CN112602288A - Method for obtaining a sequence of encryption keys - Google Patents


Info

Publication number: CN112602288A
Authority: CN (China)
Prior art keywords: key, time, receiver, server, value
Legal status: Pending
Application number: CN201980055283.0A
Other languages: Chinese (zh)
Inventor: 昆汀·齐泽
Current Assignee: Viaccess SAS
Original Assignee: Viaccess SAS
Application filed by Viaccess SAS
Publication of CN112602288A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L 9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Abstract

Method for obtaining L encryption keys k_{1,m}, ..., k_{i,m}, k_{i+1,m}, ..., k_{L,m}, wherein: before time t_{1,m}, the receiver group establishes (140) a first connection to the key server and receives during this first connection the information required to obtain the key k_{1,m}; then, for each index i between 2 and L: the receiver group obtains (150) the subsequent key k_{i,m} by executing a key derivation algorithm initialized with the previous key k_{i-1,m}, without the aid of any information other than that received during the first connection; and the average time TC_{i,m} taken by the receiver group to obtain the key k_{i,m} by executing the key derivation algorithm is greater than 0.2 V_{i-1,m}, where V_{i-1,m} is the duration of the validity interval of the previous key k_{i-1,m}.

Description

Method for obtaining a sequence of encryption keys
The invention relates to a method for obtaining a sequence of encryption keys and to a method for securely transmitting digital content by implementing the obtaining method. The invention also relates to a data storage medium, a receiver and a key server for implementing the method for obtaining a key sequence.
A method is known for obtaining L encryption keys k_{1,m}, ..., k_{i,m}, k_{i+1,m}, ..., k_{L,m} by means of a group of electronic receivers, wherein:
- the index i is the sequence number of the key k_{i,m} in the key sequence,
- L is an integer greater than or equal to two, and
- whatever the index i between 1 and L, the key k_{i,m} is intended to be used only during a validity interval [t_{i,m}, t_{i+1,m}[ of duration V_{i,m}, where t_{i,m} and t_{i+1,m} are respectively the start time and the end time of the validity interval.
In these known methods:
- before a time t_{1,m}, the receiver group establishes a first connection with the key server and receives during this first connection the information required to derive the key k_{1,m}; then
- for each index i between 2 and L, before a time t_{i,m}, the receiver group obtains the key k_{i,m}.
One such method is disclosed in patent application EP 2567500. In EP2567500, each key k_{i,m} is used to process a single given block CP_{i,m} of the multimedia content, whose playing time is called a "cryptoperiod" (key validity period). The term cryptoperiod also refers to the block CP_{i,m} itself. The key k_{i,m} is therefore valid during the time interval [t_{i,m}; t_{i+1,m}[ corresponding to the cryptoperiod CP_{i,m}, i.e. the interval during which the cryptoperiod CP_{i,m} of the multimedia content is played. Consequently, to be able to decrypt the cryptoperiod CP_{i,m}, the receiver must have obtained the key k_{i,m} before time t_{i,m}. Ideally, the key k_{i,m} must be obtained as late as possible before time t_{i,m}, in order to minimize its exposure to cryptanalysis or attack attempts at the receiver. Typically, the key k_{i,m} is obtained during the previous cryptoperiod, i.e. in the interval [t_{i-1,m}; t_{i,m}[. Under these conditions, the key k_{i,m} is exposed to cryptanalysis or attack attempts only during part of the interval [t_{i-1,m}; t_{i,m}[, i.e. typically for a duration of up to about ten seconds. The short duration of this interval makes it difficult to attack.
To obtain a key k_{i,m}, the receiver must connect to the key server. Therefore, absent any specific arrangement, the receiver must connect to the key server every cryptoperiod. Since the number of receivers that need to connect to the same key server can be very large, i.e. greater than 1000 or 10000, the number of connections that the key server must be able to handle during one cryptoperiod is also very large.
To limit the computing resources required to implement such a key server, EP2567500 discloses in particular that, during the connection to the key server, not only the key k_{1,m} valid for decrypting the next cryptoperiod CP_{1,m} is transmitted to each receiver, but also the keys k_{1,m}; ...; k_{L,m} used to decrypt the next L cryptoperiods. Thus, the receiver does not need to connect to the key server every cryptoperiod, but only every L cryptoperiods.
EP2567500 also discloses that transmitting such a key sequence to a receiver in this way, before the keys are useful, reduces the security of the method. In practice, for example, the key k_{L,m} of the sequence of L keys k_{1,m}; ...; k_{L,m} is received before the cryptoperiod CP_{1,m} but is only used from time t_{L,m} onwards. The key k_{L,m} is therefore exposed to attack attempts during L consecutive cryptoperiods. In contrast, if no key k_{i,m} is transmitted to the receiver in advance, the same key k_{L,m} is exposed to attack attempts during at most a single cryptoperiod.
To remedy this problem while limiting the number of simultaneous connections to the key server, EP2567500 proposes adjusting the number L of keys transmitted in advance to each receiver according to the probability of the receiver being compromised by an attack attempt. It is thus possible both to reduce the number of connections to be established with the key server and to maintain a high level of security.
Also known from the prior art are:
- EP2460308A1, and
- Biming Tian et al.: "An Effective Self-Healing Key Distribution Scheme", New Technologies, Mobility and Security, NTMS '08, IEEE, 5/11/2008, pages 1-5.
EP2460308 describes a solution for improving the robustness of a secure data transmission system to faults in the data transmission network, such as packet losses. To this end, only in case of network failure, the receiver can construct a new encryption key that may be the decryption key used during the time interval [i; i+1[. When the data transmission network is functioning properly, the number of connections of the receiver to the server is not reduced.
The present invention aims to solve the same problem as EP2567500, but without taking the security level of the receiver into account for this purpose. One subject of the invention is therefore a method as claimed in claim 1.
Embodiments of the obtaining method may comprise one or more of the features of the dependent claims.
Another subject of the invention is a method for the secure transmission of digital content.
Another subject of the invention is a data storage medium readable by a microprocessor and comprising instructions for implementing the method subject of the present patent application when these instructions are executed by the microprocessor.
Another subject of the invention is a receiver group for implementing the obtaining method that is the subject of the present patent application.
Finally, another subject of the invention is a key server for implementing the obtaining method that is the subject of the present patent application.
The invention will be better understood from reading the following description, made with reference to the accompanying drawings, which are given by way of non-limiting example only, and in which:
figure 1 is a schematic view of an encryption system for transmitting and receiving multimedia content;
figure 2 is a flow chart of a method for secure transmission of multimedia content implemented in the system of figure 1;
figures 3 and 4 are flow charts of two different variants of the method of figure 2.
Chapter 1: Terminology
In the drawings, like reference numerals are used to indicate like elements.
Features and functions well known to those skilled in the art are not described in detail below in the present specification.
Examples of embodiments are given in the specific case of a system for conditional access to multimedia content. Therefore, terminology specific to this case is used. Several specific definitions of these terms are given below. For more information about this terminology, the reader is referred to the following document: "Functional Model of Conditional Access System", EBU Review, Technical European Broadcasting Union, Brussels, BE, No. 266, 12.21.1995.
Herein, the terms "scrambling" and "descrambling" are considered synonyms of "encryption" and "decryption", respectively.
"Multimedia content" refers to audio and/or video content intended to be reconstituted into a form that can be directly perceived and understood by a human. Typically, multimedia content corresponds to a sequence of images forming a movie, a television program or an advertisement. The multimedia content may also be interactive content such as a game.
"Plaintext" data or "plaintext data" corresponds to data before it is scrambled or encrypted. It is thus directly understandable by a person without having to resort to a descrambling operation, and its visualization is not subject to any condition.
In order to keep the visualization of the multimedia content secure and subject to certain conditions, such as a paid subscription, the multimedia content is distributed in scrambled rather than plaintext form. More precisely, each multimedia content is divided into a sequence of cryptoperiods. The access conditions to the scrambled multimedia content remain unchanged for the whole duration of a cryptoperiod. In particular, the multimedia content is scrambled with the same encryption key (known by the term "control word") for the entire duration of the cryptoperiod. Generally, the control word changes from one cryptoperiod to the next.
Herein, a "cryptogram" refers to data or information that is not sufficient by itself to recover the plaintext data (i.e. the data from which the cryptogram was established before encryption was applied). Thus, if the transmission of the cryptogram is intercepted, knowledge of the cryptogram alone does not allow the plaintext data to be recovered. To recover the plaintext data, the cryptogram must be combined with secret information. The secret information is typically an encryption key that allows the cryptogram to be decrypted. However, the cryptogram may also be a reference to data stored in a table containing a plurality of similar data. In this case, the secret information is the table associating each cryptogram with plaintext data.
Chapter 2: Notation
The notation defined in this section is used throughout this patent application.
CP_m is the m-th cryptoperiod of the multimedia content.
The subscript "m" is a sequence number identifying a position relative to a reference point. The reference point may be an absolute origin independent of the multimedia content, or an origin relative to the transmitted multimedia content. Hereinafter, the reference point is a relative origin: the start of the multimedia content. Thus, the cryptoperiod CP_1 is the first cryptoperiod of the multimedia content, the cryptoperiod CP_2 is the second cryptoperiod of the multimedia content, and so on.
k_m is an encryption key, known by the term "control word", used only for scrambling and descrambling the cryptoperiod CP_m. The key k_m is thus used immediately after the preceding key k_{m-1} and immediately before the next key k_{m+1}.
t_m and t_{m+1} are respectively the times at which the cryptoperiod CP_m starts and ends when it is played by the receiver. Thus, time t_1 corresponds to the start of the first cryptoperiod CP_1 of the multimedia content.
The time interval [t_m; t_{m+1}[ corresponds to the interval during which the cryptoperiod CP_m is played by the receiver. The interval [t_m; t_{m+1}[ is also the validity interval of the key k_m used to scramble the cryptoperiod CP_m. Indeed, the key k_m can only be used to descramble the multimedia content during the interval [t_m; t_{m+1}[. Outside this time interval, the key k_m does not allow the multimedia content to be descrambled correctly.
V_m is the duration of the interval [t_m; t_{m+1}[. When all intervals [t_m; t_{m+1}[ have the same duration, and thus when the duration V_m is independent of the subscript m, this duration is simply denoted V.
ECM_m is an Entitlement Control Message (ECM). The ECM_m message is the ECM message containing the identifier of the key k_m that allows the cryptoperiod CP_m to be descrambled.
SE_p is the key sequence k_1; ...; k_m; k_{m+1}; ...; k_N, i.e. the ordered sequence of keys k_1 to k_N, where N is the number of keys in the sequence SE_p.
SR_m is the key sequence k_m; k_{m+1}; ...; k_{m+L-1}, i.e. the sequence of keys k_m to k_{m+L-1}, where L is the number of keys in the sequence SR_m. The number L is systematically less than or equal to a pre-stored threshold L_max. The threshold L_max is less than N, for example two, ten or one hundred times smaller than N. The number L_max is an integer greater than or equal to two, pre-stored in the memory 110. The number L_max is the maximum size of the sequence SR_m. Thus, each sequence SR_m is much shorter than the sequence SE_p.
k_{i,m} is the i-th key of the sequence SR_m. The subscript i indicates the position of the key k_{i,m} in the sequence SR_m relative to the first key k_m of the sequence. The index i is the sequence number of the key k_{i,m} in the sequence SR_m. For the first key of the sequence SR_m, the index i has the value 1. Thus, the key k_{i,m} is equal to the key k_{i+m-1}. The same notation is also used for any variable associated with the key k_{i,m}. For example, the symbol C_{i,m} denotes the control information C_{i+m-1} associated with k_{i,m}.
Chapter 3: Examples of embodiments
Fig. 1 shows a system 2 for transmitting and receiving scrambled multimedia content. For example, multimedia content corresponds to a sequence of audiovisual programs such as television programs or movies.
Plaintext multimedia content is generated by one or more sources 4 and transmitted to a transmitting device 6. The device 6 transmits the multimedia content to a plurality of receivers synchronously via a data transmission network 8. The number of receivers is typically very large, i.e. greater than 1000 or 10000. To simplify fig. 1, only three receivers 10 to 12 are shown.
The network 8 is typically a long-range data transmission network, such as an internet network or a satellite network, or any other transmission network, such as a transmission network for transmitting terrestrial digital television (TNT).
The device 6 comprises an encoder 16 which compresses the multimedia content it receives. The encoder 16 processes digital multimedia content. For example, the encoder operates according to the MPEG-2 (Moving Picture Experts Group-2) standard or the UIT-T H.264 standard.
The compressed multimedia content is directed to an input 20 of a scrambler 22. The scrambler 22 scrambles each compressed multimedia content so that its visualization is limited by certain conditions (such as the purchase of access rights by the user of the receiver). The scrambled multimedia content is sent to an output 24 connected to an input of a multiplexer 26.
The scrambler 22 scrambles each cryptoperiod CP_m of the compressed multimedia content using the corresponding key k_m (known in the field of conditional access systems by the term "control word"). Typically, the scrambling conforms to a standard such as DVB-CSA (Digital Video Broadcasting - Common Scrambling Algorithm), ISMACryp (Internet Streaming Media Alliance Cryp), SRTP (Secure Real-time Transport Protocol), AES (Advanced Encryption Standard), etc.
The duration V_m of a cryptoperiod CP_m is typically greater than five seconds and preferably between 5 seconds and 10 minutes. In the present embodiment, all cryptoperiods CP_m have the same duration V.
The device 6 also comprises an access control system 28, better known by the abbreviation CAS (Conditional Access System). Here, for each cryptoperiod CP_m, the system 28:
- transmits the key k_m to be used for scrambling this cryptoperiod to the scrambler 22, and
- generates an ECM_m message containing at least the identifier Id_m of the key k_m to be used for descrambling the cryptoperiod CP_m.
The ECM_m message is here associated with the cryptoperiod CP_m by means of the multiplexer 26. To this end, in this example, the ECM_m message and the cryptoperiod CP_m are synchronized in time with respect to each other by multiplexing them on the same audiovisual signal transmitted over the network 8. More precisely, the ECM_m message is transmitted to the receivers during the cryptoperiod CP_{m-1} immediately preceding the cryptoperiod CP_m.
Here, the receivers 10 to 12 are identical, and only the receiver 10 is explained in more detail.
The receiver 10 comprises a module 70 for receiving the transmitted multimedia content. This module 70 is connected to the input of a demultiplexer 72. The demultiplexer 72 transmits, on the one hand, each received scrambled cryptoperiod CP_m to the descrambler 74 and, on the other hand, the ECM and EMM (Entitlement Management Message) messages to the processor 76.
The processor 76 processes confidential information such as encryption keys. In order to protect the confidentiality of this information, it is designed to be as robust as possible against hacking attempts. It is therefore more robust against these attacks than the other components of the receiver 10. This robustness is obtained, for example, by implementing software modules dedicated to protecting the secret information.
The processor 76 is implemented, for example, using a programmable microprocessor 77 capable of executing instructions stored on a data storage medium. To this end, the processor 76 also includes a memory 78 containing the instructions necessary to perform the method of FIG. 2.
The memory 78 also includes, for example:
- a single symmetric secret encryption key shared with the key server 106;
- an asymmetric secret key and the associated cryptographic certificate, i.e. the associated public key, for authenticating the receiver 10.
The memory 78 also contains a local table 79 containing the currently available keys k_m.
The descrambler 74 descrambles the scrambled multimedia content using the key k_m transmitted by the processor 76. The descrambled multimedia content is transmitted to a decoder 80 which decodes it. The decompressed or decoded multimedia content is transmitted to a graphics card 82 which drives the display of the multimedia content on a display 84 provided with a screen 86.
The display 84 displays the multimedia content plaintext on a screen 86.
The receiver 10 also includes a transceiver 88 that allows a secure connection to be established between the processor 76 and the headend 90 via a data transmission network 92. For example, the network 92 is a long-range data transmission network, and more specifically a packet-switched network (such as the internet). The secure connection is, for example, a secure tunnel using an encrypted certificate of the processor 76.
The head end 90 comprises a module 100 for managing the access rights of the different users of the system 2. This module 100 is more known by the term "user authorization system". The module 100 generates and updates a database 102. The database 102 associates each user identifier with the access rights acquired by the user. The database 102 is stored in a memory 104.
The headend 90 also includes a key server 106. The server 106 comprises, inter alia, a generator 108 of keys k_m and a memory 110.
The memory 110 includes:
- a counter C_nbc of the number of connections per unit time, and
- a table 112 containing each generated key k_m and, for each key k_m whose index is greater than or equal to 1, the control information C_m.
The counter C_nbc counts the number of connections per unit time established by all the receivers of the system 2 with the server 106. Typically, the counter C_nbc holds the number of such connections recorded during a sliding time window of duration ΔT. The sliding window ends at the current time. The duration ΔT is, for example, between V and 24 hours, or between V and 1 hour.
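The sliding-window counter C_nbc described above, as an added Python example (it is not code from the patent or from Viaccess). It assumes connection timestamps expressed in seconds, recorded in non-decreasing order, and counts the connections in the window (now - ΔT, now]; the class and method names are constructed for this illustration.

```python
from collections import deque
from typing import Deque


class ConnectionCounter:
    """Counter C_nbc: connections recorded in a sliding window of duration
    delta_t that ends at the current time (constructed illustration)."""

    def __init__(self, delta_t: float) -> None:
        if delta_t <= 0:
            raise ValueError("window duration must be positive (e.g. V .. 24 h)")
        self.delta_t = delta_t
        self._times: Deque[float] = deque()   # timestamps of recorded connections

    def record(self, t: float) -> None:
        """Record one receiver connection established at time t (seconds)."""
        if self._times and t < self._times[-1]:
            raise ValueError("timestamps must be recorded in non-decreasing order")
        self._times.append(t)

    def count(self, now: float) -> int:
        """Drop connections at or before now - delta_t, return how many remain."""
        cutoff = now - self.delta_t
        while self._times and self._times[0] <= cutoff:
            self._times.popleft()
        return len(self._times)

    def rate(self, now: float) -> float:
        """Connections per second over the window (the 'per unit time' reading)."""
        return self.count(now) / self.delta_t


def demo_window() -> int:
    """Constructed sample: four connections, window of 60 s, read at t = 70 s."""
    counter = ConnectionCounter(delta_t=60.0)
    for t in (0.0, 10.0, 50.0, 70.0):   # constructed connection times
        counter.record(t)
    return counter.count(now=70.0)      # only the connections at 50 s and 70 s remain


if __name__ == "__main__":
    print("connections in window:", demo_window())
```

The deque keeps memory proportional to the connections inside the window rather than to the history, which matters for a server facing more than 1000 or 10000 receivers; the cutoff comparison is what turns a raw connection log into the "per unit time" value the server later uses.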
Typically, the server 106 is implemented using a programmable microprocessor 114 capable of executing instructions stored on a data storage medium. To this end, the memory 110 also includes the instructions for performing the method of figure 2.
The operation of the system 2 will now be described in more detail with reference to the method of figure 2. Here, it is assumed that table 79 is initially empty.
The method starts, in response to a request for content transmission, with an initialization phase 114 of the values of the different parameters required for carrying out the subsequent steps. The values of these parameters are stored in memory 110. These parameters are presented step by step in the description of the following steps. So, although it is positioned chronologically before the following steps, in the present description the way in which the values of these parameters are set during stage 114 is explained after these steps. Once phase 114 terminates, the transmission of the multimedia content may begin.
During step 116, the generator 108 generates the keys k_m of the sequence SE_p one by one. Each key k_m of the sequence is used to scramble the corresponding cryptoperiod CP_m of the multimedia content to be transmitted. Over time, the generator 108 successively generates the keys k_1 to k_N. Here, the number N of keys in the sequence SE_p is, for example, equal to or greater than the number of cryptoperiods CP_m of the multimedia content to be scrambled.
To generate the sequence SE_p, the generator 108 starts by obtaining the key k_1 and then, for any index m greater than or equal to two, derives the subsequent key k_m from the previous key k_{m-1} by executing a key derivation algorithm D1.
During operation 117, the generator 108 obtains the key k_1, e.g. by randomly or pseudo-randomly drawing it from a set E_k. Here, the set E_k includes all integers whose binary representation has at most N_k bits. The number N_k is pre-stored in the memory 110. For example, the number N_k is equal to 16, 32, 48 or 56. The generated key k_1 is then stored in table 112.
Next, during operation 118, the generator 108 derives each subsequent key k_m from the previous key k_{m-1} by executing the same algorithm D1, parameterized with the previous key k_{m-1}. It is therefore not possible to generate the key k_m before the key k_{m-1} has been generated. The keys k_m are thus generated one by one.
Here, the algorithm D1 is also parameterized by a parameter PC_p which, as explained below, allows the average number of operations performed by the receiver to obtain the key k_m from the key k_{m-1} to be increased or decreased. The parameter PC_p thus allows the average execution time TC_{i,m} of the second derivation algorithm D2, executed by the receiver to derive the key k_{i,m}, to be increased or decreased. The average time TC_{i,m} is the average of the time elapsed between the moment when the processor 76 starts executing the algorithm D2 to obtain the key k_{i,m} and the moment when the processor 76 terminates the execution of the algorithm D2 because the key k_{i,m} has been obtained. The average time TC_{i,m} thus generally corresponds to the average of the times spent by the processors 76 of the terminals of the system 2 to obtain the key k_{i,m} by executing the algorithm D2. In this first embodiment, the parameter PC_p is the size of a set E_R of integers. The set E_R includes all integers whose binary representation has at most N_R bits. For example, the number N_R is equal to the value of the parameter PC_p.
In this embodiment, the algorithm D1 is a key computation involving a random draw of a number R from the set E_R. Hereinafter, this type of algorithm is referred to as a "random key computation". For example, each time the algorithm D1 is executed, the generator 108 performs the following operations to generate the subsequent key k_m:
1) draw, randomly or pseudo-randomly, a number R_m from the set E_R, then
2) compute the key k_m using the relation k_m = F1(R_m // k_{m-1}), where:
- the symbol "//" denotes an operation combining the value of the key k_{m-1} with the number R_m, and
- F1 is a function known to the generator 108 and to the receivers.
For example, here, the operation "//" is an exclusive-or, usually denoted XOR. The function F1 is typically a one-way function. For example, the function F1 is selected from the group G1 of one-way functions consisting of symmetric cryptographic functions, asymmetric cryptographic functions and hash functions.
In the present embodiment, during an additional operation 119, for each key k_m generated by executing the algorithm D1, the generator 108 also generates control information C_m. The control information C_m is a parameter of the algorithm D2 required to obtain the key k_m from the key k_{m-1}. In the present embodiment, the control information C_m is information that allows the receiver to know which number R_m makes it possible to obtain the key k_m from the previous key k_{m-1}. For example, the control information C_m is computed by the generator 108 using the relation C_m = H1(k_m), where H1 is a one-way cryptographic function. Since H1 is a one-way function, i.e. one for which it is very difficult to compute a pre-image from its image, the key k_m cannot be derived from knowledge of the control information C_m alone. The function H1 is also typically selected from the group of functions G1. Here, the functions F1 and H1 are identical. For example, F1 and H1 are the same hash function.
Each key k_m generated by executing the algorithm D1 is stored in table 112 in association with its control information C_m. The generator 108 also transmits each key k_m to the system 28.
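The random key computation D1 and the control information C_m = H1(k_m) described in operations 118 and 119, together with the receiver-side work they imply, as an added Python example that is not code from the patent or from Viaccess. It assumes F1 = H1 = SHA-256 truncated to N_k bits, XOR as the "//" combining operation, and, since the page defers the description of algorithm D2, that the receiver recovers k_m by trying the candidates R of E_R until one reproduces C_m (an assumption, labelled as such in the code); the function names and the parameter values N_k = 56 and N_R = 16 are constructed for this illustration.

```python
import hashlib
import secrets
import time
from typing import List, Optional, Tuple

# Constructed parameter choices: N_K from the page's example values, N_R kept
# small so that the receiver-side search below finishes in well under a second.
N_K = 56   # keys k_m are integers of at most N_K bits (set E_k)
N_R = 16   # draws R_m are integers of at most N_R bits (set E_R); PC_p = N_R


def f1(x: int) -> int:
    """One-way function F1: SHA-256 of x, truncated to N_K bits (assumed choice)."""
    digest = hashlib.sha256(x.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << N_K) - 1)


h1 = f1   # page: "F1 and H1 are the same hash function"


def generator_d1(k_prev: int, n_r: int = N_R, r: Optional[int] = None) -> Tuple[int, int]:
    """Algorithm D1 on the key server: draw R_m from E_R, compute
    k_m = F1(R_m XOR k_{m-1}) and the control information C_m = H1(k_m)."""
    if r is None:
        r = secrets.randbelow(1 << n_r)          # random draw from E_R
    elif not 0 <= r < (1 << n_r):
        raise ValueError("R_m must belong to E_R")
    k_m = f1(r ^ k_prev)
    return k_m, h1(k_m)


def receiver_d2(k_prev: int, c_m: int, n_r: int = N_R) -> Tuple[int, int]:
    """Assumed receiver-side algorithm D2: with only k_{m-1} and C_m, try each
    R in E_R until H1(F1(R XOR k_{m-1})) == C_m.  Returns (k_m, candidates tried);
    the expected number of candidates is 2**(n_r-1), which is what PC_p tunes."""
    for r in range(1 << n_r):
        cand = f1(r ^ k_prev)
        if h1(cand) == c_m:
            return cand, r + 1
    raise ValueError("no R in E_R reproduces C_m: control information is corrupt")


def build_sequence(k1: int, n: int, n_r: int = N_R) -> Tuple[List[int], List[Optional[int]]]:
    """Server-side contents of table 112: keys k_1..k_n and C_2..C_n (C_1 is None)."""
    keys, ctrl = [k1], [None]
    for _ in range(2, n + 1):
        k_m, c_m = generator_d1(keys[-1], n_r)
        keys.append(k_m)
        ctrl.append(c_m)
    return keys, ctrl


def derive_chain(k1: int, ctrl: List[Optional[int]], n_r: int = N_R) -> List[int]:
    """Receiver re-derives k_2..k_n from k_1 and the C_m list, i.e. from the data
    of one server connection, without contacting the server again."""
    keys = [k1]
    for c_m in ctrl[1:]:
        k_m, _ = receiver_d2(keys[-1], c_m, n_r)
        keys.append(k_m)
    return keys


def measure_average_tc(k1: int, n: int, n_r: int = N_R) -> float:
    """Average wall-clock time per D2 execution (the TC_{i,m} of the page)."""
    keys, ctrl = build_sequence(k1, n, n_r)
    start = time.perf_counter()
    derive_chain(keys[0], ctrl, n_r)
    return (time.perf_counter() - start) / (n - 1)


if __name__ == "__main__":
    k1 = secrets.randbelow(1 << N_K)            # operation 117: draw k_1 from E_k
    print("average TC per key (s):", measure_average_tc(k1, 5))
    print("expected candidates per key:", 2 ** (N_R - 1))
```

With N_R as the tuning knob, the server pays one hash pair per key while every receiver pays about 2^(N_R-1) pairs per key; choosing N_R so that the average TC exceeds 0.2·V is what keeps a receiver (or anyone holding an extracted k_{m-1} and C_m) from running ahead of the broadcast chain, which is the exposure-limiting property the abstract states.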
Step 116 is triggered early enough that, whatever the value of the index m, the key k_m is available in time for the scrambler 22 to scramble the cryptoperiod CP_m with the key k_m. In addition, step 116 is triggered here sufficiently early that, at each instant t_m, table 112 already contains at least the keys k_m to k_{m+L_max} and the associated control information C_m to C_{m+L_max}. The number L_max is an integer greater than or equal to one, pre-stored in the memory 110. The number L_max is the maximum size of the sequence SR_m.
In parallel with step 116 or after it, during step 120, the device 6 divides the multimedia content into successive cryptoperiods, scrambles each cryptoperiod CP_m using the corresponding key k_m, and then transmits the scrambled cryptoperiod. The ECM_m message containing the identifier Id_m of the key k_m is multiplexed with the corresponding cryptoperiod of the transmitted multimedia content. This multiplexing allows the transmission of each identifier Id_m to be synchronized with the transmission of the cryptoperiod CP_m of the multimedia content. Here, the identifier Id_m is transmitted to the receivers only during the cryptoperiod CP_{m-1} preceding the cryptoperiod CP_m. In the case of the first cryptoperiod CP_1, the identifier Id_1 is transmitted to the receivers during the time interval [t_0; t_1[ immediately preceding the first cryptoperiod CP_1. The duration of the interval [t_0; t_1[ is, for example, equal to the duration V of a cryptoperiod.
The scrambled multimedia content is received substantially synchronously by each of the receivers of the system 2. Thus, for each of these receivers, the following steps are performed substantially in parallel. The following steps are explained for the particular case of the receiver 10.
In step 122, the receiving module 70 receives the audiovisual signal containing the scrambled multimedia content and the ECM_m messages.
Next, in step 124, the demultiplexer 72 extracts the scrambled key validity periods CP_m and the ECM_m messages from the received signal as it is received. The demultiplexer 72 transmits the scrambled key validity period CP_m to the descrambler 74. The extracted ECM_m message is transmitted to the processor 76.
At least in response to each first receipt of an ECM_m message, and at the latest a predetermined duration d before the time t_m, in step 126 the processor 76 verifies whether it has already obtained the key k_{i,m}. To this end, it searches the table 79 to determine whether the table already contains the key k_m corresponding to the identifier Id_m contained in the received ECM_m message. The duration d is set by the operator of the system 2 to be slightly greater than the time the receiver needs to obtain the key k_{i,m} from the server 106.
If so, in step 128 the processor 76 transmits the key k_m found in the table 79 to the descrambler 74. No connection is then established with the server 106 to obtain the key k_m.
Next, in step 130, the descrambler 74 descrambles the received key validity period CP_m using the key k_m.
Next, in step 132, the descrambled key validity period CP_m is decoded by the decoder 80 and then transmitted to the video card 82.
Finally, in step 134, the video card 82 converts the descrambled and decoded key validity period CP_m into a video signal. Here, the video signal is then transmitted to the display device 84.
In response, the device 84 displays the key validity period CP_m of the multimedia content on the screen 86 in a form that can be directly perceived and understood by a person.
If, in step 126, the key k_m corresponding to the identifier Id_m is not contained in the table 79, the method continues with step 140 instead of proceeding directly to step 128.
In step 140, the processor 76 establishes a secure connection with the server 106 and transmits over this connection a request to receive the information required to obtain the key k_m. For example, the request contains, among other things, the identifier Id_m of the key k_m.
The request is transmitted to the server 106 via the transceiver 88 and the network 92. All exchanges between the processor 76 and the server 106 take place through a secure tunnel established over the network 92. Establishing the tunnel requires the server 106 to authenticate and identify the receiver, for example using cryptographic certificates contained in the memory 78. The server 106 therefore knows the identifier Id_T of the receiver that sent the request.
Since the table 79 of each receiver is initially empty, step 140 is performed systematically by every receiver during the time interval [t_0; t_1[ immediately preceding the first key validity period CP_1 of the multimedia content to be descrambled. Thereafter, step 140 is performed each time the table 79 does not contain the key k_m required to descramble a key validity period CP_m.
Receipt of the request informs the server 106 that the receiver did not have the key k_{i,m} before the time t_{i,m}. In response, in step 142, the server 106 updates a counter C_nbc of connections per unit time. For example, the server 106 counts the number of connections (including the current one) established between all the receivers of the system 2 and itself during a sliding window of duration ΔT. Here, the server 106 counts only the connections during which the information necessary to obtain a key k_m is requested.
Next, in step 144, the server 106 obtains the value of an integer L. The number L adjusts the number of key validity periods that elapse between this connection of the receiver 10 to the server 106 and the next connection that the receiver 10 will necessarily have to make to the server 106. More precisely, the number L sets the maximum number of subsequent keys that the receiver 10 can derive from the key k_m without reconnecting to the server 106. The number L thus sets the size of the sequence SR_m of keys k_m to k_{m+L-1} that the receiver 10 can obtain solely from the information contained in the response to its request.
Here, the number L is set so as to distribute the connections of the receivers to the server 106 as evenly as possible over time. To this end, on the first connection of the receiver 10 (that is, the connection established to obtain the key k_1), the server 106 selects a first value of the number L that differs from the values selected for the other receivers of the system 2. For example, the server 106 draws the first value at random from the interval [2; L_max]. In another example, the server 106 draws the first values at random, in turn, from the subintervals forming a partition of the interval [2; L_max]. Then, during the subsequent connections of the receiver 10, the server 106 uses a second value of the number L that is the same and constant for all the receivers of the system 2. The subsequent connections are those made to obtain a key k_m whose index m is strictly greater than one. The second value of the number L is pre-stored in the memory 110, for example during the phase 114. The second value of the number L also lies between 2 and L_max.
In step 146, in response to the request of the receiver 10, the server 106 transmits to the processor 76, via the connection established in step 140, the information necessary for the receiver 10 to obtain the sequence SR_m of keys without establishing a further connection with the server 106. In other words, during the connection, the server 106 transmits to the receiver 10 all the information it needs to obtain the keys k_{1,m} to k_{L,m}. To this end, in this embodiment, during this connection the server 106 transmits and the receiver 10 receives the following information:
- the current value of the parameter PC_p;
- the key k_{1,m}; and
- the control information C_{2,m} to C_{L,m}.
Once this information has been transmitted, the connection between the server 106 and the receiver 10 is interrupted. The connection is thus interrupted before the start time t_m of the key validity period CP_m.
Next, in step 148, the processor 76 stores the received key k_{1,m} in the table 79, and the method then returns to step 128. Thus, the key k_{1,m} is transmitted to the descrambler 74 before the time t_m, so that the key validity period CP_m can be correctly descrambled in time.
In parallel, in step 150, the processor 76 immediately triggers the process of obtaining the following keys k_{2,m} to k_{L,m} from the information received in response to its request. Step 150 is triggered systematically after receipt of the key k_{1,m}. In particular, the triggering of step 150 is independent of the operating state of the networks 92 and 8.
To this end, in step 150 the processor 76 executes a key derivation algorithm D2. Algorithm D2 obtains the following key k_{i,m} from the previous key k_{i-1,m} and, here, also from the parameter PC_p and from the control information C_{i,m}. Thus, algorithm D2 is executed a first time to obtain the key k_{2,m} from the received key k_{1,m}, then a second time to obtain the key k_{3,m} from the key k_{2,m}, and so on until the key k_{L,m} is obtained from the key k_{L-1,m}.
Here, each time the processor 76 executes algorithm D2, it performs the following operations to obtain the key k_{i,m}:
1) the processor 76 draws a random number R from the set E_R, then
2) the processor 76 computes a candidate key k_cd using the relation k_cd = F_1(R // k_{i-1,m}), then
3) the processor 76 computes control information C_cd using the relation C_cd = H_1(k_cd), then
4) the processor 76 compares the control information C_cd with the control information C_{i,m} received in step 146, then
5) if the control information C_cd and C_{i,m} are identical, the key k_cd is equal to the key k_{i,m}, and the key k_{i,m} is thus obtained. The key k_{i,m} is then stored in the table 79 and the execution of algorithm D2 ends. Otherwise, the processor 76 returns to operation 1). Operations 1) to 5) are thus repeated cyclically until the key k_{i,m} is obtained, or until the processor 76 performs step 126 to determine whether the key k_{i,m} has been obtained and then carries out step 140 to obtain it from the server 106. In the latter case, the receiver has not obtained the key k_{i,m} at least during the duration d preceding the time t_m, and step 150 is interrupted before the key has been obtained by executing algorithm D2.
The functions F_1, H_1 and // implemented by the processor 76 are the same as those implemented by the generator 108 to construct the sequence SE_p.
The set E_R is determined by the processor 76 from the parameter PC_p, which is received at the same time as the key k_{1,m} and the control information C_{i,m}.
The average execution time TC_{i,m} of algorithm D2 depends on the size C_a of the set E_R. Indeed, the larger the size C_a of the set E_R, the larger the average number of random draws performed before the number R_m that yields a key equal to the key k_{i,m} is drawn. Here, this average number of random draws is equal to C_a/2. The average time TC_{i,m} needed to obtain a key k_{i,m} is thus given by the relation TC_{i,m} = (C_a/2)·t_{1-5}, where t_{1-5} is the time the processor 76 needs to perform operations 1) to 5) once.
After step 146, for example in parallel with step 148, in step 160 the server 106 compares the updated counter C_nbc with predetermined thresholds S_nbc-h and S_nbc-i stored in the memory 110. The threshold S_nbc-h is equal to or strictly greater than the number of connections per unit time that can be expected if every receiver is able to compute the keys k_{2,m} to k_{L,m} in time and therefore, except for the first time, reconnects to the server 106 only after having obtained the last key k_{L,m} of the key sequence SR_m by executing algorithm D2. The threshold S_nbc-h is thus equal to or greater than N_rec/(L·V), where:
- N_rec is the total number of receivers of the system 2 connected to the server 106;
- the symbol "·" denotes multiplication.
The threshold S_nbc-h must also be small enough to allow the value of the parameter PC_p to be adjusted before the counter C_nbc becomes much larger than N_rec/(L·V). For example, the threshold S_nbc-h is less than 2N_rec/(L·V) or, alternatively, less than 1.5N_rec/(L·V).
If the counter C_nbc is greater than the threshold S_nbc-h, this means that too many receivers are unable to finish computing the key k_{i,m} before the time t_{i,m}. As a result, the number of connections established with the server 106 is much larger than initially planned. In response, in step 162 the server 106 changes the parameter PC_p so that the receivers can compute the keys k_{i,m} more quickly thereafter. In this embodiment, the parameter PC_p is reduced for this purpose, which reduces the size C_a of the set E_R. The method then returns to step 116 to generate the subsequent keys of the sequence SE_p taking the new value of the parameter PC_p into account.
If the counter C_nbc falls below the threshold S_nbc-i, this means that too few receivers are unable to finish computing the key k_{i,m} before the time t_{i,m}. This generally corresponds to an average time TC_{i,m} that is too small with respect to the duration V. The threshold S_nbc-i is strictly less than the threshold S_nbc-h and generally close to the limit N_rec/(L·V). For example, the threshold S_nbc-i belongs to the interval [N_rec/(L·V); 1.3N_rec/(L·V)] or to the interval [N_rec/(L·V); 1.1N_rec/(L·V)]. In this case, in response, in step 164 the server 106 changes the parameter PC_p so as to increase the average time TC_{i,m} needed to compute the keys k_{i,m}, and then returns to steps 116 and 120. For this purpose, the parameter PC_p is increased, which increases the size C_a of the set E_R.
If the counter C_nbc lies between the thresholds S_nbc-i and S_nbc-h, the server 106 leaves the current value of the parameter PC_p unchanged.
The setting of the various parameters mentioned above during the phase 114 will now be described.
The pre-stored second value of the number L is set, for example, from a target number N_cn of connections per second to the server 106. The number N_cn is chosen by the designer of the system 2. To this end, in this particular embodiment in which the duration V of the validity interval is the same for every key k_m, the second value of the number L is determined using the relation L = N_rec/(N_cn·V).
The parameter PC_p is set so that the expected average time TC_{i,m} of executing algorithm D2 before the receiver obtains the key k_m is greater than 0.2V_{i-1,m}, or 0.5V_{i-1,m}, or 0.9V_{i-1,m}, where V_{i-1,m} is the duration of the key validity period CP_{i-1,m}.
For example, the parameter PC_p is designed so that, whatever the value of the index i from 2 to L, each average time TC_{i,m} satisfies the following conditions (1) to (3):
[conditions (1) to (3): given as an equation image in the original, not reproduced here]
In this case, whatever the value of the index i greater than or equal to two, the key k_{i,m} cannot be obtained before the time t_{i-1,m}. Thus, the key k_{L,m} is exposed to attack attempts at most during the interval [t_{L-1,m}; t_{L,m}[. The interval [t_{L-1,m}; t_{L,m}[ is much shorter than the interval [t_{1,m}; t_{L,m}[. The interval [t_{1,m}; t_{L,m}[ corresponds to the time interval during which the key k_{L,m} is exposed to attack attempts in known methods, such as those in which the key k_{L,m} is transmitted to the receiver at the same time as the key k_{1,m}, as in patent application EP 2567500.
In the particular embodiment in which the key validity periods CP_m are all equal to V and in which all the average times TC_{i,m} are forced to be equal to a constant TC, conditions (1) to (3) are satisfied, for example, by selecting the parameter PC_p so that the average time TC lies between (L-1)V/L and V.
Here, the initial value of the parameter PC_p is selected by determining the maximum number N_R that satisfies the condition t_{1-5}·C_a/2 ≤ V, where:
- t_{1-5} is the time the receiver takes to perform operations 1) to 5) of step 150,
- C_a is the number of elements of the set E_R, and C_a is equal to 2^{N_R}, and
- V is the duration of each validity interval of the keys k_m.
For example, the time t_{1-5} is measured experimentally on a receiver during the phase 114. The duration V is set and known.
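The random key computation of step 150 (operations 1) to 5)) together with the phase 114 parameter choices, as an added example that is not the patent's or Viaccess's own code: F_1 and H_1 are instantiated as SHA-256, // as byte concatenation, R as an N_R-bit integer, and the timing and threshold figures are constructed, all of which are assumptions.

```python
"""Added example, not the patent's own code: random key computation D1/D2
(step 150, operations 1 to 5) with the sizes chosen as in phase 114.

Assumptions not stated in the text: F1 and H1 are instantiated as SHA-256
with distinct prefixes, "//" is byte concatenation, and R is encoded as an
N_R-bit big-endian integer. All numeric inputs below are constructed."""
import hashlib
import math
import secrets
from typing import List, Optional, Tuple


def F1(data: bytes) -> bytes:
    """Function F1 of the text (assumption: SHA-256 with a domain prefix)."""
    return hashlib.sha256(b"F1" + data).digest()


def H1(key: bytes) -> bytes:
    """One-way function H1 giving the control information (assumption: SHA-256)."""
    return hashlib.sha256(b"H1" + key).digest()


def encode_R(R: int, n_r: int) -> bytes:
    """R drawn from E_R = {0, ..., 2^N_R - 1}, encoded big-endian (assumption)."""
    return R.to_bytes((n_r + 7) // 8, "big")


def d1_generate(k_prev: bytes, n_r: int) -> Tuple[bytes, bytes]:
    """Algorithm D1 (generator 108): k_m = F1(R // k_{m-1}), C_m = H1(k_m)."""
    R = secrets.randbelow(1 << n_r)
    k_m = F1(encode_R(R, n_r) + k_prev)
    return k_m, H1(k_m)


def d2_derive(k_prev: bytes, C_im: bytes, n_r: int, max_trials: int) -> Optional[bytes]:
    """Algorithm D2 (processor 76). Returns None when the trial budget is
    exhausted: the receiver reaches step 126 without the key and must fall
    back to step 140 (a connection to the server)."""
    for _ in range(max_trials):
        R = secrets.randbelow(1 << n_r)          # 1) draw R from E_R
        k_cd = F1(encode_R(R, n_r) + k_prev)     # 2) candidate key
        C_cd = H1(k_cd)                          # 3) candidate control information
        if C_cd == C_im:                         # 4) compare with C_{i,m}
            return k_cd                          # 5) match: k_cd is k_{i,m}
    return None


def server_sequence(k_1m: bytes, L: int, n_r: int) -> Tuple[List[bytes], List[bytes]]:
    """Keys k_{1,m}..k_{L,m} of SR_m and the control information C_{2,m}..C_{L,m}
    sent in step 146 (k_{1,m} itself travels over the secure tunnel)."""
    keys, controls = [k_1m], []
    for _ in range(2, L + 1):
        k, C = d1_generate(keys[-1], n_r)
        keys.append(k)
        controls.append(C)
    return keys, controls


def receiver_sequence(k_1m: bytes, controls: List[bytes], n_r: int,
                      max_trials: int) -> Optional[List[bytes]]:
    """Step 150: derive k_{2,m}..k_{L,m} one after the other from k_{1,m}."""
    keys = [k_1m]
    for C_im in controls:
        k = d2_derive(keys[-1], C_im, n_r, max_trials)
        if k is None:
            return None
        keys.append(k)
    return keys


def average_time(n_r: int, t15: float) -> float:
    """TC_{i,m} = (C_a / 2) * t_{1-5}, with C_a = 2^N_R."""
    return (2 ** n_r / 2) * t15


def choose_n_r(t15: float, V: float) -> int:
    """Phase 114: largest N_R such that t_{1-5} * 2^N_R / 2 <= V."""
    return int(math.floor(math.log2(2 * V / t15)))


def choose_L(n_rec: int, n_cn: float, V: float) -> int:
    """Phase 114: second value of L from L = N_rec / (N_cn * V), at least 2."""
    return max(2, int(n_rec / (n_cn * V)))


def adjust_n_r(n_r: int, c_nbc: float, n_rec: int, L: int, V: float,
               h_factor: float = 1.5, i_factor: float = 1.1) -> int:
    """Steps 160 to 164 with PC_p taken as N_R. S_nbc-h and S_nbc-i are the
    factors 1.5 and 1.1 times N_rec/(L*V) quoted in the text."""
    base = n_rec / (L * V)
    if c_nbc > h_factor * base:   # too many receivers miss t_{i,m}: shrink E_R
        return max(1, n_r - 1)
    if c_nbc < i_factor * base:   # TC_{i,m} too small versus V: grow E_R
        return n_r + 1
    return n_r
```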
Fig. 3 shows the same method as that of Fig. 2, except that steps 116 and 150 are replaced by steps 180 and 182, respectively. To simplify Fig. 3 and the following figures, only the modified steps are shown. Steps that are unmodified, and therefore not shown, are symbolized in these figures by dashed lines.
Steps 180 and 182 are identical to steps 116 and 150, respectively, except that algorithms D1 and D2 are replaced by algorithms D3 and D4, respectively.
Algorithm D3 is a deterministic key computation and no longer a random key computation. Unlike a random key computation, a deterministic key computation does not involve a random draw that could significantly change the average execution time TC_{i,m} of algorithm D4.
Algorithm D3, executed to generate a key k_m from the key k_{m-1}, consists in composing a one-way cryptographic function H_2 with itself Q_m - 1 times. The key k_m is therefore obtained using the relation k_m = H_2^{Q_m}(k_{m-1}), where:
- H_2 is a one-way cryptographic function;
- H_2^{Q_m} denotes the function H_2 composed with itself Q_m - 1 times.
In general, the function H_2 belongs to the group G_1 of functions defined above. Here, the function H_2 is a hash function. Composing the function H_2 with itself consists in applying the function H_2 a first time to the key k_{m-1} to obtain a first result H_2(k_{m-1}), then applying the function H_2 a second time to the first result H_2(k_{m-1}) to obtain a second result H_2^2(k_{m-1}) = H_2(H_2(k_{m-1})), and so on Q_m times. In this embodiment, the control information comprises the parameter Q_m.
The value of the parameter Q_m varies with the index m. For example, for each index m greater than or equal to two, the value of the parameter Q_m is drawn at random from a set E_Q of values close to V/t_182, where t_182 is the time the receiver takes to execute the function H_2 once. For example, the set E_Q is the set of integers contained in the interval [0.7V/t_182; 1.3V/t_182] or in the interval [0.9V/t_182; 1.1V/t_182]. In this case, the control information transmitted to the receiver 10 each time comprises the values of the parameters Q_{2,m} to Q_{L,m}. Thus, when the receiver 10 connects to the server 106 to obtain the sequence SR_m, it receives in response:
- the key k_{1,m};
- the control information Q_{2,m} to Q_{L,m}.
The set E_Q is much smaller than the set E_R. For example, the set E_Q contains 10^3 or 10^6 integers. Here, the size of the set E_Q is constant, whatever the value of the index m.
In this embodiment, the complexity parameter PC_p is the average value M_Q of the set E_Q and not the number of integers it contains. The average value M_Q is the average of the integers contained in the set E_Q, each of these integers being given the same weight. The larger the average value M_Q, the longer the time TC_{i,m} needed to compute the key k_{i,m} from the key k_{i-1,m}. In the phase 114, the set E_Q is constructed so that its average value is equal to V/t_182. In this embodiment, it is not necessary to transmit the value M_Q, and hence the complexity parameter PC_p, to the receiver.
Then, in steps 162 and 164, the set E_Q is modified so as to decrease its average value in step 162 and, conversely, to increase its average value in step 164. For example, to increase the average value of the set E_Q by ε, the integer ε is added to each of the integers of the set E_Q.
In step 182, the algorithm D4 executed by the receiver to obtain the key k_{i,m} from the key k_{i-1,m} is the same as algorithm D3, except that the parameter Q_{i,m} is obtained from the received control information. In other words, in step 182 the receiver 10 obtains the key k_{i,m} using the relation k_{i,m} = H_2^{Q_{i,m}}(k_{i-1,m}).
Fig. 4 shows the same method as that of Fig. 3, except that steps 180 and 182 are replaced by steps 190 and 192, respectively. Steps 190 and 192 are the same as steps 180 and 182, except that the generator 108 uses a function H_G5 and the receiver 10 uses, on its side, a function H_D6, instead of both using the same function H_2, to obtain the key k_m. Thus, the generator 108 computes the following key k_m using the relation k_m = H_G5^{Q_m}(k_{m-1}).
The processor 76 computes k_{i,m} using the relation k_{i,m} = H_D6^{Q_{i,m}}(k_{i-1,m}). The function H_G5 is designed to compute the key k_m from the key k_{m-1} much faster than the function H_D6. For this purpose, a one-way cryptographic function with a trapdoor is used as H_D6, such as the one-way functions used to implement asymmetric encryption. The operating principle of such a trapdoor one-way function is well known. For example, the principle is the same as that used in the asymmetric cryptographic algorithm known as RSA (Rivest-Shamir-Adleman). In what follows, therefore, only one detailed example of such a function is explained, since a person skilled in the art can derive other possible embodiments from this example without difficulty.
For example, here the generator 108 computes the key k_m using the function H_G5 defined by the relation k_m = (k_{m-1}^(e^{Q_m} [(P-1)(Q-1)]))[N], where:
- (A^B)[C] denotes a modular exponentiation, that is, the number A raised to the power B, modulo the number C;
- P and Q are large prime numbers, that is, primes whose binary representation comprises at least 500 or 1000 bits, and they are moreover different from each other;
- N is equal to the product of the numbers P and Q;
- e is an integer coprime to the product (P-1)(Q-1), greater than 1 and not lying between a·(P-1)(Q-1) and a·(P-1)(Q-1) + 2^s, where "a" is a non-zero natural number and s is a natural number, generally equal to or greater than 80, called the security parameter.
The processor 76 computes the key k_{i,m} using the function H_D6 defined by the relation H_D6(x) = (x^e)[N], that is, k_{i,m} = H_D6^{Q_{i,m}}(k_{i-1,m}) is obtained by applying the modular exponentiation x → (x^e)[N] Q_{i,m} times in succession, starting from k_{i-1,m}.
The numbers P and Q are known only to the generator 108 and correspond, for example, to its private key. The numbers N and e are known to the generator 108 and to the receiver 10 and then correspond to the public key of the generator 108. Since it knows the numbers P and Q, the generator 108 is able to compute the key k_m from the key k_{m-1} by performing only two modular exponentiations, whereas the processor 76 must perform Q_{i,m} modular exponentiations to obtain the same key.
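The hash iteration of Fig. 3 and the trapdoor pair H_G5/H_D6 of Fig. 4 side by side, as an added example that is not the patent's or Viaccess's own code: H_2 is instantiated as SHA-256 and P, Q and e are small constructed values, both assumptions; the generator's two modular exponentiations and the receiver's Q_{i,m} exponentiations give the same key.

```python
"""Added example, not the patent's own code: the deterministic computation
k_m = H_2^{Q_m}(k_{m-1}) of Fig. 3 and the trapdoor pair H_G5 / H_D6 of Fig. 4.

Assumptions not stated in the text: H_2 is SHA-256; the keys of Fig. 4 are
integers modulo N; P and Q are small constructed primes so that the demo runs
instantly (the text calls for at least 500 or 1000 bits)."""
import hashlib
import math
import random
from typing import List

# Constructed RSA-style parameters: far too small for real use.
P_DEMO = 104729
Q_DEMO = 1299709
N_DEMO = P_DEMO * Q_DEMO
PHI_DEMO = (P_DEMO - 1) * (Q_DEMO - 1)
E_DEMO = 65537
assert math.gcd(E_DEMO, PHI_DEMO) == 1   # e must be coprime to (P-1)(Q-1)


def h2(k: bytes) -> bytes:
    """Function H_2 of Fig. 3 (assumption: SHA-256)."""
    return hashlib.sha256(k).digest()


def hash_chain(k_prev: bytes, q_m: int) -> bytes:
    """Algorithms D3 and D4: H_2 applied q_m times, i.e. composed with itself
    q_m - 1 times. Generator and receiver do the same work; there is no shortcut."""
    k = k_prev
    for _ in range(q_m):
        k = h2(k)
    return k


def draw_q(V: float, t182: float, spread: float = 0.1) -> int:
    """Q_m drawn from E_Q, the integers in [(1-spread)V/t_182 ; (1+spread)V/t_182]."""
    lo = math.ceil((1 - spread) * V / t182)
    hi = math.floor((1 + spread) * V / t182)
    return random.randint(lo, hi)


def h_g5(k_prev: int, q_m: int, e: int = E_DEMO, phi: int = PHI_DEMO,
         n: int = N_DEMO) -> int:
    """Generator 108 (Fig. 4): k_m = (k_{m-1} ^ (e^{Q_m} [(P-1)(Q-1)])) [N].
    Two modular exponentiations whatever Q_m, because phi = (P-1)(Q-1) is known."""
    reduced_exponent = pow(e, q_m, phi)
    return pow(k_prev, reduced_exponent, n)


def h_d6(k_prev: int, q_im: int, e: int = E_DEMO, n: int = N_DEMO) -> int:
    """Processor 76 (Fig. 4): x -> (x^e)[N] applied Q_{i,m} times in succession.
    Without P and Q the receiver cannot reduce the exponent and pays Q_{i,m} steps."""
    k = k_prev
    for _ in range(q_im):
        k = pow(k, e, n)
    return k


def generator_sequence(k_1m: int, qs: List[int]) -> List[int]:
    """Keys k_{1,m}..k_{L,m} as the generator computes them (fast path)."""
    keys = [k_1m]
    for q in qs:
        keys.append(h_g5(keys[-1], q))
    return keys


def receiver_sequence(k_1m: int, qs: List[int]) -> List[int]:
    """Step 192: the receiver recomputes the same keys from k_{1,m} and Q_{2,m}..Q_{L,m}."""
    keys = [k_1m]
    for q in qs:
        keys.append(h_d6(keys[-1], q))
    return keys
```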
Chapter 4: Variants
Chapter 4.1: Variants of the method
Alternatively, the control information may be omitted. For example, in the case of a deterministic computation of the key k_{i,m}, if the number Q_{i,m} of times the function H_2 must be executed to construct the key k_{i,m} from the key k_{i-1,m} is a constant known to all the receivers, the server 106 does not need to transmit this control information to the receivers on every connection. In this particular case, the parameter PC_p is also a constant. Thus, the server 106 transmits only the key k_{1,m} to the receiver, and the receiver derives the keys k_{2,m} to k_{L,m} from the key k_{1,m} without receiving any other information from the server 106.
The number N of keys of the sequence SE_p may be 10, 100 or 1000 times greater than the number L_max.
At any given time t_{p+1}, the generator 108 may stop using the sequence SE_p, including before the key k_N has been used to scramble the key validity period CP_N. From the time t_{p+1}, the generator starts using another key sequence SE_{p+1}. In this case, preferably, before the time t_{p+1}, the server 106 transmits to the receivers a signal indicating that another sequence SE_{p+1} will be used from that time. In response, each receiver immediately establishes a connection with the server 106 to receive the key k_{1,m} and the information required to derive the L following keys k_{i,m} of the new sequence SE_{p+1}.
The number N of keys of the sequence SE_p may also be smaller than the number of key validity periods of the multimedia content to be scrambled. In this case, after having generated the key k_N, the generator 108 starts generating another sequence SE_{p+1} of keys intended to scramble the key validity periods that follow the key validity period CP_N (for example CP_{N+1} to CP_{2N}, or CP_{N+1} to CP_{N+M}). The first key k_{N+1} of the sequence SE_{p+1} is generated independently of the sequence SE_p and, in particular, independently of the key k_N. If necessary, the numbers N and M must still be chosen to be greater than or equal to the number L_max.
The number N may also be indeterminate a priori. In this case, the generator 108 continuously generates new keys k_m for the sequence SE_p. In this case, the generator 108 preferably generates a new sequence SE_{p+1} in response to an external instruction to change the key sequence. For example, the instruction to replace the key sequence is sent when a successful cryptanalysis of the sequence SE_p, or an attempt at one, is detected. A successful cryptanalysis of the key derivation algorithm can be detected, for example, from the fact that an increasing number of receivers no longer need to connect to the server 106 every L·V seconds to descramble the multimedia content correctly.
As a variant, in step 142 the server 106 updates the counter C_nbc only if the key last obtained by the receiver is not the last key of the current key sequence, that is, only if the current connection is not an expected one.
In a simplified embodiment, the number L is not adjusted to distribute the connections of the receivers to the server 106 more evenly over time. In this case, the number L is, for example, a predetermined constant that is the same for all the receivers.
As a variant, in order to limit the amount of information that the server 106 transmits to the receiver 10 during each connection, the parameter Q_m is independent of the index m and is simply denoted Q. In this case, the numbers L and N may be chosen to be equal. The generator then systematically replaces the sequence SE_p after having generated the L keys.
Alternatively, step 160 is not performed systematically after step 146. For example, step 160 is performed periodically with a predetermined period, expressed for example as a number of executions of step 146 or as a duration. When step 160 is not performed after step 146, steps 162 and 164 are also omitted and the server 106 leaves the current value of the parameter PC_p unchanged.
Other methods for setting the value of the parameter PC_p are possible. For example, the setting of the value of the parameter PC_p may be triggered otherwise than by comparing the value of the counter C_nbc with the thresholds S_nbc-h and S_nbc-i. For example, the time TC_{i,m} taken by the processor 76 to execute the derivation algorithm may be measured, for example by the processor 76 itself, and then transmitted to the server 106. In response, the server 106 compares the measured execution time with the duration V. If the measured execution time is less than the duration V, the value of the complexity parameter PC_p is increased. In the opposite case, the value is decreased.
In another example, in response to receiving the times TC_{i,m} measured by the processors 76, the server 106 computes an average execution time of the derivation algorithm and then compares this average execution time with the duration V. If the average execution time is less than the duration V, the value of the complexity parameter PC_p is increased. In the opposite case, the value is decreased. In this example, the server 106 computes the average execution time of the derivation algorithm over all the receivers or, for example, over a sample of a set number of receivers, for example composed at random. In this example, alternatively or in addition, the server 106 computes the average execution time of the derivation algorithm over a sliding time window of predetermined size (for example of the order of one minute, ten minutes, one hour or ten hours).
As a variant, the complexity of the derivation algorithm is not adjustable. In this case, the value of the parameter PC_p is selected, for example during the phase 114, as described above. Then, during the execution of the method of Fig. 2, the parameter PC_p can no longer be changed. In this embodiment, steps 142, 160, 162 and 164 are omitted.
The parameter PC_p may be set so that the average time TC_{i,m} is greater than the duration V. In the case of the embodiment of Fig. 2, this results in only a subset PP of receivers (of a size smaller than that of the subset PP obtained with the adjustment of the parameter PC_p described above) randomly drawing the number R that allows the key k_{i,m} to be obtained in time (that is, before the time t_{i,m}). The receivers not belonging to this subset PP have to connect to the server 106 to obtain the key k_{i,m}. However, this setting still reduces the number of receivers connecting to the server 106 per key validity period, while increasing the security of the system.
As a variant, the connection between the server 106 and the receiver 10 is not interrupted after the server has transmitted the information required to construct the sequence SR_m.
Chapter 4.2: Variants of the key derivation algorithm
Functions other than those described above may be used. For example, the function F_1 is not necessarily a one-way function. It can be as simple as the identity function. In that case, however, the function H_1 is different from the function F_1 and is still a one-way function.
Other deterministic key computations are possible. For example, algorithm D3 may be replaced by another algorithm in which the key k_m is computed using the relation k_m = H_3^Q(f(k_{m-1}, D_m)), where:
- D_m is a datum from a set E_D containing integers whose binary representation is at most 18 bits or 10 bits long;
- f is a simple function, such as the addition or multiplication of k_{m-1} and D_m;
- H_3 is a function of the aforementioned group G_1, preferably a hash function; and
- Q is a complexity parameter.
In this embodiment, the control information contains the datum D_m and the parameter Q. The number of bits needed to encode the datum D_m is preferably at least twice as small as the number of bits needed to encode the parameter Q_m defined in the example of Fig. 3. Thus, in this variant, the bandwidth required to transmit the control information to the receiver 10 is reduced.
Other embodiments of the derivation algorithm are possible. For example, the number R is initialized to 0 and then incremented by 1 at each iteration of operations 1) to 5) of step 150, rather than being drawn at random from the set E_R each time.
Chapter 4.3: other variations:
here, the method for obtaining the key sequence is explained in the specific case where the generated and received keys are control words directly used for encrypting and decrypting multimedia content. However, these methods may be used to obtain keys other than control words. For example, the generated and received key may be a session key used to encrypt and decrypt control words transmitted to the receiver. In this case, the session key is typically replaced at a frequency 10, 100, 1000, or 10000 times less than the frequency of replacing the control word. For example, the validity interval of the session key may have a duration of greater than one minute, one hour, or 24 hours. In this case, the complexity parameter PC is adjustedpTo correspond to such a duration of the validity interval.
The method for obtaining a key sequence described herein may also be used to obtain a key sequence for encrypting and decrypting digital content other than multimedia content. For example, the obtained key sequence may be used to encrypt or decrypt a digital document, such as a text file, or any data exchanged over a communication channel.
What has been described herein also applies to systems other than conditional access systems. For example, what has been described herein applies to any system in which key sequences, each associated with a validity interval, are used. For example, the teachings presented herein are transferred without particular difficulty to Digital Rights Management systems known by the acronym DRM ("Digital Rights Management"). In these DRM systems, each key of the sequence is obtained from the license. The license typically contains a validity interval for the key.
At key ki,mWhat has just been described in the specific case of a decryption key may also be applied to key ki,mFor encrypting the digital content rather than for decrypting the digital content. More generally, what has been described herein may also be used to obtain information for other purposes (such as authenticity verification)Integrity verification of the digital data, initialization of the pseudo-random generator, and others).
As a variant, the duration V of the validity intervali,mNot constant. In this case, time TCi,mE.g. different for obtaining each key ki,m. By using, for example, the control information QmTo set the time TCi,m. In this case, normally, the control information QmIs selected such that the time TCi,mIs 0.5Vi-1,mTo Vi-1,mPreferably 0.9Vi-1,mTo Vi-1,m. Preferably, the control information QmChosen such that the execution time is such that no matter which interval belongs to [ 2; l is]Is what is i, time TCi,mThe above conditions (1) to (3) are satisfied. When these conditions are met, the interval t can be reached by the receiver at the earliest timei-1,m;ti,m[ in obtaining the secret key ki,m. Thus, the key ki,mMay be only for a duration of Vi-1,mInterval of [ t ]i-1,m;ti,mThe interval is attacked.
As a modification, the above condition (2) is omitted.
In another variant, the execution of the derivation algorithm is distributed over a group of M receivers that can securely exchange information with each other. The number M is greater than or equal to two and preferably greater than or equal to 100 or 1000. For example, the receivers of the same group are connected to each other via a public or private network. Receivers belonging to one receiver group do not belong to another receiver group. The exchange of information between the receivers of the group is encrypted, for example by using a key known only to the receivers of that group. For example, in the case where the derivation algorithm is a random key calculation, the set E_R is divided into M disjoint subsets of the same size. Each of these subsets is assigned to a respective receiver of the group. On receiving the key k_{1,m}, each receiver of the group tries to calculate k_{2,m} as described above, but by selecting the number R only from the subset assigned to it. The first receiver of the group to obtain the key k_{2,m} then transmits this key to the other receivers of the same group. Once the key k_{2,m} has been distributed to all the receivers of the same group, these receivers stop trying to obtain the key k_{2,m} and start executing the derivation algorithm, in the same way as described above for the key k_{2,m}, to obtain the key k_{3,m}.
The receiver group thus executes the derivation algorithm in a time TC_{i,m} equal to TCr_{i,m}/M, where TCr_{i,m} is the average time taken to execute the same derivation algorithm by a single receiver of the group, which therefore has to select the number R from the entire set E_R instead of from a subset only. This variant therefore allows the size of the set E_R to be increased, and thus the security of the method to be increased.
In case the derivation algorithm is a deterministic key calculation, the execution of the derivation algorithm may also be distributed between each receiver of the group to benefit from the computational power of all processors 76 of these receivers. Distributing algorithm execution among different microprocessors so that portions of the algorithm are executed by each of the microprocessors in parallel is well known and will not be described in detail herein. Distributing the execution of the derivation algorithm over all receivers of the group, as in the case of a random key derivation algorithm, allows for increased security, since it makes obtaining the key more complicated. In particular, this increases the computational power required to be able to perform the derivation algorithm fast enough by illegal receivers.
If the length of time TA_1 required to illegally distribute and recover the key k_{i,m} just received by the receiver 10 is known, the complexity parameter PC_P can be adjusted so that the time TC_{i,m} lies only in the interval [V - TA_1; V].
If the length of time TA_2 required to illegally distribute and recover the key k_{1,m} received by the receiver 10 is known, and the derivation algorithm is known to the illegitimate receiver, the complexity parameter can be adjusted so that the time TC_{i,m} satisfies only the following condition: TA_2 + (L-1)TC_{i,m} ≥ (L-1)V.
Chapter 4: Advantages of the described embodiments
In the method, the receiver can only obtain the key k_{i,m} after it has completed the calculation of the key k_{i-1,m}. Therefore, the receiver must compute the keys k_{i,m} in order of increasing index i. In addition, the average time TC_{i,m} to calculate a key k_{i,m} is long, i.e. here greater than or equal to 0.2V_{i-1,m}. Thus, although all the information required to obtain the keys k_{1,m} to k_{L,m} is received before the time t_{1,m}, the keys k_{2,m} to k_{L,m} can only be obtained long after this time t_{1,m}. For example, the key k_{L,m} is only obtained after the time t_R + TC_{2,m} + TC_{3,m} + ... + TC_{L,m}, where t_R is the time at which the message containing all the information required to obtain the keys k_{1,m} to k_{L,m} is received. By contrast, in a known method such as that described in patent application EP2567500, the key k_{L,m} is obtained at the instant t_R. In other words, the method described herein delays the obtaining of the key k_{L,m} by TC_{1,m} + ... + TC_{L,m}. Since the key k_{L,m} is obtained later in the receiver than in the known receiver, the time available to attack the key k_{L,m} before the time t_{L,m} is shorter than in the known method, which improves the security of the method.
Furthermore, as in the method of EP2567500, in order to obtain the sequence SR_m the receiver only needs a single connection to the key server 106. Thus, the method also allows the number of connections or information exchanges between the server 106 and each of the receivers to be reduced. Finally, the method may be applied without having to determine the security level associated with each of the receivers.
The fact that the value of the parameter PC_P is dynamically adjusted according to the information indicating that the key k_{i,m} could not be obtained before the time t_{i,m} allows the method to adapt automatically to the actual performance of the receivers.
Using different values of the number L for different receivers or groups of receivers thus allows a better distribution of different connections to the server 106 in time.
The fact that the execution of the derivation algorithm is distributed over a plurality of receivers allows the security of the method against collusion attacks to be improved. In fact, in order to obtain the sequence SR_m more quickly, an attacker may attempt to distribute the execution of the derivation algorithm over multiple illegitimate receivers. However, the number of legitimate receivers is generally much larger than the number of illegitimate receivers. This therefore allows the parameter PC_P to be increased to take the detection of collusion attacks into account, so that such collusion attacks become more difficult to carry out successfully.
If the receiver fails to obtain the key k_{i,m} in time from the information received during the first connection, the fact that the receiver retains the ability to establish a second connection with the server 106 to obtain the key allows the claimed method to be implemented with receivers some of which are slower than others, or slower than the receivers expected to perform the derivation algorithm. This accommodates, if necessary, the diversity of the receivers and of their computational performance.
The fact that the derivation algorithm consists in repeating the same one-way function Q_{i,m} times allows an average time TC_{i,m} to be obtained that can be determined in advance and can therefore be included more reliably in the interval [V_{i-1,m}/2; V_{i-1,m}].
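To make the chained derivation of claim 9 and the timing reasoning of this chapter concrete, here is an added Python example; it is not code from the patent or from Viaccess. The patent does not name the one-way function, so SHA-256 is assumed; the calibration helper, the availability-time helper and the server-side complexity policy (claims 3 and 4, with constructed thresholds and a constructed 20 % step) are illustrative constructions.

```python
import hashlib
import time


# Assumption (the patent does not name the function): SHA-256 plays the role of
# the one-way function that the receiver repeats Q_{i,m} times.
def one_way(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def derive_next(prev_key: bytes, q: int) -> bytes:
    """Claim 9: start from k_{i-1,m}, apply the one-way function q times and
    take the final value as k_{i,m}. Nothing else is needed, so a receiver
    cannot start working on k_{i,m} before it holds k_{i-1,m}."""
    if q < 1:
        raise ValueError("Q_{i,m} must be at least 1")
    value = prev_key
    for _ in range(q):
        value = one_way(value)
    return value


def derive_sequence(k1: bytes, L: int, q: int) -> list:
    """Keys k_{1,m} ... k_{L,m}, each derived from its predecessor, i.e. in
    strictly increasing index order as the description requires."""
    keys = [k1]
    for _ in range(2, L + 1):
        keys.append(derive_next(keys[-1], q))
    return keys


def calibrate_q(target_seconds: float, sample_iterations: int = 20000) -> int:
    """Hypothetical server-side helper: measure one iteration on a reference
    receiver and pick Q so that TC_{i,m} lands near target_seconds (the
    description aims for 0.5*V_{i-1,m} .. V_{i-1,m})."""
    start = time.perf_counter()
    derive_next(b"\x00" * 32, sample_iterations)
    per_iteration = (time.perf_counter() - start) / sample_iterations
    return max(1, int(target_seconds / per_iteration))


def earliest_key_times(t_r: float, tc: list) -> list:
    """Earliest availability of k_{1,m} ... k_{L,m} at a receiver that got the
    first-connection message at t_r: t_r for k_{1,m}, then
    t_r + TC_{2,m} + ... + TC_{i,m} for k_{i,m}. tc holds TC_{2,m} .. TC_{L,m}."""
    times = [t_r]
    for tc_i in tc:
        times.append(times[-1] + tc_i)
    return times


class ComplexityPolicy:
    """Server side of claims 3 and 4: count, per unit time, the second
    connections from receivers that missed t_{i,m}. Above a high threshold
    the complexity parameter PC_p (here Q) is lowered so TC_{i,m} shrinks;
    below a low threshold it is raised. Thresholds and step are constructed."""

    def __init__(self, q: int, low: int, high: int, step: float = 0.8):
        self.q, self.low, self.high, self.step = q, low, high, step

    def end_of_window(self, late_connections: int) -> int:
        if late_connections > self.high:
            self.q = max(1, round(self.q * self.step))   # shorter TC_{i,m}
        elif late_connections < self.low:
            self.q = round(self.q / self.step)           # longer TC_{i,m}
        return self.q


if __name__ == "__main__":
    k1 = b"\x01" * 32                                    # constructed k_{1,m}
    q = calibrate_q(0.05)                                # aim for ~50 ms per key
    keys = derive_sequence(k1, L=4, q=q)
    print("Q =", q, "k_{4,m} =", keys[-1].hex())
    print("availability:", earliest_key_times(0.0, [0.05] * 3))
```

The point the example makes is the one the chapter states: every key is a pure function of its predecessor and of Q, so the cost is predictable on the server side and the receiver's earliest possible time for k_{L,m} is t_R plus the sum of the TC values; the policy object shows how a server would move Q in response to the "not obtained in time" signals of claim 2.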
The fact that the one-way function is a one-way cryptographic function with a trapdoor allows the time required to generate the sequence SE_p to be shortened.
The fact that the key derivation algorithm is a random key calculation allows the generator 108 to perform far fewer operations to calculate the key k_{i,m} than the receiver has to perform to calculate the same key.
Using a derivation algorithm that implements the random key calculation thus makes it possible to obtain an execution time for the derivation algorithm that is long on the receiver side and much shorter on the generator side.
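The following added Python example (not code from the patent or from Viaccess) shows the work asymmetry of the random key calculation just described, the receiver-side search of claim 11, and the group variant of the description in which the set E_R is split between M receivers. The patent leaves F, H and E_R unspecified, so the example assumes F is HMAC-SHA256 keyed with the previous key, H is SHA-256, and E_R is the integer range [0, space); all keys and numbers are constructed.

```python
import hashlib
import hmac


def f_candidate(prev_key: bytes, r: int) -> bytes:
    """k_cd = F(R // k_{i-1,m}); the concatenation is realised here as an HMAC
    of R under k_{i-1,m} (assumption, F is not fixed by the patent)."""
    return hmac.new(prev_key, r.to_bytes(8, "big"), hashlib.sha256).digest()


def control_info(key: bytes) -> bytes:
    """C = H(k): one-way function applied to the key (SHA-256 assumed)."""
    return hashlib.sha256(key).digest()


def generator_issue(prev_key: bytes, r: int) -> tuple:
    """Generator 108 side: it chose R, so k_{i,m} and C_{i,m} cost one F and
    one H evaluation. Only C_{i,m} goes into the first-connection message;
    neither k_{i,m} nor R is sent."""
    k = f_candidate(prev_key, r)
    return k, control_info(k)


def receiver_search(prev_key: bytes, c_target: bytes, candidates) -> tuple:
    """Claim 11, operations 1) to 5): try each R, recompute k_cd and C_cd and
    stop when C_cd matches C_{i,m}. Returns (key or None, candidates tried).
    The receiver's cost grows with |E_R|; the generator's does not."""
    tries = 0
    for r in candidates:
        tries += 1
        k_cd = f_candidate(prev_key, r)
        if hmac.compare_digest(control_info(k_cd), c_target):
            return k_cd, tries
    return None, tries


def partition(space: int, m: int) -> list:
    """Split E_R = [0, space) into m disjoint, contiguous, near-equal subsets,
    one per receiver of the group."""
    return [range(j * space // m, (j + 1) * space // m) for j in range(m)]


def group_search(prev_key: bytes, c_target: bytes, space: int, m: int) -> tuple:
    """Group variant: each of the M receivers searches only its own subset and
    the first to succeed shares k_{i,m} with the others. Simulated one subset
    after another here; returns (key, tries of the receiver that found it),
    which is about 1/M of what a lone receiver would need."""
    for subset in partition(space, m):
        k, tries = receiver_search(prev_key, c_target, subset)
        if k is not None:
            return k, tries
    return None, space


if __name__ == "__main__":
    prev = b"\x11" * 32                       # constructed k_{i-1,m}
    k, c = generator_issue(prev, r=4321)      # server picks R in [0, 10000)
    print("single receiver:", receiver_search(prev, c, range(10000))[1], "tries")
    print("group of 4     :", group_search(prev, c, 10000, 4)[1], "tries")
```

Because C_{i,m} is known to every receiver, the only thing keeping an illegitimate receiver slow is the size of E_R and the cost of F and H per candidate, which is exactly why the description treats the size of E_R (and the number of receivers that can share the search) as the security parameter to tune.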
Receiving, during the first connection, only the information required to obtain the sequence SR_m of L keys makes it possible to force the receiver 10 to establish a new connection with the server 106 at the latest after obtaining the key k_{L,m}.

Claims (16)

1. A method for obtaining a sequence of L encryption keys k_{1,m}, ..., k_{i,m}, k_{i+1,m}, ..., k_{L,m} by a group of electronic receivers, wherein:
- the index i is the sequence number of the key k_{i,m} in the key sequence,
- L is an integer greater than or equal to two, and
- whatever the value of said index i between 1 and L, said key k_{i,m} is used only during a validity interval [t_{i,m}, t_{i+1,m}] of duration V_{i,m}, where t_{i,m} and t_{i+1,m} are respectively the start time and the end time of the validity interval,
wherein:
- before a time t_{1,m}, the receiver group establishes (140) a first connection with a key server and receives during this first connection the information required to obtain the key k_{1,m}, then
- for each index i between 2 and L, before said time t_{i,m}, the receiver group obtains (150) the key k_{i,m},
Characterized in that, for each index i between 2 and L, and in increasing order of these indices:
- the receiver group obtains (150; 182; 192) the subsequent key k_{i,m} by executing a key derivation algorithm initialized by using the previous key k_{i-1,m}, without having recourse to information other than that received during said first connection, and
- the average time TC_{i,m} taken by the receiver group to execute the key derivation algorithm to obtain the key k_{i,m} is greater than 0.2V_{i-1,m}.
2. The method of claim 1, wherein for at least one subscript i ranging from 2 to L:
- after the time t_{i-1,m} and before the time t_{i,m}, the receiver group verifies (126) whether the process of obtaining the key k_{i,m} has been completed,
- if the process of obtaining the key k_{i,m} has not been completed before said time t_{i,m}, the receiver group establishes (140) a second connection with the key server and transmits to the key server information indicating that the key k_{i,m} could not be obtained before the time t_{i,m}, and in the opposite case the receiver group does not transmit to the key server information indicating that the key k_{i,m} could not be obtained before the time t_{i,m}.
3. The method of claim 2, wherein:
- in response to receiving the information indicating that the key k_{i,m} could not be obtained before said time t_{i,m}, the key server changes (162) the value of a complexity parameter PC_p of the key derivation algorithm such that the value of the parameter PC_p corresponds to an average execution time TC_{i,m} shorter than the current average execution time, or
- in response to not receiving information indicating that the key k_{i,m} could not be obtained before said time t_{i,m}, the key server changes (164) the value of the parameter PC_p such that the value of said parameter corresponds to an average execution time TC_{i,m} longer than the current average execution time.
4. The method of claim 3, wherein, in response to receiving the information indicating that the key k_{i,m} could not be obtained before the time t_{i,m}:
-the key server updating (142) a counter of the number of connections established per unit time, then
-the key server comparing (160) the value of the counter with a predetermined high threshold, and then, in response, if the value of the counter crosses the predetermined high threshold, the key server modifying (162) the value of a complexity parameter to reduce the number of connections established per unit time, and/or
-the key server comparing (142) the value of the counter with a predetermined low threshold value, and then, in response, the key server altering (164) the value of the complexity parameter to increase the number of connections established per unit time if the value of the counter crosses the predetermined low threshold value.
5. The method according to any of the preceding claims, wherein the method for obtaining a key sequence is carried out for a first receiver group and a second receiver group, and the key server uses (144) a first value of the index L for the first receiver group and a different second value of the index L for the second receiver group.
6. The method of any preceding claim, wherein the group of receivers comprises a plurality of receivers and execution of the derivation algorithm is distributed over each of the receivers of the group.
7. The method of any one of claims 1 to 5, wherein the group of receivers comprises a single receiver and the derivation algorithm is implemented by the single receiver.
8. The method according to any one of the preceding claims, wherein for at least one subscript i ranging from 2 to L:
- after said time t_{i-1,m} and before the time t_{i,m}, the receiver group verifies (126) whether the process of obtaining the key k_{i,m} has been completed,
- if the process of obtaining the key k_{i,m} has not been completed:
the receiver group establishes (140) a second connection with the key server and receives, during the second connection, the information required to derive the key k_{i,m} without executing the key derivation algorithm, and then
obtains the key k_{i,m} from the required information received during the second connection, without executing the key derivation algorithm, and then
the receiver group obtains (150; 182; 192) the subsequent key k_{i+1,m} by executing the key derivation algorithm initialized by using the previous key k_{i,m}, without the aid of information other than that received during the second connection, wherein the previous key k_{i,m} is the one obtained by using the information received during the second connection; and
- if the process of obtaining said key k_{i,m} has been completed, the receiver group does not establish the second connection and obtains (150; 182; 192) the subsequent key k_{i+1,m} by executing the key derivation algorithm initialized by using the previous key k_{i,m}, without having recourse to information other than that received during the first connection.
9. The method according to any of the preceding claims, wherein the receiver group when it executes a key derivation algorithm performs the following operations:
1) initializing the value of a variable by using said previous key k_{i-1,m}, and then
2) converting the value of the variable by using a one-way function to obtain a new value of the variable, and then
3) iterating the operation 2) a predetermined number of times Q_{i,m}, by taking as the value of the variable to be converted the new value of the variable obtained at the end of the previous iteration of operation 2).
10. The method of claim 9, wherein the one-way function is a one-way cryptographic function with a trapdoor.
11. The method according to any of claims 1 to 8, wherein the receiver group, when it executes a key derivation algorithm, performs the following operations:
1) selecting a number R from a set E_R, then
2) calculating a candidate key k_cd by using the following relation: k_cd = F(R // k_{i-1,m}), where F is a predetermined function and the symbol "//" denotes the concatenation of the numbers R and k_{i-1,m}, then
3) calculating control information C_cd by using the following relation: C_cd = H(k_cd), where H is a one-way function, then
4) comparing the control information C_cd with the control information C_{i,m} received during said first connection, and
5) if the control information C_cd and C_{i,m} correspond, the calculated key k_cd is equal to the key k_{i,m}, thus obtaining said key k_{i,m}; otherwise, the receiver group repeats said operations 1) to 5) for another number R of the set E_R.
12. The method of any one of the preceding claims, wherein the average time TC_{i,m} taken by the receiver group to execute the key derivation algorithm to obtain the key k_{i,m} is less than or equal to V_{i-1}.
13. A method for securely transmitting digital content, wherein:
- a device divides (120) said digital content into successive key validity periods CP_m, encrypts each key validity period CP_m using the corresponding key k_m of an ordered sequence of keys k_1 to k_N, and transmits each encrypted key validity period to the receiver group,
- the receiver group decrypts (130) each received key validity period using the corresponding key k_m of the ordered sequence of keys,
characterized in that the receiver group obtains (150; 182; 192) a key sequence by implementing the method according to any one of the preceding claims.
14. A data storage medium readable by a microprocessor, the data storage medium comprising instructions for carrying out the method of any one of the preceding claims when the instructions are executed by the microprocessor.
15. A group of receivers for implementing the method of any one of claims 1 to 13, each receiver of the group comprising a microprocessor (77) programmed to implement:
- before a time t_{1,m}, the receiver group establishes a first connection with a key server and receives during this first connection the information required to obtain the key k_{1,m}, then
- for each index i between 2 and L, before said time t_{i,m}, the receiver group obtains the key k_{i,m},
Characterized in that, for each index i between 2 and L, and in increasing order of these indices, each microprocessor is further programmed to carry out the following steps:
- the receiver group obtains the subsequent key k_{i,m} by executing a key derivation algorithm initialized by using the previous key k_{i-1,m}, without having recourse to information other than that received during said first connection, and
- the average time TC_{i,m} taken by the receiver group to execute the key derivation algorithm to obtain the key k_{i,m} is greater than 0.2V_{i-1,m}.
16. A key server for implementing the method of any one of claims 3 to 4, the server comprising a microprocessor (114) programmed to perform the steps of:
- before a time t_{1,m}, the key server establishes a first connection with the receiver group and transmits during this first connection the information required to obtain the key k_{1,m},
characterized in that the microprocessor (114) is further programmed to perform the steps of:
- in response to receiving the information indicating that the key k_{i,m} could not be obtained before said time t_{i,m}, the key server changes the value of a complexity parameter PC_p of the key derivation algorithm such that the value of the parameter PC_p corresponds to an average execution time TC_{i,m} shorter than the current average execution time, or
- in response to not receiving information indicating that the key k_{i,m} could not be obtained before said time t_{i,m}, the key server changes (164) the value of the parameter PC_p such that the value of said parameter corresponds to an average execution time TC_{i,m} longer than the current average execution time.
CN201980055283.0A 2018-07-04 2019-07-01 Method for obtaining a sequence of encryption keys Pending CN112602288A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR1856170 2018-07-04
FR1856170A FR3083660B1 (en) 2018-07-04 2018-07-04 PROCESS FOR OBTAINING A SUCCESSION OF CRYPTOGRAPHIC KEYS
PCT/FR2019/051616 WO2020008131A1 (en) 2018-07-04 2019-07-01 Method for obtaining a sequence of cryptographic keys

Publications (1)

Publication Number Publication Date
CN112602288A true CN112602288A (en) 2021-04-02

Family

ID=65031368

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201980055283.0A Pending CN112602288A (en) 2018-07-04 2019-07-01 Method for obtaining a sequence of encryption keys

Country Status (4)

Country Link
EP (1) EP3818659A1 (en)
CN (1) CN112602288A (en)
FR (1) FR3083660B1 (en)
WO (1) WO2020008131A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114143273A (en) * 2021-11-24 2022-03-04 深圳数马电子技术有限公司 Channel allocation method, device, computer equipment and computer readable storage medium
CN114143273B (en) * 2021-11-24 2024-05-17 深圳数马电子技术有限公司 Channel allocation method, channel allocation device, computer equipment and computer readable storage medium

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10964702B2 (en) 2018-10-17 2021-03-30 Micron Technology, Inc. Semiconductor device with first-in-first-out circuit
CN116663041B (en) * 2023-07-28 2023-10-31 青岛农村商业银行股份有限公司 RPA flow robot data intelligent processing method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110026715A1 (en) * 2009-07-31 2011-02-03 Telefonaktiebolaget Lm Ericsson (Publ) Self-healing encryption keys
CN103283176A (en) * 2010-12-29 2013-09-04 维亚塞斯公司 Method of transmitting and receiving a multimedia content
CN103560892A (en) * 2013-11-21 2014-02-05 深圳中兴网信科技有限公司 Secret key generation method and secret key generation device
CN104756458A (en) * 2012-10-29 2015-07-01 瑞典爱立信有限公司 Method and apparatus for securing a connection in a communications network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2959905B1 (en) 2010-05-04 2012-07-27 Viaccess Sa METHOD OF DETECTING, TRANSMITTING AND RECEIVING CONTROL WORDS, RECORDING MEDIUM AND SERVER OF CONTROL WORDS FOR THE IMPLEMENTATION OF SAID METHODS

Also Published As

Publication number Publication date
EP3818659A1 (en) 2021-05-12
WO2020008131A1 (en) 2020-01-09
FR3083660A1 (en) 2020-01-10
FR3083660B1 (en) 2020-12-04

Similar Documents

Publication Publication Date Title
US6934389B2 (en) Method and apparatus for providing bus-encrypted copy protection key to an unsecured bus
EP1560361B1 (en) A secure key authentication and ladder system
TWI271079B (en) System and method for security key transmission with strong pairing to destination client
RU2433548C2 (en) Method of descrambling scrambled content data object
KR100564832B1 (en) Method and system for protecting the audio/visual data across the nrss interface
CA2362935C (en) Protecting information in a system
CN101123496A (en) Digital content protection method
CN101282456B (en) Method and apparatus for receiving digital television condition
JP2007133400A (en) Methods of scrambling and descrambling unit of data
EP2487829A1 (en) Method and device for generating control words
US20040234074A1 (en) Generation of a mathematically constrained key using a one-way function
Jiang et al. Secure communication between set-top box and smart card in DTV broadcasting
EP2567500B1 (en) Method, recording medium and server for decryption, transmission and reception of the control words
Kanjanarin et al. Scrambling and key distribution scheme for digital television
TWI523533B (en) Control-word deciphering, transmission and reception methods, recording medium for these methods and control-word server
CN112602288A (en) Method for obtaining a sequence of encryption keys
US9544276B2 (en) Method for transmitting and receiving a multimedia content
Pippal et al. Secure key exchange scheme for IPTV broadcasting
CN106559682B (en) A kind of method and device of DTV finger water-print protection
WO2013186274A1 (en) Obtaining control words using multiple key ladders
EP3646526B1 (en) Method for receiving and decrypting a cryptogram of a control word
WO2014154236A1 (en) Obtaining or providing key data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination