IES20110508A2 - Process for retrieving an identifier of a security module - Google Patents

Process for retrieving an identifier of a security module

Info

Publication number
IES20110508A2
Authority
IE
Ireland
Prior art keywords
identifier
contacts
security module
entitlement
smart card
Prior art date
Application number
Inventor
Nicolas Royer
Joel Conus
Henri Kudelski
Original Assignee
Nagra France Sas
Application filed by Nagra France Sas

Landscapes

  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Abstract

The invention concerns a process for retrieving an identifier UA of a security module intended to control the access to a conditional access content, said content being encrypted by at least one control word, each control word being intended to give access to at least a part of said content, said content being broadcast to a plurality of receivers, each receiver being linked to a security module having at least an identifier UA, said process being characterized in that it comprises the steps of: - receiving at least one entitlement message by the receiver, said entitlement message containing at least one command; - processing said command, said processing having the effect of retrieving at least a part of the identifier UA of the security module and of applying a one way function on said at least a part of said identifier in order to obtain a processed identi

Description

TECHNICAL FIELD
The present invention relates to a process for retrieving an identifier UA of a security module intended to control the access to a conditional access content, said content being encrypted by at least one control word, each control word being intended to give access to at least a part of said content, said content being broadcast to a plurality of receivers, each receiver being linked to a security module having at least an identifier UA.
The present process is applied in particular in the field of the Pay-TV.
A security module can typically be produced in the form of a microprocessor card (smart card), for instance a chip card having electrically connectible contact pads such as ISO 7816 compatible smartcards.
BACKGROUND ART
In a well-known method, in particular in the aforementioned field of Pay-TV, data is encrypted by a data supplier by means of encryption keys called control words cw. This data is transmitted to multimedia units of users or subscribers. Parallel to this, the control words are transmitted to these multimedia units in the form of a stream of entitlement control messages ECM.
The multimedia units are generally made up of a processing unit that, in the case of Pay-TV, is a decoder or a receiver receiving the aforementioned stream and of a security module responsible for the cryptographic operations related to the use of these streams.
As is well known to those skilled in the art, this type of security module can essentially be produced according to four distinct forms. One of these is a microprocessor card, a smart card, or more generally an electronic module (in the form of a key, of a badge, ...). This type of module is generally removable and can be connected to the decoder. The form with electrical contacts is the most widely used, however the use of a contactless connection is not excluded, for example of the ISO 14443 type.
A second known form is that of an integrated circuit box placed, generally in a definitive and irremovable way, in the decoder box. One variant is made up of a circuit mounted on a base or connector such as a SIM module connector.
In a third form, the security module is integrated into an integrated circuit box also having another function, for example in a descrambling module of a decoder or the microprocessor of a decoder.
In a fourth embodiment, the security module is not materially produced, but rather its function is only implemented in the form of software. Given that in the four cases, although the security level differs, the function is identical, it is possible to talk about a security module regardless of the way in which it functions or the form that this module may take.
When a multimedia unit has received the stream containing the control words, first it is verified if the user disposes of the rights to decrypt the specific data. If this is the case, the entitlement control messages ECM are decrypted in order to extract the control words. These control words are in turn used to decrypt the data.
As it is also known, each control word generally allows the decryption of a small part of the data transmitted. Typically, one control word allows 10 seconds of a Pay-TV event to be decrypted. After this time duration, called a cryptoperiod, the control word is changed for security reasons.
One possible way to enjoy access to encrypted data without being authorized consists in using a genuine multimedia unit with a real security module, but distributing the control words to a set of decoders. This can be done by means of a server or separating device known as a splitter. Therefore, the amounts related to the acquisition of access rights to encrypted data are paid by a single multimedia unit while the events are accessible from several multimedia units.
Several inventions exist which have the aim of preventing a user from distributing the control words, or more often, of preventing other users from being able to use the distributed control words. The present invention does not have the object of preventing the control words from being used by several users, but rather has the object of detecting which control module was used to provide the control words.
The publication WO 2008/023023 also has the aim of detecting the fraudulent usage of a security module. In this document, the security modules receive a normal entitlement control message containing two control words. The security module further receives an entitlement message containing a command and an activation value. This activation value can be a date or the like. The command has the effect of replacing one of the control words in an Entitlement control message ECM by a data which is a function of a unique identifier of the security module. When the data is used by the receiver, said receiver is able to retrieve the control word from the data. If the control words are shared, for example on a server, a spy receiver can retrieve the unique identifier from the shared control word. Thus, the security module can be detected and countermeasures can be applied.
A drawback of this method is that the command may be sent via a conventional Entitlement management message. As it is well known, it is possible for fraudulent users to discard or to block this kind of messages. In this case, the command is not processed and it is not possible to retrieve the security module which was used to distribute the control words.
Another drawback comes from the fact that the process requires two functions which have very specific features. A first function G is applied to the unique identifier UA and gives a first value X. A second function H, which is the reverse of the function G is applied to G(UA) and gives UA. Moreover, the same function H is further used to retrieve the control word. These pairs of functions may be difficult to find. This can limit the application of the invention.
A third point is that the unique identifier of a security module can be found by a fraudulent user, as the function G is a reversible function. Thus, such a fraudulent user could send a wrong unique identifier in order to imitate another security module and to avoid countermeasures.
Regarding the aforementioned chip cards, these smart cards are generally known, which comply with the industry standard known as ISO 7816, managed jointly by the ISO (International Organisation for Standardisation) and the IEC (International Electrotechnical Commission). The ISO 7816 Standard includes specifications pertaining to the physical locations of contacts used to interface to the smart card and specifications pertaining to the electrical characteristics and operating characteristics of the smart card and said interface.
As it is well known, cards conforming to this standard comprise eight contacts accessible from the exterior of the cards by means of elements which form an electrical junction with the contacts of the card when the latter is inserted into a reader. Six of the eight contacts have a function well defined by the ISO 7816 Standard. In particular, a contact VDD is responsible for providing the power supply to the card's chip, a contact GND provides the grounding of this chip, a contact RST allows resetting, a contact VPP provides the supply of the chip in programming voltage, a contact CLK allows the input of a clock signal and a contact I/O allows the input/output of data. This leaves two contacts which are not reserved for any particular function according to the ISO 7816 Standard. These contacts are referred to as being reserved for future use (RFU).
These cards are particularly adapted for use in a Pay-TV system since they conveniently allow for the security required for this type of application to be provided. However, they suffer from a defect in that they do not allow significant data processing speeds. Thus, when such cards are used to decrypt control messages in order to extract the control words, their processing capacity is sufficient. However, the processing capability of these cards is not sufficient for processing the larger data streams typically required in today’s increasingly complex and bandwidth-hungry audio/video content transmission protocols.
State of the art smart cards may comply with another internationally accepted industry standard known as ISO 14443, which applies to contactless smart cards, where communication is made through RF transmission between a reader and a smart card placed sufficiently close to the reader. Transfer rates using this standard are again insufficient for decrypting the large data streams typically required for audio/video content.
Newer transmission protocols such as TSIO (Transport Stream I/O) require that backward compatibility be maintained. In other words, a smart card which is compatible with a TSIO standard must maintain compatibility with the ISO 7816 standard in order that such a smart card will be backward compatible with older card readers. On the other hand, this places severe constraints on the smart card since ISO 7816 limits the number of available contacts on the card and the number of connections in the reader whereas the smart card may be able to take advantage of newer capabilities provided by the newer specifications such as TSIO.
United States Patent Application Publication Number US 2003/0085287 A1 describes a smart card having a set of contact pads conforming to the ISO 7816 Standard and an additional set of contacts to provide additional performance characteristics. The additional contacts are formed on the smart card on the area located between the ISO 7816 standardised contacts, an area which was previously used solely as a ground plane connection. The additional contacts are usable as input/output connections providing higher performance capabilities to the smart card while maintaining backward compatibility with legacy 7816-type card readers.
The present invention proposes to avoid the drawbacks of the prior art and to enable retrieving the unique identifier of a fraudulent user.
STATEMENT OF INVENTION
One of the objects of the invention is achieved by a process as defined in the preamble and characterized in that it comprises the steps of:
- receiving at least one entitlement message by the receiver, said entitlement message containing at least one command Cmd;
- processing said command, said processing having the effect of retrieving at least a part of the identifier UA of the security module and of applying a one way function on said at least a part of said identifier in order to obtain a processed identifier UA*.
According to a first embodiment of this invention, conventional entitlement control messages ECM are used to enable retrieving the identifier of control modules.
Such messages must be received and processed by the security module, failing which, the security module will not give access to a portion of the event or data. In the entitlement control message, a command which may have the same format as a conventional control word or conventional access conditions can be introduced. Thus, the detection of the command by a fraudulent user can be very difficult.
Moreover, it can be arranged for the command not to be executed immediately upon reception, but rather when a given condition is fulfilled, in particular a condition linked to a time or date. Thus, the fraudulent user may have difficulties to establish a link between one specific message and countermeasures.
According to a second embodiment of this invention, an Entitlement management message EMM is used to retrieve the identifier of the control modules. In order to prevent fraudulent users from discarding such entitlement management messages, it is possible to send a new transmission key in the message. Thus, if the user does not process this message, he will not obtain the transmission key and will not be able to decrypt the entitlement control message ECM containing the control words.
The following description refers to the use of entitlement control messages. The use of entitlement management messages is similar and is not described with further details herein.
It should be noted that usually, the unique identifier is unique and different for each security module. However, it can also be unique and different for a group of security modules. In this case, the security modules of the same group have the same identifier UA.
It should also be noted that a security module can have more than one unique identifier. As an example, a security module could have one identifier concerning a group of security modules and one identifier concerning only this security module.
The unique identifier can be known to the user, for example printed on the module itself, or secret, for example stored in a memory of the module. One unique identifier or at least a part of it could be printed on the module and another part of said identifier or another unique identifier can be stored in the module.
Another object of the invention allows for a smart card with enhanced performance capabilities such as high speed input/output capabilities to be realised while maintaining backward compatibility of the smart card with legacy ISO 7816-type smart card readers. This is achieved by providing a smart card including a plurality of primary contacts conforming to the ISO 7816 Standard and further comprising a plurality of additional or extra contacts allowing for extra connectors in a compatible reader to communicate with the smart card. The connectors which provide electrical connectivity between the card reader and the contacts of the smart card are known as prongs or resilient contacts. According to the invention, the reader comprises extra prongs to provide electrical connectivity between the card reader and the extra contacts on the smart card. Given that the extra prongs will be used to allow the smart card to achieve enhanced communication capabilities with the reader, the extra contacts need to be arranged such that any extra heat generated due to the higher performance operation can be adequately dissipated.
It is a further goal of the present invention to disclose adequate management of any extra electromagnetic effects due to the increased performance of the smart card.
It is yet a further goal of the present invention to allow for improved management of power-on and power-down sequences of the circuitry within the smart card as the smart card is being inserted or removed from the card reader.
From the foregoing, the present invention also discloses a smart card comprising a set of contacts including a plurality of primary contacts and a plurality of extra contacts, wherein:
- the plurality of primary contacts is configured to provide electrical connectivity between a chip in the smart card and a plurality of resilient contacts on a smart card reader, and are disposed on the smart card according to an ISO 7816 Standard configuration; and
- the plurality of extra contacts is configured to provide electrical connectivity between the chip in the smart card and a plurality of extra resilient contacts on the smart card reader;
said smart card characterised in that:
- the extra contacts are suitably dimensioned so as to maximize a transfer of heat away from the smart card; and
- the extra contacts are suitably dimensioned and disposed on the smart card in order to ensure that the resilient contacts on the card reader enter into contact with the plurality of primary contacts and the plurality of extra contacts according to a predetermined sequence while the smart card is being presented to or removed from the card reader.
BRIEF DESCRIPTION OF DRAWINGS
The present invention and its advantages will be better understood with reference to a detailed description of a specific embodiment and to the attached drawings in which:
- Figures 1a, 1b and 1c schematically illustrate three messages as used in the process of the present invention;
- Figure 2 schematically illustrates the implementation of the method of the invention;
- Figure 3 illustrates a smart card showing contacts according to existing prior art;
- Figures 4 to 6 show smart cards and their contacts according to various embodiments of the present invention.
DETAILED DESCRIPTION
According to the present invention, the process has two phases. One phase takes place essentially at the user's side, i.e. in the user unit and consists in forcing the security module to introduce a unique identifier in a message. The second phase takes place essentially in a management center or at a provider's place and consists in retrieving the unique identifier of a security module which was used to distribute control words. Thus, if a user fraudulently distributes control words on a control word server, he will also send data concerning his user unit's identifier. The second phase of the invention will be used to determine which user unit distributed the control words. Herein, the control word server refers in particular to a public server which can be accessed by the users, as well as a computer or any other similar device which sends control words to other users.
In the first phase, entitlement control messages ECM are prepared in a management center. Most of the messages are conventional messages and contain at least one control word cwi used to decrypt a content corresponding to a current cryptoperiod and a control word cwi+1 used to decrypt a content corresponding to the next cryptoperiod. These messages correspond to a first type of entitlement control messages. Such a control message is illustrated by Fig. 1(a) and Fig. 1(c) in particular. The message further comprises access conditions AC that must be fulfilled to enable the content to be decrypted. The entitlement control message can further comprise additional elements such as for example a header H, additional data or padding. Fig. 1(a) illustrates an Entitlement control message ECM received at a given time and corresponding to a given cryptoperiod and Fig. 1(c) illustrates a conventional entitlement control message ECM intended to decrypt data corresponding to the next cryptoperiod. These messages are conventionally encrypted by a so called transmission key TK. These messages must be used to gain access to encrypted data.
According to the method of the invention, some of the ECMs, corresponding to a second type of entitlement control messages, contain, instead of or in addition to one of the control words and/or a part of the access conditions or other data, a command Cmd having a specific function as described below. As an entitlement control message ECM usually has a fixed format, the command must fit into the available space. In order to have space, the command can replace padding, additional data or even a control word. An example of such a message is illustrated by Fig. 1(b) and is noted ECM*. It is also encrypted by the transmission key TK.
The process of the invention is more particularly illustrated by Fig. 2. According to this process, when the security module receives an Entitlement control message ECM, it first decrypts it in a conventional way, in particular by using the transmission key. If the ECM contains two control words, they are used as usual to enable displaying a content on a screen for example. As this is well known to the man skilled in the art, this part is not described with further details.
If the ECM contains a command Cmd, this command is executed. It should be noted that an Entitlement control message could contain two control words and a command, depending on the size of the ECM, the size of the control words and the size of the command. The execution of the command has the effect of retrieving at least a part or one of the identifier UA of the security module and of applying a one way function f on this identifier. In this context, a one way function applied on an input value is a function which does not enable retrieving the totality of said input value. Such a one way function can have different forms. According to one embodiment, the one way function can have the effect of extracting a part of the unique identifier. According to another embodiment, the one way function is a conventional hash. According to still another embodiment, the function is a hash with a key. The key can be sent in the entitlement control message ECM or it could be derived from data contained in the ECM or another source. Such data could be a signature, an authentication data, the time stamp or any other suitable data. The key could also be contained in the receiver or user unit, but must be known to the management center. It is possible to use two (or more) different commands, for example one command retrieving a part of the unique identifier and another command retrieving another part of the unique identifier.
Once the command is received and processed, the security module outputs a control word and a data containing the result UA* of said one way function on the identifier UA of the security module. Said result can be a hashed unique identifier, a mix between the processed unique identifier and other data such as a control word, padding, a random number or any other similar data.
The output of the security module is transmitted to the decoder. Although the software of the decoder does not know whether the control word is a true control word or not, the descrambler is able to make a distinction between a control word and other data. If the user fraudulently distributes the control words, the output of the security module will also be sent to the server.
In Fig. 2, the control word is noted cwi+1 and the result of the function applied to the identifier UA is noted UA*. The processed identifier UA* preferably has the same format as a control word or is contained in the space usually used for a control word, so that a fraudulent user will not be able to distinguish a conventional control word cw from the processed identifier UA*.
Before the end of the cryptoperiod, and preferably shortly before, another entitlement control message ECM can be sent, said control message containing two control words, as usual. The first control word corresponds to the first control word of the message containing a command and the second control word corresponds to the control word used for the next cryptoperiod. Thus, access to encrypted content is always possible and the method is transparent for the user. It is also possible that the output of the security module contains a correct control word as well as a part of the unique identifier.
If a fraudulent user distributes the control words using a server S, he will also send the result UA* of the one way function applied on the unique identifier of his security module. As the function is a one way function, it is not possible to retrieve the identifier UA from the result of this function. This guarantees that neither the owner of the security module nor another non authorized third party may detect the identifier UA. The use of a keyed hash moreover prevents a user from forging a fake unique identifier UA and from replacing the correct one.
According to the second phase of the invention, if a control word server is found, the management center or any other entity in charge of detecting fraudulent users can connect to this control word server and read or receive data it contains. The control words or more generally the data of the server are compared to the control words actually used. If a data of the server corresponds to a real control word, it is not further analyzed. On the contrary, if a data of the server does not correspond to a real control word, this piece of data is further investigated.
This further investigation works as follows. At least one identifier UA stored in the management center is processed, using the one way function f, in order to obtain a processed identifier UA*. More generally, the same operations as carried out at the user unit's side are carried out at the management center's side. The processed identifier UA* is compared to the piece of data of the server which does not correspond to a real control word. If both values are identical, the security module having the identifier which led to the identity is considered as responsible for the fraud. If this identifier does not give an identity, the identifier of another security module is used. This continues until an identifier corresponds or until all the identifiers are tested. Once the security module of the fraudulent user is identified, the management center can decide what to do. In particular, countermeasures can be applied.
The detection of the processed identifier UA* can also be made without comparing the values of the server with known control words. In practice, when an Entitlement Control Message is decrypted by a fraudulent user, the control word is immediately made available on the server in order to enable immediate decryption of the broadcast content. Thus, the processed identifier UA* will be the immediate answer to the Entitlement Control Message containing the command.
It is possible for the management center to apply the one way function once a fraudulent use is detected. It is also possible to apply this function in advance on all or a part of the identifiers and to store the result of this function. Thus, the comparison can be made quicker as the calculation step is already done.
The one way function can be of different types. For example, a conventional hash function may be used. A hash with a key could also be used. In this case, the key may be sent from the management center to the receiver or may depend on values known to the management center and to the receiver, such as a value depending on the time and/or date. Thus, the management center can detect the identifier of a fraudulent user. However, the user cannot imitate another identifier.
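The second-phase lookup described above, using the keyed-hash variant of f and the precomputed table, as an added example (not code from the patent or from the applicant). HMAC-SHA-256 truncated to an 8-byte slot, the key derivation from the ECM time stamp, and all names and sample values are assumptions.

```python
import hashlib
import hmac

CW_LEN = 8  # assumption: 8-byte control-word slot; the page fixes no size


def derive_key(master_key: bytes, ecm_timestamp: int) -> bytes:
    """Hash key derived from a shared secret and the ECM time stamp (assumed scheme)."""
    msg = b"ua-trace" + ecm_timestamp.to_bytes(8, "big")
    return hmac.new(master_key, msg, hashlib.sha256).digest()


def process_identifier(ua: bytes, key: bytes) -> bytes:
    """UA* = f(UA): keyed hash truncated so it fits the space of a control word."""
    return hmac.new(key, ua, hashlib.sha256).digest()[:CW_LEN]


def build_lookup(known_uas, key):
    """Apply f in advance to every registered identifier and store the results.

    Truncation can make two identifiers share one UA*, so each entry
    keeps a list of candidates rather than a single identifier.
    """
    table = {}
    for ua in known_uas:
        table.setdefault(process_identifier(ua, key), []).append(ua)
    return table


def trace(server_values, real_control_words, lookup):
    """Return {server value: [candidate UAs]} for values that are not real CWs."""
    real = set(real_control_words)
    hits = {}
    for value in server_values:
        if value in real:
            continue  # corresponds to a real control word: not analysed further
        candidates = lookup.get(value)
        if candidates:
            hits[value] = list(candidates)
    return hits


def demo():
    # Constructed sample data, not values from any real system.
    master_key = bytes(range(16))
    registered = [n.to_bytes(4, "big") for n in range(100000, 100500)]
    leaker = (100321).to_bytes(4, "big")
    key = derive_key(master_key, ecm_timestamp=1300000000)

    # Security-module side: the ECM carried Cmd, so one output slot holds UA*.
    ua_star = process_identifier(leaker, key)

    # Management-center side: values read from the control word server,
    # compared with the control words actually broadcast.
    real_cws = [bytes.fromhex("1122334455667788"),
                bytes.fromhex("99aabbccddeeff00")]
    server_values = [real_cws[0], ua_star, real_cws[1]]
    hits = trace(server_values, real_cws, build_lookup(registered, key))
    return hits, leaker, ua_star


if __name__ == "__main__":
    found, _, _ = demo()
    for value, uas in found.items():
        print(value.hex(), "->", [ua.hex() for ua in uas])
```

A value computed with a different key does not appear in the table, which is the property the text relies on when it says the user cannot imitate another identifier.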
Referring now to Fig. 3, a smart card can be seen with a set of eight contacts distributed according to the ISO 7816 Standard.
Fig. 4 shows a smart card with its contacts according to one possible embodiment. The card’s contacts include eight standard contacts corresponding to the eight contacts of the ISO 7816 standard and a plurality of extra contacts not included in the mentioned ISO Standard. The eight contacts corresponding to the eight contacts of the ISO 7816 Standard are shown numbered 1 to 8, while the plurality of extra contacts are shown in positions around the eight standard or primary contacts. These extra contacts allow for an appropriately configured card reader to communicate electrically with the smart card in a manner which is not provided for by the ISO 7816 Standard. Indeed, the extra contacts allow for enhanced communications between the smart card and the reader to be achieved.
The prongs of the card reader, otherwise known as resilient contacts, are generally spring-biased in order for mechanical pressure to be exerted from the prong to the contact, thus ensuring a good circulation of electrons even if the surface of the contacts is not perfectly clean.
One aspect of the enhanced functionality afforded between a card reader and a smart card in which an embodiment is deployed is that the frequency of operation may be significantly higher. The higher frequencies used thereby lead to greater joule-heating during the operation of the card, thus leading to a need to dissipate more heat than in a non-enhanced interface. According to an embodiment, the shape and disposition of the extra contacts are optimised such that the dissipation or evacuation of the extra heat generated is appropriately facilitated, this ensuring a stable temperature in the smart card.
Similarly, in order to optimize the management of the extra heat generated around a smart card and card reader adapted according to an embodiment, the prongs of the card reader are made of a material having higher thermal conductivity than in a standard reader. This may be achieved by using a particularly heat-conductive material for the prong. Similarly, it may be achieved by maximizing the cross sectional dimension of the prong, thus offering a wider path for heat conduction. Further enhancement of heat dissipation properties of the prongs may be achieved through maximization of the extremity of the prong where it forms electrical connectivity with its corresponding contact. Furthermore, since the extra contacts on the smart card do not need to comply with the legacy standard, the extra contact can be suitably dimensioned to maximize its heat dissipation characteristics. This can be seen from Fig. 4, where two of the extra contacts are clearly seen to be wider and longer than the primary contacts.
As discussed above, as well as simply providing electrical pathways the prongs and the extra contacts in smart cards and readers in which embodiments are deployed serve as a means for evacuating the extra heat generated on the smart card onto the card reader. The card reader, which has sufficient space, includes further heat removal and dissipation mechanisms including fans, wings, heat pumps and other generally known heat management technologies. This allows coping with the limited dimensions of the card, which would normally only allow limited heat dissipation from the processor on the card. The extra contacts, with their wide dimensions, therefore allow for the evacuation of the extra thermal energy that may otherwise damage the card, said evacuation being made through large prongs thereby ensuring both good electrical contact and good thermal exchange.
As is generally known, higher frequency signals also implies more problems related to parasitic electromagnetic effects. This can lead to electromagnetic interference for example. According to an embodiment, provision is made to minimise such effects by carefully considering how lines carrying such high frequency signals are physically disposed on the card and on the reader. For example, lines which are known to carry signals exhibiting such effects may be placed such that the electromagnetic effects that they generate cancel each other out. This may be done by paying particular attention to their symmetry for example.
With ever increasing complexity of circuitry on the smart cards, particular attention to power-up and power-down sequencing may be of importance. It may be necessary for example for a power supply signal to be properly established before a clock signal or some other signal becomes active in order to ensure reliable functioning of the circuit. Proper consideration of this aspect is taken by providing long contacts for VDD and VSS (power and ground) so that when the smart card is being slid into the reader it is guaranteed that the power and ground supplies are properly in place before the other signals become active and during the whole length of time that the smart card is being inserted, thereby guaranteeing proper and reliable operation of susceptible circuits. Similarly, when sliding the smart card out of the reader it is ensured that the power and ground supplies are the last signals to remain valid during such sliding. As shown in Fig. 6 for example, by proper design of the extra contacts and by proper connection of the appropriate extra contacts to existing power and ground contacts of the ISO 7816 Standard interface for example, it can be ensured that the proper power-up and power-down sequence is respected. As shown in Fig. 6, the extra contacts representing the power and ground supply rails are connected to power and ground primary contacts and are extended at least along the entire length of the set of all of the contacts, i.e. the primary contacts and the extra contacts. When the smart card is slid into the card reader the power contacts are first brought into contact with their appropriately powered resilient contacts before the other signals are electrically connected to their respective contacts. Similarly, when the smart card is slid away from the card reader, the power remains connected to the smart card as each of the other contacts are removed from their corresponding resilient contacts.
As is well known, lines which carry higher frequency signals are prone to radiating electromagnetic interference. According to another embodiment, care is taken to minimise the effects of electromagnetic radiation from lines carrying high speed signals. For example, two lines which are known to carry such high frequency signals may be placed in a manner which allows their electromagnetic fields to cancel each other out.
It is convenient to place the extra contacts close to the primary contacts or at least towards the same end of the smart card as the primary contacts. In this way the smart card need not be fully inserted into the card reader for electrical connectivity with all contacts to be properly assured and indeed part of the card may remain protruding from the reader such that the card may be easily extracted from the reader by pulling on the end of the card which is devoid of contacts.
According to another embodiment, the extra contacts may be shaped in such a way to provide guidance to the user as to the proper sense of insertion of the card into the reader. For example, at least one of the contacts may present an arrow shape showing the direction of travel of the card into the reader. Similarly, the contacts may even be disposed in such a way as to provide readable instructions to the user concerning its placement into the reader. See Fig. 5.
In one particular embodiment the extra contacts are positioned as a continuation to the existing primary contacts as shown in Fig. 6. In another embodiment the extra contacts may be positioned in parallel to the primary contacts as shown in Fig. 4.
Smart cards according to embodiments of the present invention, being backward compatible, are usable in legacy 7816-type card readers without any extra prongs, in which case the smart card functions according to the legacy 7816 protocol. If the reader is equipped with the extra prongs, then the smart card with the extra contacts is capable of functioning according to the 7816 protocol or a protocol allowing higher speed communication/operation. Indeed, the smart card may be designed such that it may function according to either protocol, whereby if the reader detects that the extra contacts are present it may switch to the higher speed operation whereas if the extra contacts are not detected, then the standard 7816 protocol is invoked.

Claims (5)

1. Process for retrieving an identifier UA of a security module intended to control the access to a conditional access content, said content being encrypted by at least one control word, each control word being intended to give access to at least a part of said content, said content being broadcast to a plurality of receivers, each receiver being linked to a security module having at least an identifier UA, said process being characterized in that it comprises the steps of:
- receiving at least one entitlement message by the receiver, said entitlement message containing at least one command Cmd;
- processing said command, said processing having the effect of retrieving at least a part of the identifier UA of the security module and of applying a one way function on said at least a part of said identifier in order to obtain a processed identifier UA*.
2. Process according to claim 1, characterized in that said entitlement message is an entitlement control message ECM.
3. Process according to claim 1, characterized in that said entitlement message is an entitlement management message EMM.
4. Process according to claim 3, characterized in that said entitlement management message containing said command further contains a transmission key that must be used to access control words.
5. Process according to claim 1, characterized in that it further comprises a step of transmitting at least a part of the processed identifier UA* to said corresponding receiver.
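The processing recited in claims 1 and 5, as an added example that is not code from the patent: a security module parses an entitlement message, locates the command Cmd, applies a one-way function to the selected part of UA, and hands back only a part of UA*. The tag-length-value layout, the tag 0xC1, the offset/length encoding of Cmd, SHA-256 as the one-way function, and all sample bytes are assumptions constructed for illustration.

```python
import hashlib

CMD_TAG = 0xC1  # assumed tag marking the command Cmd (not from the patent)


class EntitlementError(ValueError):
    """Raised when the message or the command cannot be processed safely."""


def find_command(message: bytes) -> bytes:
    """Walk tag-length-value fields and return the value of the Cmd field."""
    pos = 0
    while pos < len(message):
        if pos + 2 > len(message):
            raise EntitlementError("truncated TLV header")
        tag, length = message[pos], message[pos + 1]
        value = message[pos + 2 : pos + 2 + length]
        if len(value) != length:
            raise EntitlementError("TLV length runs past end of message")
        if tag == CMD_TAG:
            return value
        pos += 2 + length
    raise EntitlementError("no command in entitlement message")


def process_command(message: bytes, ua: bytes, out_len: int = 8) -> bytes:
    """Return a part of UA* = H(selected part of UA); the raw UA is never returned."""
    cmd = find_command(message)
    if len(cmd) != 2:
        raise EntitlementError("command must carry an offset and a length")
    offset, length = cmd
    # Reject empty or out-of-range selections instead of hashing a short slice.
    if length == 0 or offset + length > len(ua):
        raise EntitlementError("requested UA part is out of range")
    ua_star = hashlib.sha256(ua[offset : offset + length]).digest()
    return ua_star[:out_len]  # claim 5: only a part of UA* goes to the receiver


# Constructed sample data: a 6-byte UA, and a message holding one unrelated
# field (tag 0x10) followed by Cmd asking for 4 bytes of UA from offset 2.
SAMPLE_UA = bytes.fromhex("00a1b2c3d4e5")
SAMPLE_MSG = bytes([0x10, 0x02, 0xAA, 0xBB, CMD_TAG, 0x02, 0x02, 0x04])

if __name__ == "__main__":
    print(process_command(SAMPLE_MSG, SAMPLE_UA).hex())
```
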
IES20110508 2011-01-03 2011-11-21 Process for retrieving an identifier of a security module IES20110508A2 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US201161429196P 2011-01-03 2011-01-03

Publications (1)

Publication Number Publication Date
IES20110508A2 (en) 2012-06-20

Family

ID=46489127

Family Applications (1)

Application Number Title Priority Date Filing Date
IES20110508 IES20110508A2 (en) 2011-01-03 2011-11-21 Process for retrieving an identifier of a security module

Country Status (1)

Country Link
IE (1) IES20110508A2 (en)

Similar Documents

Publication Publication Date Title
US11288462B2 (en) Dual purpose press-bar and heat sink for high data transfer integrated circuit card reader
US9215505B2 (en) Method and system for secure processing a stream of encrypted digital audio/video data
US20090316892A1 (en) Crypto micro-module using IEEE 1394 for stream descrambling
EP2391126B1 (en) Security method for preventing the unauthorized use of multimedia contents
US20060056632A1 (en) Data transmission method between a broadcasting center and a multimedia unit
CA2897961C (en) Enhanced smartcard reader with multi-level reading contacts
CA2977516C (en) High data transfer smart card reader with heat sink
US8782767B2 (en) Upgradable security module
EP2645729A1 (en) Security device for Pay-TV receiver/decoder
KR101280740B1 (en) Method to secure access to audio/video content in a decoding unit
KR20070064630A (en) Method for transmitting management messages by a management center addressed to a plurality in multimedia units
IES20110508A2 (en) Process for retrieving an identifier of a security module
IES86015Y1 (en) Process for retrieving an identifier of a security module
IE20110508U1 (en) Process for retrieving an identifier of a security module
JP2004062800A (en) Ic card slot extension module

Legal Events

Date Code Title Description
MM4A Patent lapsed