WO2007116390A2 - Fingerprinting of descrambling keys - Google Patents

Fingerprinting of descrambling keys

Info

Publication number
WO2007116390A2
Authority
WO
WIPO (PCT)
Prior art keywords
key
descrambling
data
content
personalization data
Prior art date
Application number
PCT/IL2006/000472
Other languages
English (en)
Other versions
WO2007116390A3 (fr)
Inventor
Reuben Sumner
Yaron Sella
Aviad Kipnis
Erez Waisbard
Original Assignee
Nds Limited
Priority date
Filing date
Publication date
Application filed by Nds Limited
Priority to PCT/IL2006/000472
Publication of WO2007116390A2
Publication of WO2007116390A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231 Biological data, e.g. fingerprint, voice or retina
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/42 Anonymization, e.g. involving pseudonyms
    • H04L2209/60 Digital content management, e.g. content distribution

Definitions

  • the present invention relates to systems used for secure communications and more particularly to systems fingerprinting keys used for secure communications in order to make a key traceable back to its source.
  • VideoGuard™ system commercially available from NDS Ltd., One London Rd., Staines, Middlesex,
  • Conditional access systems typically include a Conditional Access Module (CAM), typically comprised in a set top box (STB).
  • CAM Conditional Access Module
  • STB set top box
  • ECM Entitlement Control Message
  • ECM includes information necessary to generate a Control Word (CW) used for descrambling content such as broadcast content.
  • the CAM passes the ECM to a secure computation unit, where the ECM is processed, typically using a secret cryptographic function, to obtain the CW.
  • the CW is then passed back to the CAM, which in turn passes the CW to other components of the STB for use in descrambling the content. Examples of such systems are described in US Patents 5,282,249 and 5,481,609 to Cohen et al and in US Patent 6,178,242 to Tsuria, the disclosures of which are hereby incorporated herein by reference.
  • Control word sharing simply stated, is the redistribution of key data from a datastream between a decoder and a legitimate smartcard, in order to enable any appropriately equipped decoder to decode a channel.
  • a single subscription could provide keys for an unlimited number of individuals.
  • control word sharing can also be performed in a non-smart card environment, and that the above discussion is not meant to be limiting. It is also appreciated that if control word sharing cannot be prevented, it would be advantageous at least to locate the source of redistribution of key data, so that the broadcaster may attempt to stop the redistribution of key data.
  • Fingerprinting is a measure that preferably enables a legitimate content provider to gather evidence against unauthorized users and re-distributors of digital content.
  • Fingerprinting is generally divided into two categories, covert fingerprinting and overt fingerprinting.
  • in covert fingerprinting, information about the unauthorized user or re-distributor's smartcard ID is typically coded, in a covert manner, along with some other data which is typically inaccessible unless some effort is made to retrieve the information.
  • in overt fingerprinting, information about the unauthorized user or re-distributor's smartcard ID is typically displayed overtly on the screen of the device on which fingerprinting is activated.
  • PCT application PCT/US02/29881 published in the English language as WO 03/028287 on 3 April 2003 describes a method and apparatus that selectively pairs a receiver configured to receive a media program encrypted according to a media encryption key and a conditional access module.
  • the apparatus comprises a security module for receiving and modifying the media encryption key, and a transport module, comprising a decryptor for decrypting the media program.
  • the media encryption key has a portion indicating a first state in which the media program is to be viewable by a set of receivers or a second state in which the media program is to be viewable only by a subset of the set of receivers.
  • the secure e-commerce trade system includes a trade service center, a data transmission network and at least one user end device.
  • the user end device has a unique hardware serial number for use in verification and encryption/decryption of the trade data. By the uniqueness of the hardware serial number, a user cannot verify and encrypt/decrypt trade data via another user end device with another hardware serial number even in the case of the public key and private key known to the user.
  • European Patent EP 1000511 to Scientific-Atlanta Inc. describes a conditional access system comprising a method of decrypting an instance of a service that has been encrypted with a given short-term key.
  • ISO/IEC 13818-1 Information Technology, Generic Coding of Moving Pictures and Associated Audio Information: Systems (also known as the MPEG-2 standard) is a well known standard for broadcast compression.
  • a distributed key can be distributed anonymously. It is desirable, therefore, to provide a mechanism, such as a fingerprinting mechanism, for the distributed key so that the distributed key can be traced back to its source.
  • a mechanism such as a fingerprinting mechanism
  • the only key an attacker is able to access is personalized.
  • the attacker has no access to a depersonalization device.
  • the present invention in preferred embodiments thereof, seeks to provide an improved content key comprising a fingerprint, the fingerprint comprising information intended to make identification of the source of the content key easier.
  • a method for producing fingerprinted descrambling keys including providing a conditional access module, providing to the conditional access module a content descrambling key and personalization data, the personalization data including data associated with the conditional access module, combining the content descrambling key and the personalization data, encrypting the combined content descrambling key and personalization data according to a key, and outputting the encrypted combined content descrambling key and personalization data.
  • the personalization data includes personalization data unique to the conditional access module.
  • the key is associated with the conditional access module, and is denoted K_CAS_ID.
  • the key K_CAS_ID is hard-coded in the conditional access module.
  • K_CAS_ID is hard-coded in ROM included in the conditional access module.
  • K_CAS_ID is hard-coded in EEPROM included in the conditional access module.
  • K_CAS_ID is hard-coded in circuitry included in the conditional access module.
  • the personalization data includes a CAM ID.
  • the personalization data includes a subscriber ID.
  • the method also includes passing the outputted encrypted combined content descrambling key and personalization data to a descrambling device.
  • the content descrambling key includes an anonymous content descrambling key.
  • the content descrambling key includes data corresponding to an identifiable entity.
  • the identifiable entity includes a particular individual.
  • the identifiable entity includes a group of individuals.
  • the identifiable entity includes a particular device.
  • the identifiable entity includes a group of devices.
  • conditional access module generates redundant data, denoted R, based on the content descrambling key, and inserts the redundant data in the personalization data.
  • redundant data includes a checksum.
  • a method for utilizing a fingerprinted descrambling key including providing a descrambling device with an encrypted combined anonymous content descrambling key and personalization data, the encrypted combined anonymous content descrambling key and personalization data being encrypted according to a key, further providing the descrambling device with a conditional access system ID (CAS ID), producing a fixed decryption key based on the CAS ID, decrypting the encrypted combined anonymous content descrambling key and personalization data with the fixed decryption key, and uncombining the decrypted anonymous content descrambling key from the decrypted personalization data.
  • the fixed decryption key, denoted K_CAS_ID, is a result of applying a function f to the CAS ID.
  • the method also includes delivering the decrypted anonymous content descrambling key to a content descrambler, and descrambling encrypted content with the decrypted content descrambling key.
  • the decrypted personalization data further includes redundant data, the redundant data operative to ensure the validity of the decrypted anonymous content descrambling key.
  • a method including providing a descrambling device with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key, further providing the descrambling device with a conditional access module ID (CAM ID), producing a fixed decryption key based on the CAM ID, and decrypting the encrypted content descrambling key with the fixed decryption key.
  • CAM ID conditional access module ID
  • the fixed decryption key is a result of applying a function f to the CAM ID.
  • the method includes delivering the decrypted anonymous content descrambling key to a content descrambler, and descrambling encrypted content according to the decrypted anonymous content descrambling key.
  • a method including providing a descrambling device with a doubly encrypted combined anonymous content descrambling key and personalization data, the doubly encrypted combined anonymous content descrambling key and personalization data being encrypted according to a first fixed decryption key and a second fixed decryption key, the personalization data including a conditional access module ID (CAM ID) of the conditional access module, further providing the descrambling device with a conditional access system ID (CAS ID), producing the first fixed decryption key based on the CAS ID, decrypting a first layer of encryption on the doubly encrypted combined anonymous content descrambling key and personalization data with the first fixed decryption key, thereby deriving an encrypted personalized descrambling key and the CAM ID, uncombining the encrypted personalized descrambling key from the CAM ID, producing the second fixed decryption key based on the CAM ID, decrypt
  • CAM ID conditional access module ID
  • the method includes delivering the decrypted anonymous content descrambling key to a content descrambler, and descrambling encrypted content with the decrypted content descrambling key.
  • the decrypted personalization data further includes redundant data, the redundant data being operative to ensure the validity of the decrypted anonymous content descrambling key.
  • a method for utilizing a fingerprinted descrambling key including providing a descrambling device with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key, and including personalization data, uncombining the encrypted content descrambling key into a first data block and a second data block, such that the personalization data is included in the first data block, and an anonymous content descrambling key is included in the second data block, further providing the descrambling device with a conditional access system ID (CAS ID), producing a fixed decryption key based on the CAS ID, decrypting the first data block with the fixed decryption key, uncombining the decrypted first data block into a third data block and a fourth data block, the fourth data block including the personalization data, inputting the fourth data block into a function and producing a result, K, and decrypting the second data block with K, thereby deriving the anonymous content des
  • CAS ID conditional access system ID
  • the fixed decryption key is a result of applying a function f to the CAS ID.
  • the method includes delivering the decrypted anonymous content descrambling key to a content descrambler, and descrambling encrypted content with the decrypted content descrambling key.
  • the decrypted personalization data further includes redundant data, the redundant data being operative to ensure the validity of the decrypted anonymous content descrambling key.
  • a method for producing a fingerprinted descrambling key including providing a conditional access module with personalization data, producing, at the conditional access module, a content descrambling key, and combining, with a combining function, the content descrambling key and one of the personalization data, and a result of an operation of a first function on the personalization data, wherein the combining function produces a result which is a functionally non-separable result.
  • the combining function includes a cryptographic function.
  • the first function includes a block cipher encryption function.
  • the block cipher encryption function is operative to encrypt the content descrambling key and the personalization data as a single block, according to a fixed key.
  • the fixed key is a fixed secret string.
  • the block cipher encryption function is operative to encrypt the content descrambling key as a single block, according to a derived key.
  • the derived key is derived from the operation of a hash function on the personalization data and a fixed key.
  • fixed key is a fixed secret string.
  • a method for utilizing a fingerprinted descrambling key including providing a descrambling device with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key, and including personalization data, and uncombining, with an uncombining function, the encrypted content descrambling key and the personalization data, wherein the encrypted content descrambling key and the personalization data are functionally non-separable.
  • a method for determining a source of an intercepted unauthorized distributed personalized descrambling key the personalized descrambling key including personalization data and a key for decrypting encrypted content, the personalization data being associated with a particular conditional access module, the method including obtaining the unauthorized distributed personalized descrambling key, identifying a portion of the intercepted unauthorized distributed personalized descrambling key including the personalization data, and determining the identity of the conditional access module based on data included in the personalization data.
  • the data included in the personalization data includes a CAM ID.
  • the data included in the personalization data includes a subscriber ID.
  • a system for producing fingerprinted descrambling keys including a conditional access module, a content descrambling key provided to the conditional access module, and personalization data provided to the conditional access module, the personalization data including data associated with the conditional access module, wherein the content descrambling key and the personalization data are combined, and the combined content descrambling key and personalization data are encrypted according to a key, and the encrypted combined content descrambling key and personalization data are outputted.
  • a system for utilizing a fingerprinted descrambling key including a descrambling device provided with an encrypted combined anonymous content descrambling key and with personalization data, the encrypted combined anonymous content descrambling key and personalization data being encrypted according to a key, the descrambling device including a conditional access system ID (CAS ID) store, storing a CAS ID, and a producer operative to produce a fixed decryption key based on the CAS ID, a decryptor operative to decrypt the encrypted combined anonymous content descrambling key and personalization data according to the fixed decryption key, and an uncombiner operative to uncombine the decrypted anonymous content descrambling key from the decrypted personalization data.
  • CAS ID conditional access system ID
  • a system for utilizing a fingerprinted descrambling key including a descrambling device provided with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key, the descrambling device including a conditional access module ID (CAM ID) store, storing a CAM ID, and a producer operative to produce a fixed decryption key based on the CAM ID, and a decryptor operative to decrypt the encrypted content descrambling key with the fixed decryption key.
  • CAM ID conditional access module ID
  • a system for utilizing a fingerprinted descrambling key including a descrambling device provided with a doubly encrypted combined anonymous content descrambling key and personalization data, the doubly encrypted combined anonymous content descrambling key and personalization data being encrypted according to a first fixed decryption key and a second fixed decryption key, the doubly encrypted combined anonymous content descrambling key and personalization data including a conditional access module ID (CAM ID) of the conditional access module, the descrambling device including a conditional access system ID (CAS ID) store, storing a CAS ID, and a producer operative to produce the first fixed decryption key based on the CAS ID, a decryptor operative to decrypt a first layer of encryption on the doubly encrypted combined anonymous content descrambling key and personalization data with the first fixed decryption key, thereby deriving an encrypted personalized descrambling key and the CAM ID, an
  • a system for utilizing a fingerprinted descrambling key including a descrambling device provided with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key and including personalization data, the descrambling device being operative to uncombine the encrypted content descrambling key into a first data block and a second data block, such that the personalization data is included in the first data block, and an anonymous content descrambling key is included in the second data block
  • the descrambling device including a conditional access system ID (CAS ID) store, storing a provided CAS ID, a producer operative to produce a fixed decryption key based on the CAS ID, a decryptor operative to decrypt the first data block with the fixed decryption key, an uncombiner operative to uncombine the decrypted first data block into a third data block and a fourth data block, the fourth data block including the personalization data,
  • CAS ID conditional access system ID
  • a system for producing a fingerprinted descrambling key including a conditional access module provided with personalization data, the conditional access module including a producer operative to produce a content descrambling key, and a combining function, operative to combine the content descrambling key and one of the personalization data, and the result of an operation of a first function on the personalization data, the result of the combining function being a functionally non-separable result.
  • an apparatus for determining a source of an intercepted unauthorized distributed personalized descrambling key, the personalized descrambling key including personalization data and a key for decrypting encrypted content, the personalization data associated with a particular conditional access module, including an interceptor operative to intercept the unauthorized distributed personalized descrambling key, an identifier operative to identify a portion of the intercepted unauthorized distributed personalized descrambling key including the personalization data, and a determiner operative to determine the identity of the conditional access module based on data included in the personalization data.
  • Fig. 1 is a simplified block diagram illustration of a system using fingerprinted keys, the system being constructed and operative in accordance with a preferred embodiment of the present invention;
  • Fig. 2 is a simplified block diagram illustration of a preferred embodiment of a descrambling device of Fig. 1;
  • Fig. 3 is a simplified block diagram illustration of a preferred embodiment of a personalized descrambling key in the system of Fig. 2;
  • Fig. 4A is a simplified block diagram illustration of a preferred implementation of production of the personalized descrambling key in the system of Fig. 1;
  • Fig. 4B is a simplified block diagram illustration of an alternative preferred embodiment of a descrambling device of Fig. 1;
  • Fig. 4C is a simplified block diagram illustration of another alternative preferred embodiment of a descrambling device of Fig. 1;
  • Fig. 4D is a simplified block diagram illustration of still another alternative preferred embodiment of a descrambling device of Fig. 1;
  • Fig. 5 is a simplified block diagram illustration of a preferred embodiment of a detective device, operative to utilize personalization data depicted in Fig. 3, in order to determine a source for a pirated personalized descrambling key;
  • Fig. 6 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 5;
  • Fig. 7 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4A;
  • Fig. 8 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 2;
  • Fig. 9 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4B;
  • Fig. 10 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4C;
  • Fig. 11 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4D;
  • Fig. 12 is a simplified flow chart illustration of an alternative preferred method of operation of the apparatus of Fig. 4A.
  • Fig. 13 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 5.
  • Fig. 1 is a simplified block diagram illustration of a system using fingerprinted keys, the system being constructed and operative in accordance with a preferred embodiment of the present invention.
  • the system of Fig. 1, preferably implemented in an appropriate combination of hardware and/or software, comprises a descrambling device 100, a conditional access module 300, and an encrypted personalized descrambling key 150.
  • the operation of the system of Fig. 1 is described below, with reference to Figs. 2 - 4D.
  • the system of Fig. 1 may be comprised in any appropriate device, the device being operative to receive scrambled content, decrypt the scrambled content, and display the descrambled content.
  • the system of Fig. 1 may comprise a set top box, personalized video recorder, computer, mp3 player, or other such device.
  • the conditional access module 300 comprises data which can be used to identify the conditional access module.
  • the module preferably combines, with a combining function, the identification data with a control word.
  • the module preferably combines, with a combining function, the result of an operation of some function on the identification data, for example, and without limiting the generality of the foregoing, an encryption function, such as a block cipher encryption function.
  • a block cipher encryption operation is operative to encrypt the content descrambling key and the personalization data as a single block, according to a fixed key, the fixed key being a fixed secret string.
  • the block cipher encryption operation is operative to encrypt the content descrambling key as a single block, according to a derived key, the derived key being derived from the operation of a hash function on the personalization data and the fixed key.
  • the combining function preferably produces a functionally non-separable result (that is, the identification data and the control word cannot be uncombined without an appropriate splitting function).
  • the combining function is typically a cryptographic function.
  • One preferred embodiment of such a method and system is described below, with reference to Fig. 4A. It is appreciated that the splitting function preferably comprises a secret function.
  • the functionally non-separable result is delivered to a descrambling device comprising the appropriate splitting function.
  • the appropriate splitting function is utilized to uncombine, or split, the functionally non-separable result, thereby deriving the control word for use in decrypting content and the identification data, the identification data being ignored by the descrambling device.
  • Fig. 2 is a simplified block diagram illustration of a preferred embodiment of the descrambling device 100 of Fig. 1.
  • the descrambling device 100 receives an input of a conditional access system identifier
  • a third input comprises scrambled content
  • CAS ID 140 is typically embedded in a broadcast stream, comprised in content accompanying metadata.
  • the system of Fig. 1 receives the content accompanying metadata, retrieves the CAS ID, and passes the CAS ID to the descrambling device 100.
  • the CAS ID 140 typically comprises a unique identifier used to identify a particular conditional access system.
  • two broadcasters each of which purchases an identical conditional access system from the same conditional access vendor, each have a different CAS ID.
  • a conditional access module from one of the two broadcasters will not work within the conditional access system of the second of the two broadcasters.
  • CAS ID is changed for a broadcaster with each new generation of conditional access module. Where the broadcaster is operating with more than one conditional access system, the broadcaster may be using more than one CAS ID.
  • Fig. 3 is a simplified block diagram illustration of a preferred embodiment of a personalized descrambling key 150 in the system of Fig. 2.
  • the personalized content descrambling key 150 comprises two parts: an anonymous content descrambling key 210 and personalization data 220.
  • the anonymous content descrambling key 210 is depicted as comprising 64 bits and the personalization data 220 is depicted as comprising 32 bits.
  • the use of 64 bits and 32 bits for the size of the anonymous content descrambling key 210 and the personalization data 220 respectively is not meant to be limiting. It is appreciated that although Fig. 3 depicts the personalization data 220 as separate from the anonymous content descrambling key 210, in practice, since the personalized descrambling key 150 is encrypted (with the key K_CAS_ID 170, referred to below, serving as the decryption key for the encrypted personalized descrambling key 150), it is difficult to separate the personalization data 220 from the anonymous content descrambling key 210.
  • the encryption of the personalized descrambling key 150 is discussed in detail below, with reference to Fig. 4A.
  • the personalization data 220 may comprise any information which preferably uniquely identifies the source of the data.
  • the personalization data 220 may comprise a unique CAM identification number or a subscriber number.
  • the personalization data 220 is an arbitrary number. It is appreciated that there need not be limitations on the personalization data 220 (such as limitations requiring the personalization data 220 not be all zeros or not be all ones).
  • the CAS ID 140 is input into the secret function f 110.
  • a value, K_CAS_ID 170, is output.
  • the value CAS ID 140 is typically broadcast unencrypted, as part of the MPEG standard conditional access table (see, for example, pages 69-70 of ISO/IEC 13818-1), and hence is not secret. Since K_CAS_ID 170 is a secret value, however, the value of K_CAS_ID 170 is not easily knowable.
  • secret function f 110 may be a well known encryption function, such as AES using a global secret key, which is available to all descrambling devices 100.
  • K_CAS_ID 170 may be hard-coded in one of the following: in ROM comprised in the conditional access module 300; in EEPROM comprised in the conditional access module 300; and in circuitry comprised in the conditional access module 300.
  • the personalized descrambling key both in an encrypted state 150 and in a decrypted state 155, comprises 96 bits.
  • the 96 bit decrypted personalized descrambling key 155 passes through a splitter 125.
  • the splitter 125 separates the 32 bits of the personalization data 220 from the 64 bit anonymous content descrambling key 210.
  • the 64 bit anonymous content descrambling key 210 is passed to a content descrambler 130.
  • the 64 bit anonymous content descrambling key 210 is used by the content descrambler 130 as a key to descramble the scrambled content 160, thereby producing descrambled content 180.
  • the descrambling device 100 typically has no further need for the 32 bits of the personalization data 220. Thus, the 32 bits of the personalization data 220 are preferably ignored by the descrambling device 100.
  • the content descrambler 130 may comprise a typical content descrambler, well known to those skilled in the art, and comprises standard hardware and software, as appropriate. It is further appreciated that data described above as being moved about between components in the content descrambler 130 is preferably moved about between components all comprised inside a single chip therefore making it difficult to eavesdrop in order to intercept the data.
  • the conditional access module 300 comprises a descrambling key production mechanism 310.
  • the descrambling key production mechanism 310 receives an ECM 305 as an input, and, from the ECM 305, produces the anonymous content descrambling key 210, as is well known in the art. (See, for example, US Patents 5,282,249 and 5,481,609 to Cohen et al and in US Patent 6,178,242 to Tsuria, referred to above.)
  • the anonymous content descrambling key 210 is depicted, by way of example only, as comprising 64 bits.
  • the conditional access module 300 inputs the 64 bit anonymous content descrambling key 210 into an encryptor, E 320, comprised therein.
  • the encryptor E 320 also receives an input of the personalization data 220.
  • the personalization data 220 is depicted, by way of example only, as comprising 32 bits.
  • the encryptor E 320 preferably concatenates or otherwise combines the personalization data 220 with the anonymous content descrambling key 210, in order to produce, in accordance with the example of Fig. 3, a 96 bit value.
  • the 96 bit value is encrypted, preferably using encryption key K_CAS_ID 170.
  • K_CAS_ID 170 is preferably hard coded in the conditional access module 300 for use as the encryption key by the encryptor E 320.
  • the encryptor E 320 preferably encrypts the 96 bit value using the inverse of the decryption method used by the decryptor D 120 (Fig. 2).
  • otherwise, the decryptor D 120 (Fig. 2) will not decrypt the 96 bit value.
  • the 64 bit anonymous content descrambling key 210 and the personalization data 220 preferably remain encrypted.
  • the encrypted 96 bit result of encryptor E 320 preferably comprises a value which is functionally non-separable. For example, and without limiting the generality of the foregoing, even if the value of the encrypted 96 bit result of encryptor E 320 is known, it is preferably difficult to derive, from the encrypted 96 bit result of encryptor E 320, an encrypted 96 bit result of encryptor E 320 for the 64 bit anonymous content descrambling key 210 and different personalization data (not depicted).
  • the resulting encrypted personalized control word 150 is preferably delivered to the descrambling device 100 for use as described above with reference to Fig. 2.
  • an alternative scheme for combining the anonymous content descrambling key 210 and the personalization data 220 may comprise a concatenation function Cat[(anonymous content descrambling key 210 XOR personalization data 220), personalization data 220].
  • the splitter comprises a function Split[(anonymous content descrambling key 210 XOR personalization data 220), personalization data 220].
  • any other appropriate function may be used to join and split anonymous content descrambling key 210 and personalization data 220.
  • An attempt to eavesdrop on communications between the conditional access module 300 and the descrambling device 100 might intercept a control word being passed from the conditional access module 300 to the descrambling device 100.
  • a point where the encrypted personalized descrambling key 150 might be intercepted is indicated as a theft point 350.
  • the eavesdropper may attempt to distribute the personalized descrambling key, for instance, over the Internet.
  • combining the personalization data 220 with the anonymous content descrambling key 210 to produce the personalized control word 150 enables an investigator to utilize the personalization data 220 to determine the source of the control words being so distributed.
  • a cipher text can be decrypted by any key of appropriate length. However, only a correct key will give a valid plain text message. Decryption with an incorrect key will produce a plain text which is not identical to the original plain text message before encryption. Typically, such a message comprises nonsense.
  • redundant data (not depicted) is preferably added to the personalized descrambling key 150 during the encryption process at the conditional access module 300.
  • redundant data preferably comprises any appropriate function of the personalization data 220.
  • the redundant data may preferably comprise a checksum comprised within the personalization data 220.
  • the redundant data may comprise a data transformation. For example and without limiting the generality of the foregoing: let X be the bits in the range from bit a to bit b.
  • the redundant data then comprises NOT(X), where the operation NOT comprises a bitwise logical NOT operation.
  • Fig. 4B is a simplified block diagram illustration of an alternative preferred embodiment of a descrambling device of Fig. 1.
  • the descrambling device 100 receives an input of an identification number of the conditional access module 300 (Fig. 1), hereinafter referred to as CAM ID 143.
  • the CAM ID 143 is input into secret function f 113.
  • a value, K_CAM_ID 173, is output.
  • like K_CAS_ID 170 described above with reference to Fig. 2, K_CAM_ID 173 is not easily knowable.
  • the anonymous content descrambling key 210 is passed to a content descrambler 130.
  • the anonymous content descrambling key 210 is used by the content descrambler 130 as a key to descramble the scrambled content 160, thereby producing descrambled content 180.
  • K_CAM_ID 173 forces a hacker, who is attempting to distribute keys, to blatantly reveal his own CAM ID.
  • CAM ID may preferably be encrypted or hashed with any appropriate encryption or hash function before input into f 113.
  • h(CAM ID), where h is any appropriate hash function, may be hard-coded in one of the following: in ROM comprised in the conditional access module 300 (Fig. 1); in EEPROM comprised in the conditional access module 300 (Fig. 1); and in circuitry comprised in the conditional access module 300 (Fig. 1).
  • Fig. 4C is a simplified block diagram illustration of an alternative preferred embodiment of a descrambling device of Fig. 1.
  • the descrambling device 100 receives three inputs: the CAS ID 140; the scrambled content 160; and a doubly encrypted personalized descrambling key 1150 from the conditional access module 300 (Fig. 1).
  • the doubly encrypted personalized descrambling key 1150 is depicted, only for the sake of discussion as being 128 bits.
  • the doubly encrypted personalized descrambling key 1150 comprises a CAM ID 1005 identifying the conditional access module 300 (Fig. 1).
  • the CAS ID 140 is input into a secret function f1 1110.
  • K_CAS_ID 1170 is output.
  • K_CAS_ID 1170 is used by a decryptor D1 1120 as a decryption key in order to decrypt the doubly encrypted personalized descrambling key 1150.
  • the 128 bit output of decryptor D1 1120 is input into Splitter1 1125.
  • Splitter1 1125 splits out the CAM ID 1005 embedded in 32 bits of the 128 bit output of decryptor D1 1120, thereby potentially identifying the conditional access module associated with the CAM ID 1005.
  • the remaining 96 bits of an encrypted personalized descrambling key 1155 are input into decryptor D2 1121.
  • CAM ID 1005 is input into a secret function f2 1113, which produces K_CAM_ID. K_CAM_ID is used by decryptor D2 1121 as a decryption key in order to decrypt the encrypted personalized descrambling key 1155.
  • the 96 bits of decrypted output from decryptor D2 1121 are input into Splitter2 1127.
  • Splitter2 1127 splits the 96 bit output of decryptor D2 1121 into the 32 bit personalization data 220 and the 64 bit anonymous content descrambling key 210.
  • the anonymous content descrambling key 210 is passed to a content descrambler 130.
  • the anonymous content descrambling key 210 is used by the content descrambler 130 as a key to descramble the scrambled content 160, thereby producing descrambled content 180.
  • an arbitrary value, CHIP_TYPE, may be assigned to each type of decryptor chip.
  • applying the secret function to CHIP_TYPE preferably produces a key K_CHIP_TYPE.
  • the broadcaster may preferably divide information needed to decrypt the anonymous content descrambling key 210.
  • a conditional access vendor may only be provided by the broadcaster with information required to generate K_CAM_ID and K_CHIP_TYPE.
  • a chip vendor may only be given information required to generate K_CAS_ID.
  • Fig. 4D is a simplified block diagram illustration of still another alternative preferred embodiment of a descrambling device 100 of Fig. 1.
  • the CAS ID 140 is input into the secret function f1 1210.
  • a value, K_CAS_ID 170, is output.
  • K_CAS_ID 170 may preferably be hard-coded in the conditional access module 300 (Fig. 1).
  • K_CAS_ID 170 may be hard-coded in one of the following: in ROM comprised in the conditional access module 300 (Fig. 1); in EEPROM comprised in the conditional access module 300 (Fig. 1); and in circuitry comprised in the conditional access module 300 (Fig. 1).
  • a 128 bit personalized content descrambling key 150 from the conditional access module 300 (Fig. 1) is input into the descrambling device 100. It is appreciated that, as in the discussions of Figs. 2, 4B, and 4C, bit sizes of data blocks are given by way of example only, and are not meant to be limiting.
  • the 128 bit personalized content descrambling key 150 is input into splitter1 1220.
  • the 128 bit personalized content descrambling key 150 is produced by the conditional access module 300 (Fig. 1) such that personalization data is comprised in the first 64 bit data block (not depicted), and the anonymous content descrambling key is comprised in the second 64 bit data block (not depicted).
  • the first 64 bit data block (not depicted) is input into decryptor D1 1230, which uses K_CAS_ID 170 as a key to decrypt the 64 bit data block (not depicted).
  • the decrypted 64 bit data block (not depicted) is input into splitter 2 1240.
  • Splitter 2 1240 outputs a first 32 bit data block 1250.
  • the first 32 bit data block 1250 is ignored.
  • Splitter 2 also outputs a second 32 bit data block (not depicted), comprising the personalization data.
  • the second 32 bit data block (not depicted) is input into a function f2 1260.
  • a value, K 1270, is output by function f2 1260.
  • the first 32 bit data block 1250 is also preferably input into function f2 1260.
  • Inputting the first 32 bit data block 1250 into function f2 1260 provides yet another alternative preferred embodiment, similar to the preferred embodiments discussed above with reference to Figs. 4B and 4C, where, in the case of the alternative embodiment of Fig. 4D, personalization data (first 32 bit data block 1250) replaces CAM ID as the input to f 113 in Fig. 4B, and as the input to f2 1113 in Fig. 4C.
  • the second 64 bit data block (not depicted) is input into a decryptor D2 1280. Decryptor D2 1280 uses K 1270 as a decryption key to produce the 64 bit anonymous content descrambling key 210.
  • the 64 bit anonymous content descrambling key 210 is used as a decryption key by the content descrambler 130 to descramble the scrambled content 160, thereby producing descrambled content 180.
  • Fig. 5 is a simplified block diagram illustration of a preferred embodiment of the detective device 500, operative to utilize personalization data depicted in Fig. 3, in order to determine a source for a pirated personalized descrambling key.
  • An intercepted encrypted personalized descrambling key 150 is input into the detective device 500.
  • the 96 bit intercepted encrypted personalized descrambling key 150 is decrypted by decryptor D 120.
  • the 96 bit decrypted personalized descrambling key passes through splitter 125.
  • the splitter 125 separates the 32 bits of the personalization data 220 from the 64 bit anonymous content descrambling key 210.
  • the 64 bit anonymous content descrambling key 210 is typically ignored, since the detective device 500 typically has no scrambled content to descramble.
  • the 32 bits of the personalization data 220 are preferably input into a personalization data analyzer 510.
  • the detective device 500 may be adapted to operate with any other preferred embodiment of the present invention.
  • the 64 bit anonymous content descrambling key 210 is used to identify the attacker.
  • a frame may be encrypted a number of times, each time with a different encryption key. Any given device is permitted to decrypt only one encrypted version of the frame and therefore to produce only one of many possible decryption keys. Depending on which particular decryption key is produced, information is derived to assist in determining the identity of the attacker.
  • the anonymous content descrambling key 210 has been described as comprising an anonymous content descrambling key, in fact, the content descrambling key may comprise data corresponding to an identifiable entity.
  • the identifiable entity may comprise one of: an individual; a group of individuals; a device; and a group of devices.
  • the detective device may comprise one of: an individual; a group of individuals; a device; and a group of devices.
  • the 64 bit content descrambling key 210 need not be anonymous, and may be recombined in an appropriate fashion with the 32 bits of the personalization data 220 in order to produce information which may assist in determining the identity of the attacker.
  • the personalization data analyzer 510 is operative to analyze the personalization data 220 and determine, from the data comprised therein, the source of the personalization data.
  • the detective device 500 then preferably outputs the identity of the source of the personalization data 520. For example and without limiting the generality of the foregoing, if the personalization data comprises a unique CAM identification number or a subscriber number, as explained above, the unique CAM identification number or subscriber number are determined and output.
  • Fig. 6 is a simplified flow chart of a preferred method of operation of the apparatus of Fig. 5. The method of Fig. 6 is believed to be self explanatory in light of the above discussion of Fig. 5. Reference is now made to Figs. 7 - 13, of which: Fig. 7 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4A;
  • Fig. 8 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 2;
  • Fig. 9 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4B;
  • Fig. 10 is a simplified flow chart illustration, of a preferred method of operation of the apparatus of Fig. 4C;
  • Fig. 11 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4D;
  • Fig. 12 is a simplified flow chart illustration of an alternative preferred method of operation of the apparatus of Fig. 4A; and Fig. 13 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 5.
  • 2004/0213406 is not easily made to comply with the DVB SimulCrypt model, and also requires calculations which are comparatively computationally intensive. It is appreciated that the present invention is not meant to prevent key distribution attacks, but rather to provide a way of reacting to such attacks by identifying a source of key distribution. Once the source of key distribution is identified, steps can be taken to close down the identified source.
  • the 96 bit decrypted personalized descrambling key 155 may alternatively comprise other data which can preferably be used for other purposes as well.
  • the 96 bit decrypted personalized descrambling key 155 can be used for copy protection.
  • information passed to the descrambling device may be utilized by the descrambling device to identify black listed control words, which originate from a known pirated device. For example and without limiting the generality of the foregoing, if the anonymous content descrambling key 210 is on a black list, then the descrambling device preferably does not descramble scrambled content.
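The following worked example is added here and is not code from the patent: it models the Fig. 3 / Fig. 4A personalization at the conditional access module, the Fig. 2 descrambler, the NOT(X) redundancy check and the Fig. 5 detective device end to end. Assumed stand-ins, not specified by the description: HMAC-SHA256 under a constructed global secret for the secret function f 110, a 4-round Feistel permutation over the 96-bit value in place of the AES-based encryptor E 320 / decryptor D 120, a 16-bit CAM ID followed by its bitwise NOT as the 32-bit personalization data 220, and constructed sample values.

```python
import hmac
import hashlib

# Constructed global secret behind the secret function f 110 (assumption: the
# description only says f may be, e.g., AES under a key shared by all devices).
GLOBAL_SECRET = b"constructed-global-secret-for-f"
MASK48 = (1 << 48) - 1

def secret_function_f(cas_id: int) -> bytes:
    """f 110: public CAS ID 140 -> secret K_CAS_ID 170 (HMAC-SHA256 stand-in)."""
    return hmac.new(GLOBAL_SECRET, cas_id.to_bytes(2, "big"), hashlib.sha256).digest()

def _round_fn(key: bytes, i: int, half: int) -> int:
    """Keyed 48-bit round function for the Feistel permutation below."""
    msg = bytes([i]) + half.to_bytes(6, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:6], "big")

def encrypt96(key: bytes, v: int) -> int:
    """Encryptor E 320: a 4-round Feistel permutation of the whole 96-bit value.
    A wide-block permutation is what makes the result functionally non-separable."""
    left, right = v >> 48, v & MASK48
    for i in range(4):
        left, right = right, left ^ _round_fn(key, i, right)
    return (left << 48) | right

def decrypt96(key: bytes, c: int) -> int:
    """Decryptor D 120: exact inverse of encrypt96 (rounds in reverse order)."""
    left, right = c >> 48, c & MASK48
    for i in reversed(range(4)):
        left, right = right ^ _round_fn(key, i, left), left
    return (left << 48) | right

def make_personalization_data(cam_id: int) -> int:
    """Personalization data 220 = 16-bit CAM ID || NOT(CAM ID): the NOT(X) redundancy."""
    return (cam_id << 16) | (~cam_id & 0xFFFF)

def redundancy_ok(pd: int) -> bool:
    """A wrong key yields nonsense plaintext; the NOT(X) redundancy exposes that."""
    return (pd >> 16) == (~pd & 0xFFFF)

def combine(cw: int, pd: int, xor_variant: bool = False) -> int:
    """Cat[cw, pd] (Fig. 3) or the alternative Cat[cw XOR pd, pd]; 64 + 32 = 96 bits."""
    if xor_variant:
        cw ^= pd
    return (cw << 32) | pd

def split(v: int, xor_variant: bool = False) -> tuple:
    """Splitter 125: recover (anonymous CW 210, personalization data 220)."""
    cw, pd = v >> 32, v & 0xFFFFFFFF
    if xor_variant:
        cw ^= pd
    return cw, pd

def cam_personalize(cas_id: int, cw: int, cam_id: int, xor_variant: bool = False) -> int:
    """Conditional access module 300 (Fig. 4A): produce encrypted personalized key 150."""
    pd = make_personalization_data(cam_id)
    return encrypt96(secret_function_f(cas_id), combine(cw, pd, xor_variant))

def descrambler_recover_cw(cas_id: int, enc: int, xor_variant: bool = False) -> int:
    """Descrambling device 100 (Fig. 2): decrypt, split, verify, keep only the 64-bit CW."""
    cw, pd = split(decrypt96(secret_function_f(cas_id), enc), xor_variant)
    if not redundancy_ok(pd):
        raise ValueError("wrong K_CAS_ID or tampered key 150")
    return cw  # the 32 bits of personalization data are ignored by the descrambler

def detective_identify(cas_id: int, intercepted: int, xor_variant: bool = False):
    """Detective device 500 (Fig. 5): CAM ID behind a key seen at theft point 350, or None."""
    _cw, pd = split(decrypt96(secret_function_f(cas_id), intercepted), xor_variant)
    return pd >> 16 if redundancy_ok(pd) else None

def plaintext_bits_changed(cas_id: int, enc: int, bit: int) -> int:
    """Non-separability check: plaintext bits that change when one ciphertext bit flips."""
    key = secret_function_f(cas_id)
    return bin(decrypt96(key, enc) ^ decrypt96(key, enc ^ (1 << bit))).count("1")
```

Flipping a single bit of the intercepted key 150 scrambles both halves of the plaintext, so an eavesdropper cannot swap in different personalization data without also destroying the content descrambling key.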

Abstract

The invention relates to a method for producing fingerprinted descrambling keys. The method comprises providing a conditional access module, supplying it with a content descrambling key and personalization data that contain data associated with the above-mentioned module, combining the content descrambling key and the personalization data, encrypting the combined key and data according to a key, and outputting the combined and encrypted content descrambling key and personalization data. Related methods and apparatus are also described.
PCT/IL2006/000472 2006-04-11 2006-04-11 Dactyloscopie de clés de désembrouillage WO2007116390A2 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IL2006/000472 WO2007116390A2 (fr) 2006-04-11 2006-04-11 Dactyloscopie de clés de désembrouillage

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IL2006/000472 WO2007116390A2 (fr) 2006-04-11 2006-04-11 Dactyloscopie de clés de désembrouillage

Publications (2)

Publication Number Publication Date
WO2007116390A2 true WO2007116390A2 (fr) 2007-10-18
WO2007116390A3 WO2007116390A3 (fr) 2009-05-07

Family

ID=38581473

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2006/000472 WO2007116390A2 (fr) 2006-04-11 2006-04-11 Dactyloscopie de clés de désembrouillage

Country Status (1)

Country Link
WO (1) WO2007116390A2 (fr)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011064613A1 (fr) * 2009-11-25 2011-06-03 Serela Contre-mesures pour lutter contre le partage de carte
EP2369778A1 (fr) * 2010-03-26 2011-09-28 Irdeto B.V. Désembrouilleur personnalisé de boîte blanche
EP2373020A1 (fr) * 2010-03-29 2011-10-05 Irdeto B.V. Suivi de l'utilisation non autorisée de modules sécurisés
EP2391125A1 (fr) * 2010-05-26 2011-11-30 Nagra France Sas Procédé de sécurité pour prévenir l'utilisation non autorisée de contenus multimédia
EP2393293A1 (fr) * 2010-06-01 2011-12-07 Nagravision S.A. A method and apparatus for decrypting encrypted content
US20140079216A1 (en) * 2012-09-20 2014-03-20 Cisco Technology Inc. Method and System for Prevention of Control Word Sharing

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6510519B2 (en) * 1995-04-03 2003-01-21 Scientific-Atlanta, Inc. Conditional access system
US6845159B1 (en) * 1998-10-07 2005-01-18 Protego Information Ab Processing method and apparatus for converting information from a first format into a second format
US20030061477A1 (en) * 2001-09-21 2003-03-27 Kahn Raynold M. Method and apparatus for encrypting media programs for later purchase and viewing

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011064613A1 (fr) * 2009-11-25 2011-06-03 Serela Contre-mesures pour lutter contre le partage de carte
EP2369778A1 (fr) * 2010-03-26 2011-09-28 Irdeto B.V. Désembrouilleur personnalisé de boîte blanche
CN102238430A (zh) * 2010-03-26 2011-11-09 爱迪德有限责任公司 个性化白箱解扰器
US8594330B2 (en) 2010-03-26 2013-11-26 Irdeto Corporate B.V. Personalized whitebox descramblers
EP2373020A1 (fr) * 2010-03-29 2011-10-05 Irdeto B.V. Suivi de l'utilisation non autorisée de modules sécurisés
EP2391125A1 (fr) * 2010-05-26 2011-11-30 Nagra France Sas Procédé de sécurité pour prévenir l'utilisation non autorisée de contenus multimédia
EP2391126A1 (fr) * 2010-05-26 2011-11-30 Nagra France Sas Procédé de sécurité pour prévenir l'utilisation non autorisée de contenus multimédia
US8571213B2 (en) 2010-05-26 2013-10-29 Nagra France Sas Security method for preventing the unauthorized use of multimedia contents
US8494160B2 (en) 2010-06-01 2013-07-23 Nagravision S.A. Method and apparatus for decrypting encrypted content
EP2393292A1 (fr) * 2010-06-01 2011-12-07 Nagravision S.A. Procédé et appareil de décryptage d'un contenu crypté
EP2393293A1 (fr) * 2010-06-01 2011-12-07 Nagravision S.A. A method and apparatus for decrypting encrypted content
KR101803974B1 (ko) 2010-06-01 2017-12-01 나그라비젼 에스에이 암호화 컨텐츠를 복호화하기 위한 방법 및 장치
US20140079216A1 (en) * 2012-09-20 2014-03-20 Cisco Technology Inc. Method and System for Prevention of Control Word Sharing
GB2506219A (en) * 2012-09-20 2014-03-26 Nds Ltd Prevention of control word (CW) sharing by CW and security element identifier (ID) combination and temporal key encryption
US9124770B2 (en) 2012-09-20 2015-09-01 Cisco Technology Inc. Method and system for prevention of control word sharing
GB2506219B (en) * 2012-09-20 2016-06-29 Nds Ltd Method and system for prevention of control word sharing

Also Published As

Publication number Publication date
WO2007116390A3 (fr) 2009-05-07

Similar Documents

Publication Publication Date Title
US20130262869A1 (en) Control word protection
KR101620246B1 (ko) 콘텐츠의 보안 배포
US9608804B2 (en) Secure key authentication and ladder system
EP1562318B1 (fr) Système et procédé pour la transmission des clés avec un attachement fort au client destinataire
CA2737413C (fr) Partage de cles simulcrypt avec des cles hachees
CN105247883B (zh) 用于给媒体内容加水印的方法以及实现这一方法的系统
US20070180464A1 (en) Method and system for restricting use of data in a circuit
CN101282456B (zh) 数字电视条件接收方法和设备
JPH10271105A (ja) セキュリティ要素からデコーダへ伝送される情報アイテムを保護する方法及びそのような方法を使用する保護システム
US8594330B2 (en) Personalized whitebox descramblers
KR20110096056A (ko) 추가적인 키 층들을 이용하는 콘텐트 복호화 디바이스 및 암호화 시스템
WO2007116390A2 (fr) Dactyloscopie de clés de désembrouillage
KR20150064042A (ko) 디지털 데이터 블록 암호화 및 해독화 방법
US10411900B2 (en) Control word protection method for conditional access system
Eskicioglu et al. A key transport protocol based on secret sharing applications to information security
EP3610652A1 (fr) Réception de contenu audio et/ou vidéo
FR3072848B1 (fr) Procede de reception et de dechiffrement, par un processeur electronique de securite, d'un cryptogramme d'un mot de controle
JP2009089243A (ja) デジタル放送受信装置および方法
WO2014154236A1 (fr) Obtenir ou fournir des données de clé
US9847984B2 (en) System for efficient generation and distribution of challenge-response pairs
JP2005191847A (ja) 放送装置及び受信装置
KR20180007286A (ko) 조건부 액세스 시스템의 컨트롤 워드 보호

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 06728273

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06728273

Country of ref document: EP

Kind code of ref document: A2