Abstract: A method and apparatus for processing a Rights Object (RO) are provided. A method for upgrading the RO includes: acquiring, by a Digital Rights Management (DRM) Agent, RO related information of the RO that requires updating from a Secure Removable Media (SRM) Agent; providing, by the DRM Agent, the RO related information to a Rights Issuer (RI), and obtaining a new RO from the RI; and interacting, by the DRM Agent, with the SRM Agent to upgrade the RO that requires updating on the SRM by means of the new RO. According to the embodiments of the present invention, the DRM Agent acquires RO related information which is stored on the SRM and does not have Move rights, and interacts with the RI to move the RO out from the SRM, so as to move the RO without the Move rights out from the SRM, thus extending an application of the RO without the Move rights.

Abstract: Secure bulk messaging mechanism in which, roughly described, a sender first encrypts a message once. The message can be decrypted with a message decryption key. These can be symmetric or asymmetric keys. For each recipient, the sender then encrypts the message decryption key with the recipient's public key. The sender then sends the encrypted message and the encrypted message decryption keys to a store-and-forward server. Subsequently, one or more recipients connect to the server and retrieve the encrypted message and the message encryption key that has been encrypted with the recipient's public key. Alternatively, the server can forward these items to each individual recipient. The recipient then decrypts the encrypted message decryption key with the recipient's private key, resulting in an un-encrypted message decryption key. The recipient then decrypts the message using the un-encrypted message decryption key.

Abstract: A computer-implemented method for using reputation data to detect packed malware may include: 1) identifying a file downloaded from a portal, 2) determining that the file has been packed, 3) obtaining community-based reputation data for the file, 4) determining, by analyzing the reputation data, that instances of the file have been encountered infrequently (or have never been encountered) within the community, and then 5) performing a security operation on the file (by, for example, quarantining or deleting the file).

Abstract: A method of protecting digital contents includes: requesting an external device or service to perform a part of a process of decrypting encrypted contents which correspond to a leaf node among a plurality of leaf nodes in a tree used in a revocation mechanism according to whether the leaf node has been revoked; and decrypting the encrypted contents based on a response to the request. Therefore, even when the data storage capacity of a device is small or the data processing capability thereof is low, the contents encrypted according to a broadcast encryption scheme can be decrypted.

Abstract: A system for recovery of data access of a locked secure storage device can comprise a keystore module and an authorization module. The keystore module may be configured to allow access to a master file system comprising a user encryption key for data stored within the locked secure storage device based on a master code. The authorization module may be configured to receive the administrator code, authenticate the administrator code, decode the master code, and reset a lockout parameter of the locked secure storage device.

Abstract: Disclosed is an inter-entity coupling method for protecting content in a broadcast environment including a broadcast network and a terminal, the broadcast network having a Broadcast Service Application (BSA), a Broadcast Service Distribution (BSD), and a Broadcast Service Management (BSM), the inter-entity coupling method including performing, by the terminal, a registration process for obtaining a group key for the terminal; after the registration process is completed, performing, by the terminal, a service joining process for requesting service joining, and receiving, by the terminal, a Rights Object (RO) about the content from a message, which is received in response to the request, based on the obtained group key; obtaining a traffic key by using the RO, if a traffic key message is received after the service joining process is completed; receiving encrypted content in the terminal; and decrypting the encrypted content by using the traffic key.

Abstract: A method of access control in an electronic device includes monitoring for input at the electronic device, for each input determined to be one of a plurality of predefined gestures including gestures from a touch-sensitive input device or from a movement sensor, mapping the input to a respective Unicode character and adding the respective Unicode character to a passcode to provide an entered passcode, comparing the entered passcode to a stored passcode, and changing an access state at the electronic device if the entered passcode matches the stored passcode.

Abstract: An information processing apparatus for communicating with an external apparatus via a network is provided that includes a generating unit for generating identification information capable of specifying a service in order to launch the service, a receiving unit for receiving input information input by a user with the external apparatus from the external apparatus via the network, a judging unit for judging whether or not the input information received by the receiving unit corresponds to the identification information generated by the generating unit, and a notifying unit for notifying the external apparatus of address information indicating an address of the information processing apparatus if the judging unit judges that the input information corresponds to the identification information.

Abstract: A system and method of managing multicast key distribution that includes associating a multicast address with each internal node of the key tree, wherein the key tree is created based on the last hop topology.

Abstract: The invention proposes a method for transmitting a message to a plurality of user entities in a network by using a multicast service, comprising the steps of encrypting a multicast message by using ciphering, and sending the encrypted multicast message to the plurality of user entities simultaneously. The invention also proposes a corresponding multicast service control device and a corresponding user entity.

Abstract: A method for managing a conference between two or more parties comprises an identity based authenticated key exchange between a conference management element and each of the two or more parties seeking to participate in the conference. Messages exchanged between the conference management element and the two or more parties are encrypted based on respective identities of recipients of the messages. The method comprises the conference management element receiving from each party a random group key component. The random group key component is computed by each party based on a random number used by the party during the key authentication operation and random key components computed by a subset of others of the two or more parties seeking to participate in the conference. The conference management element sends to each party the random group key components computed by the parties such that each party can compute the same group key.

Abstract: An approach is provided that allows an administrator to set a new password at a wireless access point, such as a traditional WAP or a wireless router. The wireless access point creates a message that includes the new password. The message is encrypted using the old password that was previously set for the wireless network. The encrypted message is wirelessly transmitted from the wireless access point to the active client devices (those clients currently accessing the wireless network). The clients decrypt the message using the old password that was previously provided to the clients. The clients retrieve the new password from the message. The clients construct a new message that is encrypted using the new password. The new message is wirelessly transmitted from the clients to the wireless access device and serves as an acknowledgement.

Abstract: A method for distributing a shared secret key among a plurality of nodes is described. Each node establishes a secret key, the number of nodes being more than two nodes. A node distributes by a ring protocol executing over computer network connections an encrypted version of the secret key of each node to other nodes of the plurality of nodes. Each node decrypts the secret keys of other nodes so that each node has the secret key of other nodes. Each node combines the secret keys of other nodes to form a shared secret key available to other nodes.

Abstract: A third-party can subscribe to one or more electronic message group lists without joining the group lists by creating a trust relationship between the subscriber and a group list member. In particular, the subscriber can send a trust indicator to the group member, who can then determine whether to accept the trust indicator for all or specific groups that are associated with the group member, as appropriate. In at least one embodiment, the group member can send a trust indicator acceptance message to the subscriber that identifies the group member, and any or all group lists associated with the group member. The subscriber can then receive messages directed to the trusted group member or group lists, and can send group messages to the group lists subject to a receive setting associated with the group lists or group members of the group lists.

Abstract: Systems, methods, and other embodiments associated with layer two (L2) encryption for data center interconnectivity are described. One example system includes a receive logic to receive an unencrypted L2 switched frame (UL2SF). The UL2SF may include a payload and an L2 header. The example system may also include an encryption logic to selectively encrypt the UL2SF into an encrypted frame if the UL2SF is to be sent through an L2 virtual private network (L2VPN) requiring encryption. The example system may also include a delivery logic that adds a header to the encrypted frame. The header may include data to identify a decryption function to decrypt the encrypted frame and routing information for the encrypted frame. The delivery logic may also provide the encrypted frame to the L2VPN, where the providing includes selectively sending the encrypted frame as one of, a point to point packet, and a multipoint packet.

Abstract: A first information processing apparatus encrypts data that it receives from a second information processing apparatus, and transmits the data thus encrypted to an external device. The second information processing apparatus transmits the data to the first information processing apparatus according to a data size that results after a data size being necessary for communication of the encrypted data is subtracted from a specified data size.

Abstract: A client application allows a user of a telecommunication device to retrieve contact data of a particular individual from a server to initiate contact with the particular individual without viewing content designated as private by the particular individual. The retrieved contact data includes encrypted content and non-encrypted content. The telecommunication device sends a directory request to the server requesting contact data from an electronic directory stored on the server. If the directory request is validated by the server, the telecommunication device receives the requested contact data from the server. The telecommunication device also receives a decryption key and a key expiration parameter from the server. The client application executing on the telecommunication device can use the decryption key within a time period defined by the key expiration parameter to decrypt encrypted contacted data on the telecommunication device to initiate contact with the particular individual.

Abstract: Methods, a client node and a key server node are provided for distributing from the key server node, and acquiring at the client node, self-healing encryption keys. The client node and the key server node are part of a key distribution network that comprises a plurality of client nodes. An encryption key is obtained from a combination of a forward key with a backward key, wherein the backward key is distributed at a time separated from the time of the forward key by a self-healing period. The forward and backward keys are updated in a multicast rekey message, at a given time, encrypted by an encryption key defined for a previous time. Optionally, when a sibling of the client node joins or leaves the key distribution network, a unicast rekey message is used to renew the forward and backward keys at the client node.

Abstract: A method for securely communicating sensed data over a network that includes receiving sensed data from a sensor, dynamically switching through a plurality of multi-cast group addresses as destinations for sending the received sensed data to a client device based on time measurements, encryption keys, or pseudorandom numbers, and transmitting the sensed data to each of the plurality of multi-cast group addresses through the dynamic switching of the plurality of multi-cast group addresses for receipt by the client device.

Abstract: By arranging a redundancy means and a control means upstream from an encryption means which encrypts and decrypts the data to be stored in an external memory, the integrity of data may be ensured when the generation of redundancy information is realized by the redundancy means, and when the generation of a syndrome bit vector indicating any alteration of the data is implemented by the control means. What is preferred is a control matrix constructed from idempotent, thinly populated, circulant square sub-matrices only. By arranging redundancy and control means upstream from the encryption/decryption means, what is achieved is that both errors in the encrypted data and errors of the non-encrypted data may be proven, provided that they have occurred in the data path between the redundancy/control means and the encryption/decryption means.

Abstract: A packet forwarding process, on a data communications device, forwards a packet to a plurality of destinations within a network from that data communications device using an “encrypt, then replicate” method. The packet forwarding process receives a packet that is to be transmitted to the plurality of destinations, and applies a security association to the packet using security information shared between the data communications device, and the plurality of destinations, to create a secured packet. The secured packet contains a header that has a source address and a destination address. The source address is inserted into the header, and then the packet forwarding process replicates the secured packet, once for each of the plurality of destinations. After replication, the destination address is inserted into the header, and the packet forwarding process transmits each replicated secured packet to each of the plurality of destinations authorized to maintain the security association.

Abstract: A system, method, and computer program for text-based encryption, involves accessing a text file with a plurality of lines of text characters; re-sequencing each of the text characters in the plurality of lines; translating a base representation for each of the text characters by an offset of a base value so that a resulting translated character is printable; inserting a plurality of other characters between each of the translated text characters on each of the lines to form a random character string; inserting a plurality of random numbers of random characters before and after the random character string to output to a resultant file; and including a translated seed with the resultant file.

Abstract: This invention is useful in video compression standards support a rich set of intra prediction modes. This invention a unique table creation and lookup approach to software pipeline the prediction process for all pixels within a block. The table stores constant data and pointer data into a neighbor pixel table. Indexing into the table based upon the current intra prediction mode for each pixel of a block recalls constant data and other pixel data for calculation of an intra prediction value.

Abstract: A method and apparatus for mitigating traffic increase due to both a proxy server and a network device transmitting response packets to a search request by multicast. The network device transmits to the proxy server information required for a client apparatus to communicate with the network device. When the proxy server is in a state where proxy-send of the information is possible, the network device restricts response to a search request by multicast from the client apparatus.

Abstract: A method for decrypting the encrypted messages sent by a transmission device to a first electronic device associated with a first trusted authority and to a second electronic device (ME). In one embodiment, first and second tokens are generated and exchanged, respectively, by the first and second electronic devices, which then generate a joint decryption key in order to decrypt the encrypted message.

Abstract: Exemplary embodiments of the invention provide a system and method for providing multicast service in a unicast-based Voice over Internet Protocol (VoIP) system. The system and method include a VoIP call server receiving subnet information from VoIP terminals authenticated by an authentication server, generating multicast group information, and providing the multicast group information to the respective authenticated VoIP terminals. The VoIP call server searches a list of grouped VoIP terminals, selects a VoIP terminal of a corresponding subnet, transmits multicast session information to the selected VoIP terminal to set the VoIP terminal as a relay VoIP terminal, and requests a media server to transmit group message data to the relay VoIP terminal. According to this system and method, it is possible to implement a multicast service in a unicast-based VoIP system without adding additional equipment.

Abstract: Techniques for seeding data among client machines, also referred to as boxes herein, are disclosed. To prevent the data distributed among the boxes from being illegitimately accessed or possessed, according to one aspect of the present invention, each box is configured to perform what is referred to herein as a transcription process. In other words, when encrypted data is received, the data is decrypted and then re-encrypted with a key agreeable with a next box configured to receive the data.

Abstract: A method and system of providing physical port security in a digital data network is disclosed. The system keeps bit maps of allowed physical output ports for each physical network connection. The map of allowed ports can be different for different source addresses connected to the device. When digital data, such as an IP packet, is received, the appropriate physical port security bit map is retrieved and a logical AND is done on the physical port bit map generated by the destination information. The resulting bit map is used to determine which physical ports the data is routed to, blocking any requested destinations that are not appropriate destinations based on the port security bit map.

Abstract: An encrypted communication system is provided, in which an encryption key for use in encrypted communication and settings information for the encrypted communication are distributed to each of a plurality of communication devices performing encrypted communication within a group, and in which traffic generated by distributing the encryption key and the like can be reduced. In the encrypted communication system according to the present invention, information including a key for use in the intra-group encrypted communication or a seed which generates the key is distributed to the communication devices belonging to the group that are participating (e.g., logged in) in the intra-group encrypted communication.

Abstract: There is provided a method for encrypting a data stream using multiple algorithms. In one embodiment, a first portion of the data stream is encrypted with a first algorithm utilizing a first key to generate a first encrypted portion. The first algorithm can be, for example, a Triple Data Encryption Algorithm (TDEA). Data indicating the first algorithm and the first key is then transmitted. Then, the first encrypted portion of the data stream is transmitted. Thereafter, a second portion of the data stream is encrypted with a second algorithm utilizing a second key to generate a second encrypted portion. The second algorithm can be, for example, a Single Data Encryption Algorithm (SDEA). Next, data indicating the second algorithm and the second key is transmitted. Thereafter, the first encrypted portion of the data stream is transmitted.

Abstract: A system and method for implementing security of multi-party communication is disclosed in the disclosure. The system mainly includes a group key management unit and a record protocol unit. The method mainly includes when the system runs in the centralized group key management mode, the Group Controller and Key Server (GCKS) establishes and stores a Group Security Association, the GCKS negotiates with the group members to establish an Initiation Security Association, under the protection of the Initiation Security Association, the group members obtain the Group Security Association from GCKS. When the system runs in the distributed group key management mode, a Group Security Association is established by all the group members together at the beginning of the group communication.

Abstract: In an embodiment, a method of secure information distribution between nodes, includes: performing a handshake process with an adjacent node to determine membership in a secure group; and distributing secure information to the adjacent node, if the adjacent node is a member of the secure group. In another embodiment, an apparatus for secure information distribution between nodes, includes: a node configured to performing a handshake process with an adjacent node to determine membership in a secure group, and distribute secure information to the adjacent node, if the adjacent node is a member of the secure group.

Abstract: Methods, systems, and apparatuses, including computer programs encoded on computer-readable media, for receiving a plurality of metadata associated with a plurality of media items. Each metadata includes a ranking score and a resource locator of the media item. Queuing media item identifiers based on the plurality of metadata and ordering the queue based on the ranking scores. Retrieving a portion of a highest-ranking unplayed media item and providing the portion to a content playback device. Receiving vote indications for an unplayed media item. The ranking score of the unplayed media is updated item based on the received vote indications. The unplayed media items are reordered in the queue based upon the updated ranking score of the unplayed media item. Retrieving a portion of a highest-ranking unplayed media item in the reordered queue and providing the portion to a content playback device.

Abstract: Disclosed is domain upgrade method in Digital Rights Management (DRM) capable of reducing network resources by simplifying signal procedures at the time of transferring changed domain keys. A device joining after domain upgrade is provided with only a domain key of a domain generation after the domain upgrade, but is not provided with a domain key of the previous domain generation. Accordingly, even if the joining device is mal-operated or is hacked, contents before upgrade are prevented from being illegally used or leaking out.

Abstract: A combination-based broadcast encryption method includes: assigning by a server a base group of different combinations to each user; producing and sending secret information for each user by using as a base the base group allocated to each user; producing and sending an inverse-base parameter value through calculations with integers used to produce the base group and key value information of one or more privileged users; and deriving a group key by using the key value information of the privileged users, encrypting a session key by using the derived group key, and sending the encrypted session key to each user. Accordingly, each user is assigned a different base through a combination, thereby having security against collusion attacks.

Abstract: A request to receive multicast data, associated with a multicast group, may be transmitted. The request may be transmitted via a tunnel. Group keys may be received in response to the request. The group keys may be based on the multicast group. An encapsulated packet may be received via another tunnel. The encapsulated packet may be processed, using the group keys, to obtain a multicast packet associated with the multicast data. The multicast packet may be forwarded to at least one multicast recipient.

Abstract: In a procedure for delivering streaming media, a Client first requests the media from an Order Server. The Order Server authenticates the Client and sends a ticket to the Client. Then, the Client sends the ticket to a Streaming Server. The Streaming Server checks the ticket for validity and if found valid encrypts the streaming data using a standardized real-time protocol such as the SRTP and transmits the encrypted data to the Client. The Client receives the data and decrypts them. Copyrighted material adapted to streaming can be securely delivered to the Client. The robust protocol used is very well suited for in particular wireless clients and similar devices having a low capacity such as cellular telephones and PDAs.

Abstract: A security control method in a cable network dynamic multicast session, and more particularly, a method of controlling forward secrecy and backward secrecy in a Data Over Cable Service Interface Specifications (DOCSIS) 3.0 network dynamic multicast session is provided. A security control method in a cable network dynamic multicast session, includes: maintaining a multicast group that is allocated with a first Downstream Service Identifier (DSID) and a first Security Association Identifier (SAID) and that is joined by a first cable modem and a second cable modem; receiving a LeaveMulticastSession message from the second cable modem; exchanging, corresponding to the LeaveMulticastSession message, a Dynamic Bonding Change (DBC) message for changing a multicast parameter with the second cable modem; and updating a first Traffic Encryption Key (TEK) corresponding to the first DSID with a second TEK.

Abstract: The present invention involves establishing a top-level key and optionally also a verification tag. The top-level key is used as the MDP key for encrypting a broadcast medium. Only the part of the key message that contains the encrypted top-level key is authenticated, e.g. using a signature or a Message Access Code (MAC). Any known group-key distribution protocol can be used that is based on the creation of a hierarchy of keys. Examples of such methods are the LKH and SD methods. The group-key distribution protocol output key H, traditionally used as the MDP key, or a derivative thereof is used to encrypt the top-level MDP-key. The invention, further, includes optimization of a group-key message by eliminating unnecessary message components relative a specified group or sub-group of users. The optimization can be made in dependence of contextual data such as user profile, network status, or operator policies.

Abstract: A user PC 20 prepares a retrieve request by storing a SNMP command and a predetermined processing execution condition into a retrieve request of a SLP and transmits and outputs the prepared retrieve request to a printer 40 and others by multicast. Receiving the retrieve request, the printer 40 obtains and executes the SNMP command stored in the retrieve request of the SLP and processes a response to the retrieve request when the execution result meets the processing execution condition. Thus, the SNMP command is executed by receiving the retrieve request of the SLP and the response to the retrieve request of the SLP is processed corresponding to the execution result, it is not necessary to separately transmit or to obtain the request process of the SLP and the retrieve request of the SNMP through the network and the execution result of the SNMP command may be reflected to the process of the SLP.

Abstract: A system and method is provided which allows multicast communications encrypted using IPSec protocol to be received by receivers in a network. In order to allow the receivers to receive the encrypted multicast communication, the address information of the received multicast communication is modified to appear as a unicast communication being transmitted directly to the address of the receiver, such that the receiver may then decrypt the received multicast communication using IPSec decryption capabilities or may, alternatively, forward the received multicast communication in its encrypted state to other devices. The system and method further provide IPSec encryption key delivery to the receiver using an encrypted markup language file. Multiple keys may also be generated for a given IP address of a receiver with each key being generated for a particular multicasting hierarchical classification.

Abstract: Disclosed is a method for generating a Short Term Key Message (STKM) for protection of a broadcast service being broadcasted to a terminal in a mobile broadcast system. The method includes transmitting, by a Broadcast Service Subscription Management (BSM) for managing subscription information, at least one key information for authentication of the broadcast service to a Broadcast Service Distribution/Adaptation (BSD/A) for transmitting the broadcast service, generating, by the BSD/A, a Traffic Encryption Key (TEK) for deciphering of the broadcast service in the terminal and inserting the TEK into a partially created STKM, and performing, by the BSD/A, Message Authentication Code (MAC) processing on the TEK-inserted STKM using the at least one key information, thereby generating a completed STKM.

Abstract: According to one embodiment of the invention, a method for establishing multiple tunnels for each virtual local area network is described. Upon receiving information over a first tunnel associated with a first virtual local area network, a determination is made whether the information is from a network device assigned to a second virtual local area network, which differs from the first virtual local area network. If the network device is a member of the second virtual local area network, a second tunnel associated with the second virtual local area network is created.

Abstract: An apparatus and method for generating a key for a broadcast encryption. The apparatus includes a node secret generator for managing a user that receives broadcast data in a tree structure and for generating a unique node secret for each node in the tree structure. The apparatus also includes an instant key generator for temporarily generating an instant key used at all nodes in common in the tree structure, and a node key generator for generating a node key for each node by operating the node secret generated at the node secret generator and the instant key generated at the instant key generator. Thus, key update can be efficiently achieved.

Abstract: A method and system are provided for delivering a stream in a mobile broadcast system that receives stream contents of broadcast services (BCAST) from a content creation and provides the broadcast services to one terminal or one group of terminals via one of a broadcast distribution system (BDS) and an interaction network. The method involves requesting assignment of a bearer in which the stream is to be delivered, assigning a bearer in response to the bearer assignment request, adapting the stream to be appropriate for the assigned bearer, and delivering the adapted stream to the terminal in the assigned bearer.

Abstract: The invention provides a method and system for a network which includes a plurality of nodes, preferably routers, a shared network segment for communication between the nodes, and several multicast channels in the shared network segment on which the nodes, preferably routers, can send multicast messages to the other nodes. A specific multicast channel is provided on which the nodes can send specific start multicast messages to other nodes, wherein a node which starts a protocol application, preferably a routing protocol application such as Open Shortest Path First (OSPF) protocol, is adapted to send a multicast start message on the specific multicast channel. Another node, preferably a router, receiving this start message is adapted to validate the authenticity of the start message and to send a response message.

Abstract: A presence table stores therein presence information. A storage unit stores therein in associated manner a terminal identifier unique each of a plurality of terminals and an encryption key to be used for multicast communication within a multicast group. A receiving unit receives a subscription request message from a first terminal from among the terminals. The subscription message includes the terminal identifier of the first terminal, and a request requesting subscription to the presence information present in the storage unit. An acquiring unit acquires the encryption key from the storage unit by using the terminal identifier of the first terminal. A transmitting unit transmits acquired encryption key to the first terminal.

Abstract: A content distribution mechanism that relies on cooperative desktop PCs to distribute content is disclosed. The mechanism distributes content in a robust manner by allowing at least one intermediate network node (i.e., between a source and client) to generate and send packets that contain a linear combination of the portions of content available at the node. Such linear combinations may be created by the source and client using at least a portion of the original content file in either encoded or unencoded form. After the client has received enough linearly independent combinations of packets, the original content may be reconstructed. Further, security for network coding file distribution may be employed to maintain the efficiency and security of the content distribution mechanism. A security server may generate security information using a hashing algorithm including the property of producing security information for each block which survives the process of creating encoded blocks.

Abstract: Secure tunneled multicast transmission and reception through a network is provided. A join request may be received from a second tunnel endpoint, the join request indicating a multicast group to be joined. Group keys may be transmitted to the second tunnel endpoint, where the group keys are based at least on the multicast group. A packet received at the first tunnel endpoint may be cryptographically processed to generate an encapsulated payload. A header may be appended to the encapsulated payload to form an encapsulated packet, wherein the header includes information associated with the second tunnel endpoint. A tunnel may be established between the first tunnel endpoint and the second tunnel endpoint based on the appended header. The encapsulated packet may be transmitted through the tunnel to the second tunnel endpoint. The second tunnel endpoint may receive the encapsulated packet. Cryptographic processing of the encapsulated packet may reveal the packet having a second header.

Abstract: A recording and reproduction apparatus for preventing illegitimate use of contents. A recording medium stores an inherent number in an unrewritable area. The recording apparatus writes media key data and an encrypted content onto the recording medium. The media key data includes encrypted media keys generated by (i) for each of unrevoked reproduction apparatuses, encrypting a media key using a device key of the unrevoked reproduction apparatus respectively, and (ii) for each of revoked reproduction apparatuses, encrypting detection information using a device key of the revoked reproduction apparatus. The reproduction apparatus decrypts the encrypted media key using a device key to generate a decryption media key, judges whether the decryption media key is the detection information, and prohibits the encrypted content recorded on the recording medium from being decrypted when judged in the affirmative.