KR100950422B1 - A source authentification method for ip tv system - Google Patents

Abstract

A source authentication method for an IP TV system according to the present invention is an IP TV source authentication method for verifying the validity of an ECM by sending an ECM signed by a service provider to a CAS module and verifying the signature of the ECM. An ECM Payload, a hash value H (root) for the root, and a signature, wherein the H (root) is calculated using a Merkle Tree (MT); The IP TV source authentication method, wherein the service provider generates an MT using a hash value of a TS (content) to be transmitted between the ECM and the ECM as an end node; The service provider signs the ECM Payload (ECM Payload), which is the main data of the ECM, and the hash value (H (root)) for the root value (root) of the MT; The service provider sends to the CAS module 1 a modified ECM consisting of an ECM Payload, a hash value H (root) for the root value (root), and a signature; Sending sibling nodes with the TS while transmitting the TS configured the MT; The recipient of the transmitted ECM confirms the source authentication of the ECM to confirm that the values included in the ECM are from a normal service provider; The receiver recovers the route of MT by using the received TS and sibling node, calculates a hash value, and verifies the TS by comparing the hash value of the route transmitted through the ECM; When the verification of the TS is completed, it is characterized in that the content is obtained by decoding the TS using the CW obtained from the ECM.

Description

A SOURCE AUTHENTIFICATION METHOD FOR IP TV SYSTEM}

The present invention relates to a security vulnerability of an IP-TV system, and more particularly, to a source authentication method for an IP TV system that provides source authentication for a data stream transmitted by a service provider of an IP-TV service.

Current CAS supports content access control through subscriber authentication, but does not provide any authentication for data provided by service providers. Thus, an attacker can tamper with data, which exposes the IP-TV system to serious security threats.

1 is a general configuration of a receiver access control technology of an IP-TV system using a CAS, and the security module of the IP-TV system implements receiver access control of an IP-TV system using a CAS.

The CAS (Conditional Access System) protects the data stream through scrambling and descrambling to control access to the user's content, so that only valid subscribers can use the content. The CAS is composed of an encryption technique for protecting a service from an unauthorized receiver and a scrambling technique for preventing an illegal user.

In general, the service provider performs content scrambling to modify the original signal so that the subscriber receives the content from the content provider and uses the data stream, that is, the TS (Transport Stream). Receiving subscriber generates the original signal from the received scrambled TS. This process is called descrambling. In addition, a random value called CW (Control Word) is used for scrambling and descrambling. This value is updated at a very fast cycle because security is provided through CW.

Referring to FIG. 1, the CW of the message unit 4 is used for scrambling and descrambling of the data stream transmitted from the service provider 2 in FIG. 1, that is, to prevent an illegal user from obtaining a CW. In the encryption unit 4-1, the CW value is encrypted by the AK (Authorization Key), which is an encryption key, and a signature is signed for an Entitlement Control Message (ECM) including the encrypted CW value, and the signed ECM is encrypted. It is sent to the ECM authentication unit 1-1 of the CAS module 1 with the CW value.

The AK is encrypted by an AK encryption unit 4-2 of the message unit 4 by a master private key (MPK), which is an encryption key, and a signature is signed for an EMM (Entitlement Management Message) including the encrypted AK value. The signed EMM is sent to the EMM authentication unit 1-2 of the CAS module 1 together with the encrypted AK value and delivered to the subscriber.

Subsequently, the first decryption unit 1-3 of the CAS module 1 completes the MPK from the smart card manager 3-2 of the set-top box 3 and the EMM authentication from the EMM authentication unit 1-2. The MPK encrypted AK signal E _MPK (AK) is received and decrypted, and then AK is sent to the second decryption unit 1-4. Then, the second decryption unit 1-4 of the CAS module 1 includes the E _AK (CW) encrypted with ECM-certified AK from the ECM authentication unit 1-1, and the first decryption unit 1-3. AK from) is validated and decrypted to verify the validity of CW.

The value of the EMM is sent to the subscriber in a relatively long period. The service provider 2 generates a corresponding MPK for the subscriber and stores this value in the smart card 3-1 of the subscriber set-top box 3. ECM is inserted between actual data streams. In general, ECM and EMM are important messages for service security, so the service provider digitally signs and sends them together, and the subscriber verifies the validity of the ECM and EMM by verifying the signature.

As such, the current IP-TV system only verifies and verifies CW through scrambling and descrambling of the data stream, and does not provide source authentication for the transmitted stream. Even though the service provider has sent normal data, even if the receiver has been harmed by the manipulated data, there is no evidence that such manipulated data has been transmitted from the service provider.

The present invention has been invented in view of the above, and in order to solve the security vulnerability of the IP-TV system, to provide a source authentication for the data stream transmitted by the service provider of the IP-TV service for the IP TV system The purpose is to provide a source authentication method.

The source authentication method for the IP TV system according to the present invention for achieving the above object is an IP TV source authentication method for verifying the validity of the ECM by sending the ECM signed by the service provider to the CAS module to verify the signature of the ECM The ECM comprises an ECM Payload, a hash value H (root) for the root, and a signature, and the H (root) represents an MT (Merkle Tree). Calculated using; The IP TV source authentication method, wherein the service provider generates an MT using a hash value of a TS (content) to be transmitted between the ECM and the ECM as an end node; The service provider signs the ECM Payload (ECM Payload), which is the main data of the ECM, and the hash value (H (root)) for the root value (root) of the MT; The service provider sends to the CAS module 1 a modified ECM consisting of an ECM Payload, a hash value H (root) for the root value (root), and a signature; Sending sibling nodes with the TS while transmitting the TS configured the MT; The recipient of the transmitted ECM confirms the source authentication of the ECM to confirm that the values included in the ECM are from a normal service provider; The receiver recovers the route of MT by using the received TS and sibling node, calculates a hash value, and verifies the TS by comparing the hash value of the route transmitted through the ECM; When the verification of the TS is completed, it is characterized in that the content is obtained by decoding the TS using the CW obtained from the ECM.

The most reliable source authentication method is to sign every packet forwarded, but this is not suitable for real-time services. Therefore, since the source authentication method according to the present invention uses the ECM of the existing CAS as it is, it additionally minimizes the resources required for signing and minimizes the overhead for authenticating the packet using a hash function. Done. In addition, by attaching sibling nodes to each packet, it is possible to perform authentication of the remaining packets even if a part of the packet stream is lost.

In addition, since the source authentication method according to the present invention receives the hash value for the root of the tree together with the ECM, it is possible to authenticate the source after a few operations on the packet received by the subscriber. Thus, no buffering is required, and DoS attacks can be prevented.

On the other hand, when applying the TESLA protocol to IP-TV, time synchronization is essential, but due to the nature of the IP-TV system, due to the fast changing subscribers, time synchronization must be continuously updated, and TESLA is in the middle of transmitting data streams. It's not easy to keep time synchronization in order. However, the source authentication method according to the present invention does not require time synchronization at all, and is scalable because source authentication can be provided regardless of the rapidly changing number of subscribers, which is good as the demand for IP-TV increases. This is a big advantage of the proposed source authentication method.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

In the present invention, the ECM payload shown in FIG. 3 instead of the ECM in the general CAS configuration shown in FIG. The ECM ₁ is used, and the H (root) is calculated using a MT (Merkle Tree).

2 is a view illustrating a source authentication method proposed for a broadcast or multicast environment as a structure of a merkle tree (MT) according to the present invention.

In general, for source authentication, a symmetric key shared by the sender and the receiver or an electronic signature method using an asymmetric key is used. However, for source authentication in group communication, n PSKs must be shared between one sender and the remaining n group members. This method has a problem in that it cannot be applied when sending a message through broadcasting. Thus, digital signatures are generally used for source authentication for broadcast messages.

However, because the digital signature method requires a lot of calculations for both the signer and the verifier, there is a large delay in verifying the data stream. Therefore, in the case of real-time broadcasting such as IP-TV, such a delay results in a deterioration of service quality, and thus an efficient source authentication method is required.

To this end, the minimum number of digital signatures must be used to provide real-time services by minimizing the number of signature verifications. In addition, packet authentication should be provided regardless of packet loss, and in case of dispute after data transmission, a non-repudiation service for non-repudiation of data transmission should be provided.

Accordingly, the present invention provides source authentication for a data stream supplied from a service provider using a Merkle Tree (MT) to satisfy the above requirement.

That is, IP TV uses CAS for receiver control, the biggest function of CAS is to encrypt content. Therefore, only an authorized user can obtain this encryption key, and the service can be normally used by decrypting the content using this key.

To provide this functionality, a control message called ECM is used, which is periodically transmitted between the data (TS) to be transmitted.

In addition, because the ECM contains the content encryption key, the message cannot be used by the recipient if the message is tampered with by an attacker. This is because if you get an invalid key and decrypt it, you get an incorrect value. Therefore, the ECM is signed by the sender (service provider). In other words, the present invention provides a source authentication for the content transmitted by the sender by using this feature since the ECM is periodically transmitted and the ECM is signed by the sender.

The MT shown in FIG. 2 is a binary tree that provides authentication for end nodes, and uses a hash function and concatenation to form a tree.

First, the hash values H1, H2, ----, H7, and H8 of each packet P1, P2, P7 and P8 are obtained, and this value (H1, H2, ----, H7). , H8) are configured as end nodes of the tree. After connecting each pair of end nodes, hash values (H1, 2, H3, 4, H5, 6, H7, 8) are obtained again. This value (H1,2, H3,4, H5,6, H7,8) becomes the parent node of the pair of end nodes and iteratively applies this method to calculate the root of the tree. The message sender (service provider) signs this root value and passes the root value and signature to the receiver. The sender sends sibling nodes to the route along with the packet, and the receiver uses these packets and sibling nodes to restore the MT's route. This value is then compared with the route value received from the sender to verify the source of the packet. Since MT uses a fast hash function, MT can minimize the time required to authenticate a packet, and even if there is a packet loss, the remaining packet can be authenticated.

3 is a diagram illustrating a stream transmission method of a source authentication method proposed in accordance with the present invention, wherein a sender configures an MT for a packet group to be transmitted, and a hash value (H (root) for a root value (root) of the MT. )) Is transmitted along with the ECM payload and signature.

For example, when the sender configures the MT as shown in FIG. 2 and transmits the packet TS ₁ (packet P1 in FIG. 2), TS ₁ , which is an actual data packet, and H2, H3, 4, H5, which are sibling nodes to the root path, Send 8 together.

Specifically, the sender (service provider) first generates an MT using TSs (contents) between ECMs, and then ECM payload and ECM payload, which are the main data of ECM ₁ , and the root of the MT. The signed ECM is signed for the hash value (H (root)), followed by the ECM payload, the hash value (H) for the root value (root), and the signature. Send ₁ Subsequently, the TS configuring the MT is transmitted. At this time, sibling nodes (eg, H2, H3, 4, H5, and 8) are transmitted together with the TS.

Here, the ECM and the EMM are signed by the service provider. Also, since the period of the ECM is much shorter than that of the EMM, it is more suitable to authenticate the data stream using the ECM. To this end, the MT is configured with the hash value of the TS to be transmitted between the ECM and the ECM as an end node as described above, and the hash value (H (root)) of the root value (root) of the ECM is used to authenticate the root of the MT. It is sent with the packet, and by signing these values, you can get the signed effect for every packet between the ECM and the ECM. The service provider attaches sibling nodes to the root path so that the root can be restored to the data stream between the ECMs, that is, the TS.

Next, the receiver restores the route by using the transmitted TS and sibling nodes. First, the receiver compares the route with the received ECM and authenticates the source. That is, the receiver receives the ECM and checks whether the ECM is from a normal sender. If the receiver is from a normal sender, all data in the ECM is verified. Subsequently, the TS transmitted after the ECM is verified. The verification method restores the route of the MT using the TS and the sibling node, and compares the route with the route transmitted with the ECM. If it is different, it checks the data from the attacker and discards the TS.

That is, each subscriber who has received the TS and its sibling nodes restores the route again using the TS and its sibling nodes received, calculates the hash value, and compares it with the hash value of the route passed through the ECM. You can check whether the data stream came from an authorized service provider. If it is not the same, the TS is discarded without buffering.

Finally, when the verification of the TS is completed, the content can be used by decoding the TS using the CW obtained from the ECM.

In Figure 3, H (root) is the hash value for the root, Signature is the ECM and the signature for H (root), and W _n is the value of sibling nodes for the n th TS. With this minimum signature, the entire packet can be signed, and source authentication can be performed for all received packets, regardless of whether they are lost. In addition, since there is no need for buffering for authentication, DoS (Denial of Service) attacks can be prevented.

4 is a diagram schematically illustrating a flow of a proposed source authentication method according to the present invention.

The service provider configures the MT for TS (m ₁ packet) between ECM intervals (period ECM) to provide source authentication service for the provided data stream, and then signs the MT with the ECM root value. (tree (m ₁ ) + sign), which sends a new ECM (ie ECM payload, root value, and signature). Thereafter, the service provider transmits the transmitting TS together with sibling nodes for the TS. The recipient can verify the source and integrity of the ECM through signature verification. This process ensures the source and integrity of all values in the ECM (ECM payload, root value). In addition, by regenerating a root value using a sibling node for the TS transmitted later, it is possible to confirm the source and integrity of the transmitted TS by comparing the root value of which the source is authenticated.

1 is a general configuration of a receiver access control technology of an IP-TV system using a CAS, a method of implementing a source authentication method of an IP-TV system using a security module of an IP-TV system using a CAS;

2 is a diagram illustrating a source authentication method proposed for a broadcast or multicast environment as a structure of a merkle tree (MT) according to the present invention;

3 is a diagram illustrating a stream transmission method of a proposed source authentication method according to the present invention;

4 is a diagram schematically illustrating a flow of a proposed source authentication method according to the present invention.

Claims (1)

In the IP TV source authentication method for verifying the validity of the ECM by sending the ECM signed by the service provider to the CAS module to verify the signature of the ECM, The ECM consists of an ECM Payload, a hash value H (root) and a signature for the root, and the H (root) uses a Merkle Tree (MT). Is calculated; The IP TV source authentication method, The service provider generates an MT using a hash value of a TS (content) to be transmitted between the ECM and the ECM as an end node; The service provider signs the ECM Payload (ECM Payload), which is the main data of the ECM, and the hash value (H (root)) for the root value (root) of the MT; The service provider sends to the CAS module 1 a modified ECM consisting of an ECM Payload, a hash value H (root) for the root value (root), and a signature; Sending sibling nodes with the TS while transmitting the TS configured the MT; The recipient of the transmitted ECM confirms the source authentication of the ECM to confirm that the values included in the ECM are from a normal service provider; The receiver recovers the route of MT by using the received TS and sibling node, calculates a hash value, and verifies the TS by comparing the hash value of the route transmitted through the ECM; When the verification of the TS is completed, the source authentication method for the IP TV system, characterized in that the content is obtained by decrypting the TS using the CW obtained from the ECM.

Images