to the leecher 50 information related to the acquisition destination of the MKB that the leecher 50 should acquire. The information regarding the MKB acquisition destination is, for example, access information such as a URL (Uniform Resource Locator) for accessing a server holding the MKB.

  According to the above configuration, when the leecher 50 does not hold an appropriate MKB, the verification process and the process of encrypting and transmitting the key ring are not performed. While being able to suppress, the processing load of the key server 53 can be reduced.

<Modification 4>
In the embodiment described above, the key server 53 includes the plaintext key storage unit 533 and is configured to store the plaintext key. However, the present invention is not limited to this, and the key server 53 may store the MKB and the device key and calculate the plaintext key using these instead of storing the plaintext key. FIG. 17 is a diagram illustrating the configuration of the key server 53 according to the present modification. The key server 53 includes an MKB storage unit 541 that stores an MKB, a device key storage unit 542 that stores a device key, and further includes an MKB processing unit 540 instead of the plaintext key storage unit 533. The MKB processing unit 540 decrypts an encrypted plaintext key that can be decrypted with the device key stored in the device key storage unit 542, out of the encrypted plaintext keys included in the MKB stored in the MKB storage unit 541. Get the key. The encryption unit 539 uses the plaintext key obtained by the MKB processing unit 540 and the seed information generated by the above-described seed information generation unit 538 to encrypt the key bundle to obtain an encrypted key bundle.

  In this case, the key server 53 may acquire the MKB from the leecher 50 instead of storing the MKB in the MKB storage unit 505 in advance. In this case, the leecher 50 may transmit the request message requesting the decryption information to the key server 53 by including the MKB itself instead of the MKB identification information of the MKB included in the leecher 50.

<Modification 5>
In the above-described embodiment, when transmitting the decryption information to the leecher 50, the key server 53 may transmit the MKB itself instead of the MKB identification information of the MKB to be used by the leecher 50. In this case, the leecher 50 may perform the above-described MKB process using the MKB received from the key server 53. According to such a configuration, since the leecher 50 does not need to store the MKB in advance, the memory resources of the leecher 50 can be saved.

  In this case, the key server 53 does not transmit the entire MKB to the leecher 50, but only information necessary for the leecher 50 to decrypt the encrypted key ring is included in the leecher 50 among the information included in the MKB. You may make it transmit. The information necessary for the leecher 50 to decrypt the encryption key ring is, for example, the MKB corresponding to the device key identification information assigned to the device key of the leecher 50 among the encrypted plaintext keys included in the MKB. Is the encrypted plaintext key included in According to such a configuration, even when the key server 53 transmits MKB to the leecher 50, the amount of data to be transmitted can be reduced.

  Also, in this case, the key server 53 does not use the encrypted plaintext keys included in the MKB, but the converted plaintext key obtained by converting the plaintext key according to Formula 1 (Km ′ in the formula) for encryption of the key bundle. May be used. In this case, the conversion unit 507 of the leecher 50 converts the plaintext key obtained by the MKB processing unit 506 using Equation 1, and the key bundle decryption unit 508 uses the converted plaintext key (converted plaintext key) to encrypt the key. Decrypt the bundle to obtain the key bundle.

<Modification 6>
In the above-described embodiment, the MKB identification information is an MKB serial number. However, the MKB identification information is not limited to this, and may be an identifier combining numbers, alphabets, or the like, or an MKB hash value. Alternatively, it may be MKB version information, a digital signature for the MKB, or an MKB file name. FIG. 11 illustrates the MKB data configuration when the MKB includes the MKB identification information. However, the present invention is not limited to this. For example, when the hash value of the MKB is used as the MKB identification information, each MKB is identified from the MKB itself. If possible, the MKB identification information may not be included in the MKB.

<Modification 7>
In the embodiment described above, the key server 53 may store device keys assigned to a plurality of different leechers 50, and the key server 53 may generate the MKB. The key server 53 converts the device key according to the following Expression 5 (referred to as a conversion device key), and generates an MKB including an encrypted plaintext key obtained by encrypting the plaintext key using the conversion device key. Kd ′ represents a conversion device key. Kd represents a device key assigned to the leecher 50. F represents a function.
Kd '= F (Kd, S) (Formula 5)

  Then, the key server 53 encrypts the key bundle using, for example, a plaintext key that is a result of decrypting each encrypted plaintext key included in the MKB generated by itself using the conversion device key. Then, the key server 53 transmits to the leecher 50 the MKB generated by itself, the encrypted key bundle obtained by encrypting the key bundle, and the decryption information including the seed information. On the other hand, in the leecher 50, when the decryption information acquisition unit 502 receives the decryption information, the conversion unit 507 uses the device key stored in the device key storage unit 504 and the seed information included in the decryption information to The conversion device key is calculated according to Equation 5. Then, the MKB processing unit 506 decrypts an encrypted plaintext key that can be decrypted using the calculated conversion device key among the encrypted plaintext keys included in the MKB included in the decryption information to obtain a plaintext key. Then, the key ring decryption unit 508 decrypts the encrypted key ring using the obtained plaintext key to obtain a key ring. Note that the key server 53 does not use the encrypted plaintext key itself included in the MKB generated by itself to encrypt the key ring, but converts the plaintext key obtained by converting the plaintext key according to Equation 1 (in the equation, Km ′ ) May be used. In this case, the conversion unit 507 of the leecher 50 converts the plaintext key obtained by the MKB processing unit 506 using Equation 1, and the key bundle decryption unit 508 uses the converted plaintext key (converted plaintext key) to encrypt the key. Decrypt the bundle to obtain the key bundle.

  The key server 53 may generate an MKB including an encrypted plaintext key obtained by encrypting a plaintext key using the device key without converting the device key. Then, the key server 53 may encrypt the key bundle using the converted plaintext key obtained by converting the plaintext key according to Equation 1.

<Modification 8>
In the embodiment described above, the key server 53 encrypts the plaintext key using the converted device key obtained by converting the device key according to the above-described equation 5 even when the MKB is stored in the MKB storage unit 505 in advance. May be used. Then, the key server 53 may encrypt the key bundle using the plaintext key, or may encrypt the key bundle using the converted plaintext key obtained by converting the plaintext key according to Equation 1. .

<Modification 9>
In the above-described embodiment, when the MKB processing unit 506 of the leecher 50 does not have the same MKB identification information included in the decoded information and the MKB identification information associated with the MKB stored in the MKB storage unit 505 In addition, for example, the MKB is acquired from a communication device other than the key server 53, such as a tracker 51, a sales server 54, or a server prepared by a content producer. However, the other device is not limited to this, and may be the key server 53. In this case, for example, the key server 53 may transmit the MKB when transmitting the decryption information to the leecher 50. Further, the MKB may be included in the torrent file. In this case, the leecher 50 acquires the MKB from a communication device such as a sales server that provides a torrent file to the leecher 50. Further, the URL of the MKB acquisition destination may be included in the torrent file. In this case, the leecher 50 acquires the MKB from another communication device that can be accessed using the URL. Further, the MKB itself may be transmitted / received through the P2P network NT as one of the encrypted pieces. Further, the leecher 50 may acquire the MKB recorded on a storage medium such as a CD-ROM offline, for example, instead of acquiring the MKB from another communication device.

<Modification 10>
In the embodiment described above, the seed information is calculated so as to have a different value for each leecher 50 and for each content, but the present invention is not limited to this. For example, when the leechers 50 are grouped, the same seed information may be assigned to the leechers 50 in the same group.

<Modification 11>

In the above-described embodiment, the seed information generation unit 538 of the key server 53 calculates the seed information according to the above-described Expression 3. However, the seed information may be calculated according to the following Expression 6. F represents a function.
S = F (F (K, CID), LID) (Formula 6)

  In the above-described embodiment, the encryption unit 539 uses the function E to encrypt the key ring. If the data length of the key ring is large, for example, the function E is used as the common key encryption and the CBC mode is used. It ’s fine. In this case, the same common key encryption CBC mode may be used for the function D used when the key ring decrypting unit 508 of the leecher 50 decrypts the encrypted key ring.

<Modification 12>
In the above-described embodiment, the encryption unit 539 of the key server 53 receives the request message from the leecher 50 and then encrypts the key bundle to obtain the encryption key. The encryption key bundle may be stored in advance.

<Modification 13>
In the embodiment described above, the key server 53 transmits the decryption information including the encrypted key bundle obtained by encrypting the key bundle and the seed information to the leecher 50. However, the key server 53 may transmit the seed information as decryption information to the leecher 50 without transmitting the encrypted key bundle to the leecher 50. In this case, the leecher 50 is acquired by receiving an encryption key bundle from a communication device other than the key server 53, such as a tracker 51, a sales server 54, or a server prepared by a content producer. In this case, when the key server 53 receives the above request message from the leecher 50, the key server 53 transmits seed information to the leecher 50 and sends a transmission request message requesting to transmit the encryption key bundle to the leecher 50. You may make it transmit to the other communication apparatus. Alternatively, the key server 53 may transmit to the leecher 50 decryption information including seed information and information regarding the acquisition destination of the encrypted key bundle. The information related to the acquisition destination of the encryption key ring is access information such as a URL (Uniform Resource Locator) for accessing the acquisition destination server, for example. The key server 53 may generate the encryption key ring, and the key server 53 may pass the generated encryption key ring to the other communication device, or the other communication device itself may have the encryption key. A bundle may be generated. When the other communication device itself generates the encryption key ring, the key server 53 may not store each decryption key for decrypting each encrypted piece, and the other communication device Each decryption key is stored, and the key server 53 may generate seed information and transmit it to the other communication device. That is, in this case, the key server 53 may be configured not to include the plaintext key storage unit 533, the content decryption key storage unit 534, the encryption key supply unit 537, and the encryption unit 539 shown in FIG. The generation unit 538 may transmit seed information to the other communication device via the packet processing unit 531 and the network interface unit 532.

<Modification 14>
In the above-described embodiment, the MKB process performed by the leecher 50 in step S16 is based on the MKB method described in Reference Document 2, but is not limited thereto, and is disclosed in Reference Document 2, for example. You may make it follow the existing MKB system. In this case, the processing in step S152 shown in FIG. 16 is unnecessary, and the leecher 50 obtains a plaintext key by decrypting the encrypted plaintext key using the device key in step S153 after step S151.

In the above-described embodiment, the MKB data configuration shown in FIG. 11 is used. However, the present invention is not limited to this. For example, although the data configuration when the MKB method disclosed in the above-mentioned Reference 1 is applied is disclosed in Reference 3 below, this data configuration may be used.
(Reference 3) Advanced Access Content System (AACS), Introduction and Common Cryptographic Elements Revision 0.91, February 17, 2006. (http://www.aacsla.com/specifications/specs091/AACS_Spec_Common_0.91.pdf)

<Modification 15>
In the embodiment described above, after the MKB process in step S16 of FIG. 14, the leecher 50 determines whether or not the plaintext key obtained in step S16 has been revoked (or whether or not a correct plaintext key has been obtained). May be determined. In this case, for example, a plaintext key verification record is included in the MKB. The plaintext key verification record is obtained, for example, by encrypting fixed data (for example, a sequence of numbers such as “01234XXX”) with the plaintext key Km. Fixed data is stored in advance in the leecher 50 separately. FIG. 18 is a flowchart showing a procedure of a portion different from the above-described embodiment with respect to the procedure of the content distribution process according to this modification. After step S16, in step S20, the leecher 50 determines whether the plaintext key obtained in step S16 has been revoked. Specifically, the leecher 50 uses the plaintext key to decrypt the plaintext key verification record included in the MKB used to obtain the plaintext key, and obtain fixed data. Then, the leecher 50 determines whether or not this matches the previously stored fixed data. If the former and the latter do not match, it is determined that the plaintext key has been revoked. This means that the leecher 50 is disabled. If the former and the latter match, it is determined that the plaintext key has not been revoked. This means that the leecher 50 has not been invalidated. If it is determined that the plaintext key has been revoked (step S20: YES), the leecher 50 displays on the display device that the leecher 50 has been revoked and ends the process (step S21). Alternatively, the leecher 50 may display on the display device that the device key is to be updated. On the other hand, when it is determined that the plaintext key has not been revoked (step S20: NO), the leecher 50 performs the processing after step S17 in the same manner as described above. Depending on the MKB system, the invalidated leecher may perform invalidation by not including data (for example, encrypted plaintext key) necessary for calculating the plaintext key in the MKB. In other words, the invalidated leecher cannot calculate the plaintext key. In this case, the leecher 50 that has not been revoked may use the above-described plaintext key verification record to determine whether a correct plaintext key has been obtained without any data reading error or calculation error. . FIG. 11 illustrates the data structure of the MKB when the plaintext key verification record is included in the MKB. However, the present invention is not limited to this, and when the above determination process is not performed, the plaintext key verification record is not included in the MKB. May be.

  According to such a configuration, when the plaintext key is invalidated, the process of decrypting the encrypted key bundle is not performed, so that the processing load on the leecher 50 can be reduced. At the same time, since it is possible to notify the user that the leecher 50 has been invalidated, the illegal leecher 50 can be detected smoothly.

<Modification 16>
In the embodiment described above, the example in which the key server 53 stores each decryption key for decrypting each encrypted piece in the content decryption key storage unit 534 has been described. A configuration of the key server 53 without the unit 534 is also possible. Hereinafter, an example of a method for obtaining each decryption key by calculation without storing each decryption key (for example, expressed as K (i, j)) will be described. For example, 'K (i, j) = H (Kmaster' || CID || i || j) '. Here, Kmaster ′ is secret information held by the key server 53, and CID is content identification information included in the request message from the leecher 50. In this case, the key server 53 has only to store the value of Kmaster ′ in the content decryption key storage unit 534, and the decryption key K (i, j) to be given to the leecher 50 from the CID included in the request message. Can be calculated. The calculation method of K (i, j) is not limited to the above-described method. For example, secret information held by the key server 53 is prepared for each content (that is, for each CID) (represented as Kmaster _CID ), and 'K (i, j, j) = F (Kmaster _CID , i || j) '. In this case, the key server 53 obtains may by storing the value of Kmaster _CID to the content decryption key storage unit 534, a Kmaster _CID to be used from the CID included in the request message from the content decryption key storage unit 534 The decryption key K (i, j) to be given to the leecher 50 can be calculated.

  According to such a configuration, the key server 53 does not need to store each decryption key for decrypting each encrypted piece in the content decryption key storage unit 534, and only stores the master key. Therefore, the memory capacity of the content decryption key storage unit 534 can be small, and the product cost can be reduced.

<Modification 17>
In the above-described embodiment, the example in which the key server 53 calculates the encryption key bundle Z by Expression 4 is shown, but public key cryptography can also be used as E. In this case, the key server 53 may calculate a public key corresponding to F (Km, S) as a secret key and encrypt the key bundle using the calculated public key. When the data size of K (i1,1) || K (i2,2) || ... || K (iN, N) is large, the public key encryption process may be performed a plurality of times.

<Modification 18>
For the device key in the above-described embodiment, the value f (LID) obtained by substituting the leecher identification information LID into the polynomial f (x) defined by the following equation 7 is the device key (for the leecher whose leecher identification information is LID). It is also good.

Here, q is a prime number. t is an integer. a _i is an integer greater than or equal to zero and less than q. A value g (LID) obtained by substituting leecher identification information LID into a polynomial g (x) defined by the following equation 8 may be used as seed information S (received by a leecher whose leecher identification information is LID).

Here, q is a prime number. u is an integer. b _i is an integer greater than or equal to zero and less than q. The value of b _i may be changed for each content identification information. The device key after conversion using the seed information (for the reacher whose reacher identification information is LID) may be defined as f (LID) + g (LID) mod q. This modification can be applied, for example, when the MKB system of Reference 2 is used. When the device key after conversion using the seed information is defined as f (x) + g (x) mod q, and when the MKB method of Reference 2 is used, the key server 53 uses f (x) + g Using each coefficient of (x) or each coefficient of g (x) and the public key (corresponding to the device key before conversion using seed information) (to the device key after conversion using seed information) (Corresponding) A public key is calculated, and the calculated public key is used to encrypt a key bundle for decrypting each encrypted piece or a decryption key for decrypting the encrypted key bundle.

It is a block diagram which shows the structure of the content delivery system concerning one Embodiment. It is a figure which shows typically the state by which the content concerning the embodiment was divided | segmented into several pieces. It is a figure which shows typically each encryption piece concerning the embodiment. It is a figure which shows notionally the flow of the basic process which a receiver performs in the MKB system concerning the embodiment. It is a figure which illustrates each encryption piece which the seeder 52A concerning the embodiment has memorize | stored. It is a figure which illustrates each encryption piece which the seeder 52A concerning the embodiment has memorize | stored. It is a figure which illustrates each encryption piece which the seeder 52A concerning the embodiment has memorize | stored. It is a figure which illustrates the data structure of piece information concerning the embodiment. It is a figure which illustrates the functional structure of the leecher 50 concerning the embodiment. It is a figure which illustrates Torrent File concerning the embodiment. It is a figure which illustrates the data structure of MKB concerning the embodiment. It is a figure which illustrates the functional structure of the key server 53 concerning the embodiment. It is a figure which illustrates the data structure of the node information concerning the embodiment. It is a flowchart which shows the procedure of the content delivery process concerning the embodiment. It is a flowchart which shows the procedure of the collation process concerning the embodiment. It is a flowchart which shows the procedure of the MKB process which the MKB process part 506 concerning the embodiment performs. It is a figure which illustrates the structure of the key server 53 concerning the modification of the embodiment. It is a flowchart which shows the procedure of a different part from the embodiment about the procedure of the content delivery process concerning the modification of the embodiment.

Explanation of symbols

50, 50A, 50B leecher (communication equipment)
51 Tracker (Management server)
52, 52A, 52B, 52C Seeder (communication device)
53 Key server 54 Sales server 500 Content acquisition unit 501 Decryption information request unit 502 Decryption information acquisition unit 503 Content decryption unit 504 Device key storage unit 505 MKB storage unit 506 MKB processing unit 507 Conversion unit 508 Key bundle decryption unit 530 Control unit 531 Packet Processing unit 532 Network interface unit 533 Plain text key storage unit 534 Content decryption key storage unit 535 Sequence information collation unit 536 Sequence information storage unit 537 Encryption key supply unit 538 Seed information generation unit 539 Encryption unit 540 MKB processing unit 541 MKB storage unit 542 Device Key Storage Unit NT P2P Network

Claims (24)

A communication device that receives an encrypted piece in which a part of content is encrypted,
First receiving means for receiving a plurality of the encrypted pieces from the first communication device;
Request means for requesting the second communication device for information for decrypting each received encrypted piece;
First storage means for storing a first key assigned to the communication device;
The decryption key that is a decryption key for decrypting each received encrypted piece is received from the second communication device or the third communication device, and is temporarily used to encrypt the decryption key Second receiving means for receiving information from the second communication device;
Key decryption means for decrypting each of the encrypted decryption keys using the temporary information, the first key, and a second key encrypted so as to be decryptable using the first key. A communication device. The key decryption means includes
MKB processing means for decrypting the encrypted second key using the first key;
Calculation means for calculating a third key for decrypting each of the encrypted decryption keys using the second key and the temporary information;
The communication apparatus according to claim 1, further comprising: a decrypting unit configured to decrypt each of the encrypted decryption keys using the third key. The second receiving means further receives from the second communication device the second key encrypted in a decryptable manner using the first key converted using the temporary information;
The key decryption means includes
A calculation means for converting the first key by calculating using the first key and the temporary information;
MKB processing means for decrypting the encrypted second key using the converted first key;
The communication apparatus according to claim 1, further comprising: a decrypting unit that decrypts each encrypted decryption key using the second key. The second receiving means further receives from the second communication device the second key encrypted in a decryptable manner using the first key converted using the temporary information;
The key decryption means includes
A calculation means for converting the first key by calculating using the first key and the temporary information;
MKB processing means for decrypting the encrypted second key using the converted first key;
Calculation means for calculating a third key for decrypting each of the encrypted decryption keys using the second key and the temporary information;
The communication apparatus according to claim 1, further comprising: a decrypting unit that decrypts each decrypted key encrypted using the third key. Second storage means for storing key management information to which the first key management identification information that can identify the key management information including the second key encrypted so as to be decryptable using the first key is further stored. Prepared,
The second receiving means further receives, from the second communication device, second key management identification information assigned to the key management information to be used by the communication device,
The key decryption means, when the first key management identification information and the second key management identification information are the same, the key management information stored in the second storage means, the temporary information, and the second information When each of the encrypted decryption keys is decrypted using one key, and the first key management identification information and the second key management identification information are not the same, the second key management identification information is associated with each other The obtained key management information is obtained from the third communication device or the storage medium, and each of the decryption keys encrypted using the obtained key management information, the temporary information, and the first key The communication device according to claim 1, wherein the communication device is decoded. The second receiving means further receives from the second communication device key management information including the second key encrypted in a decryptable manner using the first key;
5. The key decryption unit decrypts each encrypted decryption key by using the received key management information, the temporary information, and the first key. The communication device according to any one of the above. The request means, when requesting the information, transmits communication device identification information capable of identifying the own communication device and content identification information capable of identifying the content to the second communication device,
2. The second reception unit receives the encrypted decryption key from the second communication device or the third communication device, and receives the temporary information from the second communication device. The communication device according to claim 6. The communication apparatus according to claim 1, further comprising a piece decrypting unit that decrypts the encrypted piece using each decrypted decryption key. A communication device that communicates with another communication device that receives an encrypted piece in which a part of content is encrypted,
Receiving means for receiving a request message for requesting information for decrypting a plurality of the encrypted pieces from the other communication device;
Generating means for generating temporary information used for encrypting a decryption key for decrypting the encrypted piece;
A communication apparatus comprising: a transmission unit configured to transmit the temporary information to the other communication apparatus according to the request message. First storage means for storing each of the decryption keys of the plurality of encrypted pieces or key calculation information for calculating each of the decryption keys;
Second storage means for storing the first key;
Key encryption means for encrypting the decryption key so as to be decryptable using the temporary information and the first key;
The communication device according to claim 9, wherein the transmission unit transmits the temporary information and the encrypted decryption key to the other communication device. The transmission means further transmits access information for accessing the other communication device that holds the decryption key or the encrypted decryption key to the other communication device. Communication equipment. A third storage means for storing secret information that is not disclosed to the other communication device;
Content identification information that can identify the content is assigned to the content,
The other communication device is assigned communication device identification information capable of identifying the other communication device,
The receiving means receives the request message including the communication device identification information and the content identification information;
The communication device according to claim 9, wherein the generation unit generates the temporary information using the secret information, the communication device identification information, and the content identification information. The key encryption means includes
Conversion means for converting the first key by a function using the temporary information;
The communication apparatus according to claim 10, further comprising: an encryption unit that encrypts each of the decryption keys so as to be decryptable using the converted first key. The second storage means includes the first key and the first key encrypted in a decryptable manner using the second key assigned to the other communication device, and can identify the key management information. Storing the key management identification information to which the management identification information is assigned and the content identification information in association with each other;
The receiving means receives the request message including the communication device identification information, the content identification information, and the key management identification information from the other communication device,
The key encryption means includes the key management identification information associated with the first key stored in association with the content identification information included in the request message, and the key management identification information included in the request message. Determining means for determining whether or not the key management identification information is the same;
If the former key management identification information and the latter key management identification information are not the same, the error management means further transmits an error message indicating that to the other communication device,
The said conversion means converts the said 2nd key with a function using the said temporary information, when the said key management identification information of the former and the said key management identification information of the latter are the same. 13. The communication device according to 13. The transmitting means transmits the temporary information and key management information including a first key encrypted in a decryptable manner using a second key assigned to the other communication device to the other communication device. The communication device according to claim 9, wherein the communication device is a device. A fourth storage means for storing a second key assigned to the other communication device;
The key encryption means includes
Conversion means for converting the second key by a function using the temporary information;
Generating means for generating the key management information including the first key encrypted in a decryptable manner using the converted second key;
Encryption means for encrypting each decryption key using the first key,
The communication device according to claim 10, wherein the transmission unit transmits the temporary information, the encrypted decryption key, and the key management information to the other communication device. A fourth storage means for storing a second key assigned to the other communication device;
The key encryption means includes
Conversion means for converting the second key by a function using the temporary information;
Generating means for generating the key management information including the first key encrypted in a decryptable manner using the converted second key;
Encryption means for encrypting each decryption key using the first key and the temporary information;
The communication device according to claim 10, wherein the transmission unit transmits the temporary information, the encrypted decryption key, and the key management information to the other communication device. Fourth storage means for storing the second key assigned to the communication device;
A fifth storage means for storing the key management information including the first key encrypted in a decryptable manner using the second key;
The key encryption means includes
MKB processing means for decrypting the encrypted first key included in the key management information using the second key;
The communication apparatus according to claim 10, further comprising an encryption unit configured to encrypt each decryption key using the first key and the temporary information. A fourth storage means for storing a second key assigned to the other communication device;
The receiving means further receives the key management information including the first key encrypted in a decryptable manner using the second key;
The key encryption means includes
MKB processing means for decrypting the encrypted first key included in the key management information using the second key;
The communication apparatus according to claim 10, further comprising an encryption unit configured to encrypt each decryption key using the first key and the temporary information. The transmission means includes the key management identification information assigned to the key management information including the temporary information and the first key encrypted in a decryptable manner using the second key assigned to the other communication device. The communication device according to claim 9, wherein the communication device is transmitted to the other communication device. The key encryption means includes
Determining means for determining whether to transmit each decryption key based on a combination of each decryption key requested by the request message;
If the determination result of the determination means is affirmative, each decryption key in the combination requested by the request message or key calculation information for calculating each decryption key is read from the first storage means, The communication apparatus according to claim 10, further comprising an encryption unit that encrypts each decryption key using the temporary information and the first key. A communication method executed by a communication device that receives an encrypted piece in which a part of content is encrypted,
The communication device includes a first reception unit, a transmission unit, a key decryption unit, and a storage unit that stores a first key assigned to the communication device,
A first receiving step in which the first receiving means receives a plurality of the encrypted pieces from a first communication device;
The requesting unit requests the second communication device to request information for decrypting each received encrypted piece;
The second receiving means receives the decryption key, which is a decryption key for decrypting each received encrypted piece, from the second communication device or the third communication device, and receives the decryption key A second receiving step of receiving temporary information used for encryption from the second communication device;
The key decryption means decrypts each decryption key encrypted using the temporary information, the first key, and a second key encrypted using the first key so as to be decryptable. And a key decryption step. A program for causing a computer included in a communication device to receive an encrypted piece in which a part of content is encrypted,
A first receiving step of receiving a plurality of the encrypted pieces from a first communication device;
A requesting step for requesting information for decrypting each received encrypted piece to the second communication device;
The decryption key that is a decryption key for decrypting each received encrypted piece is received from the second communication device or the third communication device, and is temporarily used to encrypt the decryption key A second receiving step of receiving information from the second communication device;
Decrypting each encrypted decryption key using the temporary information, the first key assigned to the communication device, and the second key encrypted using the first key so that decryption is possible A program for causing a computer to execute a key decryption step. A program for executing a computer of another communication device that receives an encrypted piece in which a part of content is encrypted,
Receiving a request message requesting information for decrypting a plurality of the encrypted pieces from the other communication device; and
Generating step for generating temporary information used for encryption of a decryption key for decrypting the encrypted piece;
A program for causing a computer to execute a transmission step of transmitting the temporary information to the other communication device according to the request message.

Images