KR102190886B1 - Protection of Control Words in Conditional Access System - Google Patents

Abstract

The present invention relates to control word protection in conditional access systems. According to an aspect of the present embodiment, a method for safely obtaining a control word for descrambled content transmitted from a content delivery network in a chipset of a receiver is provided.

Description

Protection of Control Words in Conditional Access System

The present invention relates to a conditional access system.

The content described in this section merely provides background information on the present embodiment and does not constitute the prior art.

Conditional access systems are widely used in connection with various types of content delivery services. Such a system provides secure transmission of a content stream to, for example, a digital receiving device included in a mobile terminal or a set-top box supporting a content delivery service. In order to protect the content from unauthorized viewing, the data packets of the stream are scrambled (encrypted) with randomly generated encryption keys, typically referred to as control words. To enhance the security of the stream, the control word is periodically changed.

In order to de-scramble the scrambled data packet in the transport stream, the receiver must be informed of the current value of the control word. For the secure transmission of control words, the control words are transmitted to the receiver in encrypted form using so-called entitlement control messages (ECMs). To process ECMs, Entitlement Management Messages (EMMs) transmit and manage keys required for decryption of ECMs. The ECM and EMM information streams are transmitted to the receiver, and the receiver decodes the EMM and ECM, and descrambles the content to a qualified subscriber.

Content providers encrypt their digital content and use a content protection system to protect the content from unauthorized access. To this end, the content receiver includes a chipset that implements one or more content decoding operations. Cryptographic key establishment protocol is used to securely transmit content decryption keys from a content protection system to a chipset included in a content receiver. Some of the steps of the encryption key establishment protocol implemented within the content receiver's chipset are commonly referred to as "key ladder". In this regard, ETSI (European Telecommunications Standards Institute) is discussing the standardization of "Embedded Common Interface for exchangeable CA/DRM solutions (ECI)" as a group standard.

The main object of the present embodiment is to provide a protocol or method for protecting a control word in a conditional access system.

According to an aspect of the present embodiment, a method for safely acquiring a control word (CW) for descrambled content transmitted from a content delivery network in a chipset of a receiver is provided.

The method includes receiving a secure version of a link key (LK) from the processor 210 of the receiver communicatively connected to the chipset. The secure version of the link key is encrypted with a public key (CPK) associated with the chipset to protect the confidentiality of the link key, and a signature key associated with the sender is used to protect the authenticity of the link key. And signed.

The method is a process of using a secret key (CSK) associated with the chipset and a signature verification key (SPK) corresponding to the signing key (SSK) to obtain the link key (LK) from the secure version of the link key. And, receiving a secure version of provisioning data from the processor 210. The provisioning data includes a bit string (CW-URI) defining usage rule information (URI) for the control word CW. The security version of the provisioning data is a message authentication code (MAC) added using the link key (LK) or a key derived from the link key to protect the authenticity of the provisioning data, or the sender and It is signed using the associated signing key (SSK).

The method includes a process of using a signature verification key (SPK) corresponding to the link key (LK) or the signing key (SSK), and receiving a secure version of a virtual control word (r) from the processor 210. The process further includes a process of using the obtained link key LK to obtain a virtual control word r from the secure version of the virtual control word r. The method further includes using, from an input, a cryptographic function (h) to generate the control word (CW). Here, the input includes the virtual control word (r), the signature verification key (SPK), and the provisioning data.

Embodiments of the method may further include one or more of the following features.

In some embodiments, the provisioning data further includes a bit string τ _b representing the presence or absence of associated data and a bit string AD representing application data.

In some embodiments, the provisioning data includes at least one of i) a bit string (CW-URI) defining usage rule information for the control word (CW), and ii) a bit string (AD) representing application data. It is configured to include "optionally", and the provisioning data further includes a bit string (flag _b ) defining whether each bit string is included.

In some embodiments, the secure version of the link key LK includes: i) a unique chipset-ID associated with the chipset, and ii) a link encrypted using a public key (CPK) associated with the chipset. A key LK and iii) a signature generated from the chipset ID and the encrypted link key LK using the signature key associated with the sender.

In some embodiments, the process of obtaining the link key LK includes: i) verifying the signature using a signature verification key (SPK) corresponding to the signature key (SSK), and ii) the chipset and It includes a process of decrypting the encrypted link key LK by using the related secret key CSK.

In some embodiments, the method includes a process of receiving a plurality of signature verification keys from the processor 210 and a signature included in the secure version of the link key LK by using one of the received signature verification keys. It further includes a verification process. Here, each signature verification key is associated with a corresponding conditional access/digital rights management system.

In some embodiments, the method comprises the chipset for use in decrypting the secure version of the virtual control word r received by the chipset and to verify the authenticity of the secure version of the provisioning data. The process of storing the link key LK obtained from the obtained link key LK is further included.

In some embodiments, the method further includes determining whether a message authentication code matches a message authentication code added to the secure version of the provisioning data using the stored link key LK. If it is determined that the message authentication code does not match the message authentication code added to the secure version of the provisioning data using the stored link key LK, the chipset is the secure version of the virtual control word r. The link key LK is not used to obtain the virtual control word r from.

In some embodiments, the provisioning data includes: i) a bit string (CW-URI) defining usage rule information for the control word (CW), and ii) a bit string (AD) representing application data. The secure version of the provisioning data includes a first message to which the message authentication code is added to a bit string (CW-URI) defining usage rule information for the control word CW, and a bit string representing the application data ( AD) includes a second message to which the message authentication code is added. Alternatively, in the secure version of the provisioning data, a signature using a signature key (SSK) associated with the sender is added to a bit string (CW-URI) defining usage rule information for the control word (CW). One message includes a second message to which a signature using a signature key (SSK) associated with the sender is added to the bit string AD indicating the application data.

In some embodiments, the method includes a process of receiving a plurality of signature verification keys from the processor 210, and among the received signature verification keys, a signature used to verify the authenticity of the secure version of the link key LK. And providing a verification key as an input of the encryption function h. Here, each signature verification key is associated with a corresponding conditional access/digital rights management system.

The method can be implemented as a computer-readable code stored in a computer-readable recording medium.

As described above, according to this embodiment, it is possible for the chipset of the receiver of the conditional access system to safely receive control words from the headend system in the content delivery network.

1 is a schematic diagram of an exemplary system according to an embodiment of the present invention.
2 is a diagram schematically showing a method of establishing a decryption key performed in a chipset of a content receiver according to an embodiment of the present invention.
3 is a diagram schematically showing a MAC algorithm implemented in a key ladder block according to an embodiment of the present invention.
4A to 4D are diagrams schematically showing other embodiments of a method for establishing a decryption key performed in a chipset of a content receiver according to the present invention.
5 is a flowchart illustrating a method of establishing a decryption key performed in a chipset of a content receiver according to an embodiment of the present invention.

Hereinafter, some embodiments of the present invention will be described in detail through exemplary drawings. In adding reference numerals to elements of each drawing, it should be noted that the same elements are assigned the same numerals as possible even if they are indicated on different drawings. In addition, in describing the present invention, if it is determined that a detailed description of a related known configuration or function may obscure the subject matter of the present invention, a detailed description thereof will be omitted.

In addition, in describing the constituent elements of the present invention, terms such as first, second, A, B, (a), (b) may be used. These terms are only used to distinguish the component from other components, and the nature, order, or order of the component is not limited by the term. Throughout the specification, when a part'includes' or'includes' a certain element, it means that other elements may be further included rather than excluding other elements unless otherwise stated. . In addition, the'... Terms such as'sub' and'module' mean a unit that processes at least one function or operation, which may be implemented by hardware or software or a combination of hardware and software.

1 is a schematic diagram of an exemplary system according to an embodiment of the present invention. The system 7 comprises a head-end system 4 arranged to communicate with one or more content receivers 2 via a distribution network 6.

Content providers encrypt their digital content and use the head-end system 4 to protect the content from unauthorized access. The head-end system 4 transmits the scrambled content stream (ie, {content} _CW ) to the content receiver 2 through the distribution network 6 using one or more control words ( _CW ). The head-end system 4 transmits and manages encrypted control words through the distribution network 6 and keys required for decryption of the control word (hereinafter referred to as'descrambling information'). The distribution network 6 may be any network that delivers or broadcasts the descrambling information and the scrambled content stream to the content receiver 2. For example, the distribution network 6 may include a cable network, a satellite communication network, a terrestrial broadcasting network, and the Internet.

The scrambled content stream may include any kind of video data, audio data, image data, text data, application/software data, program guide data, and the like.

The content receiver 2 may be any client device that receives descrambling information and a scrambled content stream. For example, the content receiver 2 may be a set-top box, a receiver integrated in a content output device (eg, TV, radio), a mobile terminal supporting a broadcast service, a personal computer, or the like. The content receiver 2 may include or be communicatively connected to a device (eg, a screen, a speaker, etc.) for outputting or playing descrambled and decoded content to a user.

The content receiver 2 includes a chip set 1 that implements one or more content decoding operations. Cryptographic key establishment protocol is used to securely transmit content decryption keys from the head-end system 4 to the chipset 1 included in the content receiver 2. The content receiver 2 uses the method described in connection with FIGS. 2 and 3.

2 is a diagram schematically showing a method of establishing a decryption key performed in a chipset of a content receiver according to an embodiment of the present invention. The method shown in FIG. 2 is some steps of an encryption key establishment protocol implemented in a chipset of a content receiver, and is commonly referred to as a "key ladder".

A block implementing a key ladder in a chipset is referred to as a'key ladder block' 210. The chipset is personalized with a unique Chipset-ID (221) and a Chipset Secret/private Key (CSK) 223). The chipset-ID and CSK can be stored in memory devices within the chipset.

One of the outputs of the key ladder block 220 is a control word marked CW. The control word is used for one of content decryption and content encryption. The second output of the key ladder block 220 is a bit string marked CW-URI. CW-URI defines Usage Rules Information (URI) for CW. CW and CW-URI are input to a content descrambler (not shown). The CW-URI has a predefined length (eg, 64 bits), and each bit is numbered from left to right (from 0 to 63). The value of CW-URI defines the allowed usage for CW, as in the table of FIG. 6. If the value of the bit is 1, the defined use is allowed, and if it is 0, it is not. The content descrambler is implemented to use the CW according to the usage defined by the received CW-URI.

The key ladder block 220 interfaces with the processor 210 of the content receiver. For example, the processor 210 may be a security processor or a CPU of a content receiving device. As shown in FIG. 2, the processor 210 has read-access to the chipset-ID 221. This enables a content provider to identify a chipset and obtain a public key certificate including a Chipset Public Key (CPK) from an authentication authority. As described below, the value of CPK must be known to the key ladder in order to calculate one of the input messages.

The key pair (CSK, CPK) is associated with a public key encryption scheme. The corresponding encryption and decryption operations are denoted by E and D 224, respectively. E and D each have two inputs, a key input and a message input. In this specification, it is assumed that the first input of these operations is a key. For example, encryption of the message M using the chipset public key (CPK) is denoted as E(CPK, M).

The key ladder also uses an electronic signature method. S and V 222 represent a signature generation operation and a signature verification operation, respectively. The key pair of the electronic signature scheme is associated with the sender and consists of the sender's secret/private key (SSK) and the sender's public key (SPK). In this specification, it is assumed that the sender is a content protection system. As shown in FIG. 2, a plurality of different SPKs denoted as SPK ₁ , SPK ₂ , ..., SPK _M (m ≥ 1) are input to the key ladder block 220. Each key pair (SSK _i , SPK _i ) will typically be associated with one content protection system, but one key pair may be shared among multiple systems.

SPK-URI is associated with SPK ₁ , SPK ₂ , ..., SPK _M. The SPK-URI input to the key ladder block 220 defines usage rules information (URI) for SPK ₁ , SPK ₂ , ..., SPK _M. As shown in Fig. 2, one of the SPKs and the verification operation V are input messages (chipset-ID || E(CPK, LK) || S(SSK _i , chipset-ID || E(CPK, LK))). ) Is used to verify the signature. In FIG. 2, it is assumed that'i = 2, and SPK-URI and usage rules allow that SPK ₂ is used for signature verification'.

The key ladder also implements a symmetric encryption scheme. Encryption and decryption operations of this method are denoted by e and d (225), respectively. The key ladder uses a link key (LK) as the key in this method, and a random number r as a message. The random number r is expressed as a bit string, and its length is a predefined size (eg, 128 bits). In this specification, the random number r will be referred to as a'virtual control word'.

Key ladder implements the Message Authentication Code (MAC) algorithm. The key ladder uses the link key (LK) or a key derived from the link key as a key in this manner, and uses CW-URI, and AD as input messages. The output of mac is a tag T of a preset length. The key ladder guarantees the integrity and authenticity of some of the inputs (CW-URI, and AD) for the key ladder block by using the MAC algorithm. In FIG. 2, the MAC operation marked as'MAC' 226 is used to verify the tag (T) of the message (CW-URI || AD || T) input to the key ladder block. A detailed description of the MAC operation 226 implemented in the key ladder block will be described later with reference to FIG. 3. In this specification, some of the inputs to the key ladder block (CW-URI, and AD) will be referred to as'provisioning data'.

The length of the application data (AD) is defined in advance (eg, 256 bits). Detailed specifications of AD are outside the scope of this specification, and in this specification, it is assumed that the key ladder block does not process AD except for providing AD as an input of h. The key ladder block can deliver AD or part of AD, along with CW-URI and CW, to the content descrambler.

Key ladder blocks have different inputs τ _b whose length is predefined (eg, 8 bits). The value of the bit string τ _b indicates the presence or absence of associated data. The sender can, optionally, send e(LK _t , r) as well as related data to the key ladder. When τ, which is an integer expression of τ _b , is 0, related data does not exist.

Finally, the key ladder block implements the function h(227). This function is based on a cryptographic hash function. The input of h(227) in the key ladder is CW-URI, τb, AD, SPK-URI, SPK ₁ , SPK ₂ , ..., SPK _m and r. If the above inputs are not received by the key ladder block 220, or the length of the input is not equal to a predefined size, the key ladder block 220 stops the operation. Otherwise, the function h 227 first applies an I2BSP data conversion primitive to each of the SPK inputs. Here, the I2BSP data conversion primitive is a primitive that converts an integer into a bit string. For example, the function I2BSP(x) inputs x, which is an integer of 2048 bits, and outputs a bit string having a length of 2048. Next, the function h concatenates the bit strings representing its inputs as follows to obtain the message M.

M = r || CW-URI || τ _b || AD || SPK-URI || I2BSP(SPK ₁ ) || I2BSP(SPK ₂ ) || ... || I2BSP(SPK _m )

Each of the above inputs has a predefined length. The function h 227 performs a predefined hash operation (eg, SHA-256(M)) and delivers a truncated message digest (eg, 256 bits) to the content descrambler. If the length of the CW is N bits, the content descrambler reduces the output of h (227) to N bits.

3 is a diagram schematically showing a MAC algorithm implemented in a key ladder block according to an embodiment of the present invention.

The block 266 implementing the MAC algorithm receives the link key LK, and "CW-URI || AD || T'", and outputs CW-URI and AD. The MAC key MK' is generated by encrypting a 128-bit bit string using the link key LK. This encryption operation is denoted by e (311) in FIG. 3. The 128-bit bit string illustrated in FIG. 3 is composed of 127 '0' bits and one '1' bit (rightmost bit). In FIG. 3, a MAC operation denoted by v 312 uses a key (MK') derived from a link key as a MAC key, and uses "CW-URI || AD || T'" as an input message. If the verification of the tag T'is successful, v 312 outputs CW-URI and AD. More specific details about the MAC algorithm are described in, for example, ISO/IEC 9797-1: 2011: "Information technology-Security techniques-Message Authentication Codes (MACs)-Part 1: Mechanisms using a block cipher".

In the following, key ladder operations will be described.

The sender associated with a key pair goes through the following steps, a signed first input message, i.e. (chipset-ID || E(CPK, LK) || S(SSK _i , chipset-ID || E(CPK , LK))) can be created.

■ Sender side calculation

1. Generate link key LK

2. Calculate the ciphertext E (CPK, LK)

3. Connect chipset-ID and E(CPK, LK); The concatenated bit string is denoted as (chipset-ID || E (CPK, LK)).

4. Sign the bit string (chipset-ID || E(CPK, LK)) using SSKi. The signature is denoted as S(SSK _i , chipset-ID || E(CPK, LK))).

5. Add the above signature to the bit string (chipset-ID || E(CPK, LK))

After receiving the signed first input message and the sender's public key SPK _i , the key ladder block performs the following process to generate LK. The calculated link key LK may be stored in a memory device in the chipset.

■ Key ladder block side calculation

1. Verify that the received chipset-ID is the same as the stored chipset-ID. If these two values are not the same, the key ladder block stops the operation.

2. Confirm that the SPK-URI and usage rules'allow V to use SPK _i to verify signature'. If not allowed, the key ladder block stops the operation.

3. Use the received'Signed First Input Message' and SPK _i to verify the signature. If the signature is invalid, the key ladder block stops the operation.

4. Calculate LK = D(CSK, E (CPK, LK))

Next, the key ladder block uses LK to process the input message e(LK, r). The sender generates the message e(LK, r) using the following steps.

■ Sender side calculation

1. Generate random bit string r

2. Calculate e(LK, r)

After receiving e(LK, r) and calculating LK, the key ladder block calculates r using the following steps.

■ Key ladder block side calculation

1.r = D(LK, e(LK, r))

Next, the key ladder block uses the link key (LK) or a key derived from the link key as the MAC key (MK') to verify the integrity of provisioning data to which the MAC-tag T'is connected. The following illustrated operation assumes that a key derived from the link key LK is used. The sender uses the following steps to create an input message concatenated with tag T', that is, CW-URI || AD || Create T'.

■ Sender side calculation

1.Calculate MK' = e(LK, 0000...1)

2. Calculate T'= mac(MK',　CW-URI || AD)

3. The calculated tag T'is a bit string CW-URI || Connected to AD

After receiving the message "CW-URI || AD || T'", the key ladder block is CW-URI || Verifies the authenticity of AD.

■ Key ladder block side calculation

1.Calculate MK' = e(LK, 0000...1)

2. Calculate T'= mac(MK',　CW-URI || AD)

3. Verify that the received T'and the calculated T'are the same. If these two values are not the same, the key ladder block stops calculating.

4. If verification passes, CW-URI and AD are retrieved from the received message and delivered to h.

Next, the key ladder block uses the function h to calculate the control word CW. As shown in FIG. 2, the inputs of h are CW-URI, τ _b , AD, SPK-URI, SPK ₁ , SPK ₂ , ..., SPK _m , and r. The implementation of the key ladder must ensure that the public key used to verify the authenticity of the signed input message is provided to h as one of the SPKs when CW is derived from r.

Next, the key ladder block delivers CW-URI and CW to the content descrambler.

As described above, the key ladder block has various types of inputs such as CW-URI, AD, τ _b , SPK-URL, SPKs, LK, Chipset-ID, and the like. Here, some inputs such as LK and Chipset-ID are transmitted from the sender to the key ladder block with encryption and electronic signature techniques applied. Also, some other inputs to the key ladder block (CW-URI, and AD) are transmitted from the sender to the key ladder block with the MAC tag attached. On the other hand, SPKs and SPK-URLs can be transferred from the sender to the key ladder block without involving any cryptographic schemes, considering their intrinsic characteristics. If tampering occurs in unprotected SPKs or SPK-URL, the control word (CW) is not generated. Therefore, the ultimate content protection system to protect the content from unauthorized viewing by the use of SPKs and SPK-URL itself. It is worth noting that the phosphorus purpose can be achieved. Similarly, since τ _b can also be verified using a verification routine of associated data, no authentication technique may be added to τ _b .

4A to 4D are diagrams schematically showing other embodiments of a method for establishing a decryption key performed in a chipset of a content receiver according to the present invention.

In the key ladder described with reference to FIG. 2, it has been described on the premise that provisioning data includes CW-URI and AD. Alternatively, at least one of the CW-URI and AD may be selectively included in provisioning data. In addition, in the embodiment of Fig. 2, the authenticity of the CW-URI and AD is guaranteed by the MAC tag. In contrast, the authenticity of the CW-URI and AD can be protected in a manner similar to the link key LK (ie, digital signature using SSK). These modified examples will be described with reference to FIGS. 4A to 4D.

Referring to FIG. 4A, in some exemplary embodiments, provisioning data selectively includes the two factors (CW-URI, and AD), and further includes a flag flag _b indicating whether these factors are included. In this case, the MAC operation marked as'MAC' 226 in FIG. 2 is a tag (T') included in a message in the form of "flag _b || CW-URI (optional) || AD (optional) || T'" Is used to verify. flag _b is a bit string (eg, 8 bits) whose length is defined in advance. For example, the rightmost two bit values of flag _b may be designated to indicate the presence or absence of CW-URI and AD, respectively. If the flag _b value is '0000 011', the provisioning data consists of a flag _b , a CW-URI, and a bit string to which AD is concatenated (eg, "flag _b || CW-URI || AD"). If the flag _b value is '0000 010', the provisioning data is composed of a bit string (eg, "flag _b || CW-URI") to which the flag _b and CW-URI are concatenated.

In another embodiment, the CW-URI and AD may each be delivered in separate secured messages. Referring to FIG. 4B, the security version of CW-URI and the security version of AD are input to the key ladder block. The security version of CW-URI is a form in which a MAC tag (T') of a preset length is added to the bit string CW-URI. The security version of AD is a form in which a MAC tag (T') of a preset length is added to the bit string AD. The security version of the CW-URI and the security version of the AD are each verified with a tag T'by the MAC operation illustrated in FIG. 3.

In another embodiment, the provisioning data is transferred from the sender to the key ladder block in the form of appending a signature using SSK _i . Referring to FIG. 4C, provisioning data is configured in the form of "flag _b || CW-URI (optional) || AD (optional)" (this is the same as in FIG. 4A). This provisioning data is delivered to the key ladder block from the sender in the form of S(SSk _i , flag _b || CW-URI || AD) appended to the signature using SSK _i . In the key ladder block 220, an input message (flag _b || CW-URI || AD || S(SSk _i , flag _b || CW-URI || AD) is performed using one of the SPKs and the verification operation V. ))'S signature is verified.

In another embodiment, the CW-URI and AD may each be delivered in separate secured messages. Referring to FIG. 4D, the security version of CW-URI and the security version of AD are input into the key ladder block. The security version of CW-URI is a form in which a signature using SSK _i is added to the bit string CW-URI. The security version of AD is also in the form of adding a signature using SSK _i to the bit string AD. In the key ladder block 220, the signature contained in these secure versions is verified using one of the SPKs and the verification operation V. If the verification is successful, CW-URI and AD will be entered into function h to calculate the control word CW.

5 is a flowchart illustrating a method of establishing a decryption key performed in a chipset of a content receiver according to an embodiment of the present invention.

The chipset of the receiver receives a secured version of a link key (LK) from the processor 210 of the receiver communicatively connected to the chipset (S510). The secure version of the link key is encrypted with a public key (CPK) associated with the chipset to protect the confidentiality of the link key, and is signed using a signing key associated with the sender to protect the authenticity of the link key. will be. In order to obtain the link key (LK) from the secure version of the link key, the chipset includes a stored chipset ID (chipset-ID), a signature verification key (SPK) corresponding to the signing key (SSK), and a secret key (CSK) associated with the chipset. ) Is used (S520). If signature verification fails, the process stops.

The chipset receives the secure version of the provisioning data from the processor 210 (S530). The provisioning data includes a bit string (CW-URI) defining usage rules information (URI) for the control word (CW). In addition, the provisioning data may (optionally) further include a bit string AD indicating application data. The secure version of the provisioning data may include a link key LK itself or a message authentication code (MAC) using a key derived from the link key to protect the authenticity of the provisioning data. The chipset uses the link key LK obtained in step S520 to verify the authenticity of the secure version of the provisioning data (S540). If verification fails, the process is aborted.

The chipset receives the secure version of the virtual control word r from the processor (S550), and the link key obtained in the process S520 to obtain the virtual control word r from the secure version of the virtual control word r LK) is used (S560). The secure version of the virtual control word r is that the virtual control word r is encrypted with the link key LK.

The chipset uses a cryptographic function h to generate the control word CW from an input (S570). Here, the input includes the virtual control word (r), the signature verification key (SPK), and the provisioning data. The input may further include a bit string τ _b representing the presence or absence of associated data and a bit string AD representing the application data. If the above inputs are not received by the key ladder block, or the length of the input is not the same as the predefined size, the key ladder block stops the operation.

In FIG. 5, it is described that processes S510 to S570 are sequentially executed, but those of ordinary skill in the art to which an embodiment of the present invention pertains to FIG. 5 without departing from the essential characteristics of an embodiment of the present invention. 3 is not limited to a time-series order because it may be applied by changing the order described in or executing one or more of the processes S510 to S570 in parallel.

Meanwhile, the processes shown in FIG. 5 can be implemented as computer-readable codes on a computer-readable recording medium. The computer-readable recording medium includes all types of recording devices that store data that can be read by a computer system. That is, the computer-readable recording medium is a magnetic storage medium (e.g., ROM, floppy disk, hard disk, etc.), optical reading medium (e.g., CD-ROM, DVD, etc.), and carrier wave (e.g., Internet And storage media such as transmission through

The above description is merely illustrative of the technical idea of the present embodiment, and those of ordinary skill in the technical field to which the present embodiment belongs will be able to make various modifications and variations without departing from the essential characteristics of the present embodiment. Accordingly, the present exemplary embodiments are not intended to limit the technical idea of the present exemplary embodiment, but are illustrative, and the scope of the technical idea of the present exemplary embodiment is not limited by these exemplary embodiments. The scope of protection of this embodiment should be interpreted by the following claims, and all technical ideas within the scope equivalent thereto should be construed as being included in the scope of the present embodiment.

Claims (11)

In a method for safely obtaining a control word (CW),
Receiving a secure version of a link key (LK) from a processor of the receiver;
Using a signature verification key (SPK) and a secret key (CSK) corresponding to the signing key (SSK) to obtain the link key (LK) from the secure version of the link key;
Receiving a secure version of provisioning data from the processor;
Using the obtained link key (LK) or a signature verification key (SPK) corresponding to the signing key (SSK) to verify the authenticity of the secure version of the provisioning data;
Receiving a secure version of a virtual control word (r) from the processor;
Using the obtained link key LK to obtain a virtual control word r from the secure version of the virtual control word r; And
From an input, the process of using a cryptographic function (h) to generate the control word (CW), wherein the input is the virtual control word (r), the signature verification key (SPK), and the provisioning Contains data;
A method for safely obtaining a control word comprising a. The method of claim 1,
The secure version of the link key LK,
It is encrypted with a public key (CPK) to protect the confidentiality of the link key, and is obtained by being signed using the signing key (SSK) associated with the sender to protect the authenticity of the link key,
The secure version of the link key LK,
Ⅰ) a unique chipset ID (chipset-ID) related to the chipset of the receiver, ii) a link key (LK) encrypted using a public key (CPK) related to the chipset, and iii) a signature key related to the sender Including the signature generated from the chipset ID and the encrypted link key (LK) using,
The process of obtaining the link key LK,
I) the process of verifying the signature using a signature verification key (SPK) corresponding to the signature key (SSK), and ii) the encrypted link key (LK) using a secret key (CSK) associated with the chipset A method for safely acquiring a control word, characterized in that it comprises a process of decrypting a. The method of claim 2,
Receiving a plurality of signature verification keys from the processor, each signature verification key related to a corresponding conditional access/digital rights management system; And
And verifying a signature included in the secure version of the link key (LK) by using one of the received signature verification keys. The method of claim 2,
For use in decrypting the secure version of the virtual control word r received by the chipset and to verify the authenticity of the secure version of the provisioning data, the chipset is obtained from the encrypted link key LK A method for securely obtaining a control word, characterized in that it further comprises the process of storing one link key (LK). The method of claim 4,
Further comprising a process of determining whether a message authentication code matches a message authentication code added to the secure version of the provisioning data using the stored link key LK,
When it is determined that the message authentication code does not match the message authentication code added to the secure version of the provisioning data using the stored link key LK, virtual control from the secure version of the virtual control word r Method for securely obtaining a control word, characterized in that the link key (LK) is not used to obtain the word (r). The method of claim 1,
Receiving a plurality of signature verification keys from the processor, each signature verification key related to a corresponding conditional access/digital rights management system; And
A control word comprising the process of providing a signature verification key used to verify authenticity of the secure version of the link key LK from among the received signature verification keys as an input of the encryption function h How to securely acquire The method of claim 1,
The secure version of the provisioning data,
In order to protect the authenticity of the provisioning data, a message authentication code (MAC) using the link key (LK) or a key derived from the link key is added or signed using the signing key (SSK). A method for safely obtaining a control word, characterized in that it is obtained. The method of claim 7,
The security version of the provisioning data includes a first message to which the message authentication code is added to a bit string (CW-URI) defining usage rule information for the control word (CW), and a bit string indicating application data (AD ), the second message to which the message authentication code is added. The method of claim 7,
The security version of the provisioning data is a first message in which a signature using a signature key (SSK) associated with the sender is added to a bit string (CW-URI) defining usage rule information for the control word (CW), A method for securely obtaining a control word, comprising a second message to which a signature using a signature key (SSK) associated with the sender is added to a bit string (AD) representing data. The method of claim 1,
The provisioning data is configured to selectively include at least one of i) a bit string (CW-URI) defining usage rule information for the control word (CW), and ii) a bit string (AD) representing application data. And
The provisioning data further comprises a bit string (flag _b ) defining whether each bit string is included or not. A computer-readable recording medium containing computer program instructions for execution on a chipset of a receiver,
The computer program instructions are
Including an instruction to perform a method for safely obtaining a control word (CW) for descrambled scrambled content transmitted from the content delivery network,
A method for safely obtaining the control word (CW),
Receiving a secure version of a link key (LK) from a processor of the receiver;
Using a signature verification key (SPK) and a secret key (CSK) corresponding to the signing key (SSK) to obtain the link key (LK) from the secure version of the link key;
Receiving a secure version of provisioning data from the processor;
Using the obtained link key (LK) or a signature verification key (SPK) corresponding to the signing key (SSK) to verify the authenticity of the secure version of the provisioning data;
Receiving a secure version of a virtual control word (r) from the processor;
Using the obtained link key LK to obtain a virtual control word r from the secure version of the virtual control word r; And
From an input, the process of using a cryptographic function (h) to generate the control word (CW), wherein the input is the virtual control word (r), the signature verification key (SPK), and the provisioning Contains data;
Containing, a computer-readable recording medium.

Images