TWI523474B - Protection method for security data transmitted by a transmitter device to a receiver device - Google Patents

Publication number: TWI523474B
Authority: TW (Taiwan)
Prior art keywords: message, receiver, duration, data, stream
Application number: TW098124419A
Other languages: Chinese (zh)
Other versions: TW201105079A (en)
Inventors: 安東尼 雀凡利爾, 馬修 法米斯
Original Assignee: 薇瑟斯公司
Application filed by: 薇瑟斯公司
Priority to TW098124419A
Publication of TW201105079A
Application granted
Publication of TWI523474B

Landscapes

  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Description

Protection method for security data transmitted from a transmitter to a receiver

Field of the invention

The present invention relates to the field of telecommunications, and more particularly to a method of protecting security data transmitted from a transmitter device to a receiver device.

The invention also relates to a transmitter terminal device located at the head end of an operator network and configured to transmit work messages to a receiver terminal device.

The invention further relates to a computer program stored on a carrier and designed to run in the transmitter terminal device so as to implement the method according to the invention at the transmitting end.

The invention also relates to a receiver terminal device configured to receive the messages transmitted by the transmitter terminal device, and to a computer program stored on a carrier and designed to run on the receiver terminal device so as to implement the method according to the invention.

More precisely, the invention relates to improving the protection of EMM messages sent from the head end of an operator network to a customer's receiving system. More generally, it applies to the protection of any transmission of messages between entities connected by a communication network, regardless of the nature and characteristics of those entities and of the network.

Background of the invention

With the rapid growth of content distribution over communication networks, the risk of that content being hacked has become a major concern for the providers and the recipients of such content.

It is consequently essential to protect distributed content against the risk that the access rights associated with it are fraudulently rerouted, and also against the forging of those rights by users.

Indeed, in a CAS-type access control system, distributed content is usually encoded, and its decoding is conditional on a logical authorization (the user may access the content for a predetermined period) combined with a key, called the operating key, which allows other messages authorizing access to the content to be decoded. Logical authorizations and operating keys are usually sent to the receiver terminal devices in dedicated access control messages, EMM (Entitlement Management Message) and ECM (Entitlement Control Message), which must themselves be protected.

For a better understanding of the terminology specific to this technical field, reference may be made to the following document: "Functional Model of a Conditional Access System", European Broadcasting Union, EBU Technical Review, Brussels, Belgium, No. 266, 21 December 1995.

One drawback of the prior art stems from the fact that these messages can be intercepted and analysed in order to determine the access conditions and the keys needed to decode the content.

In some cases, the operator may wish to delete or restrict the access rights of certain recipients. In that case, the EMM and ECM messages carry the information needed for this purpose.

Another form of fraud consists in filtering the messages sent by the operator so that they are not used by the security processor of the receiver terminal device.

In addition, a hacker who wishes to recover an EMM message may submit it to a receiver system set up for testing in order to determine its effect experimentally.

Moreover, when the operator of the access control system introduces, on particular days of the month, EMM messages that add, modify or delete rights, as a result of computer batch processing, this may help hackers to single out the new EMM messages produced by that processing and to devise filtering strategies.

When access control messages are authenticated by means of cryptographic redundancy, this measure is ineffective in the following cases:

- if the hacker succeeds in obtaining the key, or in obtaining a correct cryptographic redundancy. This is particularly likely when the cryptographic redundancy is symmetric.

- if the hacker succeeds in having the message accepted by the security processor as containing a correct cryptographic redundancy and therefore as authentic. This is notably the case when the operating environment of the security processor of the receiving system, which is responsible for verifying authenticity, is physically tampered with. Such tampering includes, for example, a sudden rise in temperature, variations in the power supply signal or the clock, and exposure of the component to laser pulses, electromagnetic emissions or radiation from radioactive particles.

Where messages are protected by sending them to the receiver terminal device as a combination of positive and negative sequences, this measure is of interest only where the hacker may fail. In particular, some attacks involve adding rights to an official security processor (known as a MOSC, Modified Official Smart Card). In that case, the hacker may fail only if the operator changes the operating key in the messages being filtered.

Preferably, these keys should not be transmitted in the multiplex, to avoid exposing them unnecessarily.

It is therefore clear that access control systems (CAS) cannot always withstand hacker attacks, in particular the suppression of unwanted messages or the insertion of messages that should not be submitted to the security processor.

The object of the invention is to overcome the drawbacks of the prior-art access control systems described above.

Summary of the invention

The invention is based on the idea of maintaining a regular flow of messages between the transmitter and the receiver, so that messages are transmitted even when the operator has made no request.

The invention proposes a method of protecting security data transmitted by a transmitter to a receiver, which consists in periodically transmitting neutral data to the receiver, alternating with the security data, the neutral data being designed to prevent the security data from being filtered.

This regularity makes the communication between transmitter and receiver opaque to an outside observer, so that fraudulent filtering of security messages is difficult. It also allows the receiver to detect possible filtering of these messages.

Depending on the embodiment of the invention and on the nature of the secondary messages in the sequence, a detection operation or a counter operation follows. Different types of detection can be used, such as storing a log entry or incrementing a detection counter. Countermeasures include, for example, temporarily disabling or destroying the card containing the security processor.

According to another feature of the invention, the transmission of the neutral data is triggered once a predetermined time has elapsed since the transmitter last transmitted data to the receiver.

Preferably, the neutral data has a structure similar to that of the security data.

In one variant, the method according to the invention comprises the following steps:

- defining the duration DR separating two consecutive receptions, by the receiver, of data transmitted by the transmitter, and

- at a given instant t, measuring the time interval TR that has elapsed since the receiver last received data transmitted by the transmitter,

- if the time interval TR is greater than the duration DR, sending an alarm signal to a countermeasure management unit.

In this variant, the method further comprises: counting the number N of alarm signals sent by the receiver to the countermeasure management unit; storing the number N in the countermeasure management unit; defining a number SA of alarm signals representing a threshold that triggers a sanction; comparing the number SA with the number N stored in the countermeasure management unit; and, if N is greater than SA, carrying out a countermeasure procedure.

The countermeasure procedure can be activated locally by the receiver or remotely by the transmitter, and consists in temporarily or permanently suspending the operation of the receiver.

In a particular application of the method according to the invention, designed to strengthen the security of a CAS-type access control system, the security data and the neutral data are sent to the receiver in EMM messages.

The security data and the neutral data can be encoded to strengthen security. They can, however, be sent in encoded form.

The security data and the neutral data can be sent to the receiver in a data stream that further contains encoded audiovisual programmes. In this case, the temporary or permanent suspension of operation consists in no longer processing EMM messages when multimedia content is read.

The method according to the invention can be implemented by a transmitter terminal device located at the head end of an operator network and configured to send work messages to one receiver terminal device among several terminal devices connected to that network.

This terminal device comprises storage means for storing the maximum duration D between two consecutive transmissions of messages in the stream; measuring means for measuring the time T elapsed since the last message was sent; and insertion means for inserting a neutral message into the stream if the time T elapsed since the last message was sent is greater than or equal to the duration D.

On the head-end side of the network, the method according to the invention is implemented by a computer program stored on a carrier and designed to run on the transmitter terminal device in order to store the maximum duration D between two consecutive transmissions of messages in the stream, to measure the time T elapsed since the last message was sent, and to insert a neutral message into the stream if the time interval T elapsed since the last message was sent is greater than or equal to the duration D.

The receiver terminal device according to the invention comprises storage means for storing a maximum duration DR, greater than or equal to the duration D, between two consecutive receptions of messages in the stream; measuring means for measuring the time interval TR elapsed since the last message was received; and notification means for notifying the countermeasure action unit that the time has been exceeded if the time interval TR elapsed since the last message was received is greater than or equal to the duration DR.

On the receiver side, the method according to the invention is implemented by a computer program stored on a carrier and designed to run on the receiver terminal device in order to store a maximum duration DR, greater than or equal to the duration D, between two consecutive receptions of messages in the stream; to measure the time interval TR elapsed since the last message was received; and, if the time TR elapsed since the last message was received is greater than or equal to the duration DR, to notify the countermeasure action unit of the timeout.

Brief description of the drawings

Other features and advantages of the invention will become clearer from the following description, given by way of non-limiting example, with reference to the appended figures, in which: Figure 1 is a general flow chart showing the main steps of the method according to the invention.

Figure 2 is a flow chart showing the detection of message filtering by a terminal device according to the invention.

Detailed description of the preferred embodiment

The following description relates to an embodiment of the method according to the invention in a particular application, in which a transmitter terminal device located at the head end of an operator network transmits digital content to receivers connected to that network. The digital content is first encoded with a control word that is sent to the receiver terminal devices in EMM messages.

The operator can use different channels to broadcast EMM messages, and different addressing modes to send messages to different audiences. Thus, an EMM-GA is intended for all users (GA: global audience), an EMM-S for a group of users (S: shared) and an EMM-U for a single user (U: user). One channel is typically used to broadcast the EMM messages of each of these addressing modes.

Different EMM channels can be used even within a single addressing mode. For example, on a mobile phone, some messages can be sent in the same multiplex as the one carrying the video, while others can be sent by SMS. Several users may also receive the messages. In the context of the invention, each EMM-U sent to a user must be regarded as an EMM channel.

In order to maintain a regular flow of information on each EMM channel open between the transmitter terminal device and each receiver terminal device, the method according to the invention applies to all types of EMM channel, regardless of the type of message carried by the channel.

As in a standard CAS system, the operator issues requests to the CAS system to send messages. In the remainder of this description, these messages are called "work" messages.

If no message is associated with an EMM channel, the channel nevertheless remains active: a "functionally neutral" message is inserted into the channel by the CAS system. A functionally neutral message has a valid syntax designed to be parsed by the recipient terminal device, but it carries no information from the operator and, in particular, no request for any action to be performed by the terminal device.

The message stream leaving the CAS system is thus made up of work messages and neutral messages.

Figure 1 illustrates the main steps of the method according to the invention in the case where work messages are sent on independent EMM channels, each EMM channel having its own "constant content" context for the stream.

Step 2 is a prior configuration phase carried out by the operator on the transmitter and receiver terminal devices. This phase consists in defining, for a given stream and, in the case of a personal stream, for a given user, the maximum authorised duration of inactivity. A default value is set for this duration.

Note that the operator can modify the maximum authorised duration of inactivity for a given stream. For example, if a user's honesty is in doubt, the operator can require that a daily message be received on the EMM-U channel.

The receiver terminal device is then configured to accept, for each channel addressed to it, a certain time between messages.

During operation, the computer program running on the transmitter terminal device at the network head end performs the test of step 4 to determine whether the operator wishes to send a work message to the receiver terminal device.

If so, a work message is built in step 6 and sent to the receiver terminal device in step 8. The procedure then repeats from step 4.

If not, a test is carried out to determine whether a message has been sent to the receiver within a time shorter than the duration D defined in step 2.

If so, the procedure repeats from step 4.

If not, a neutral message is built in step 12 and sent (step 8) to the receiver terminal device.

Figure 2 illustrates the steps that allow fraudulent filtering of the work messages sent from the transmitter terminal device to the receiver terminal device to be detected. Note that the operator can activate or deactivate the detection, by the receiver terminal device, of possible filtering of work messages by sending a specific command to the receiver concerned.

To implement this detection procedure, the operator defines the duration DR separating two consecutive receptions, by the receiver, of data sent by the transmitter; at a given instant t, the software installed in the receiver terminal device measures the time interval TR elapsed since the receiver last received data sent by the transmitter and, if TR is greater than or equal to DR, sends an alarm signal to the countermeasure management unit.

In this example, the countermeasure management unit is built into the receiver terminal device, so the terminal device sends no information to the network head end.

In step 20, the operator sends the receiver a command that activates the detection of fraudulent filtering.

In step 22, the software installed in the receiver terminal device measures the time between two consecutive messages sent over the channel and, in step 24, compares the measured time with the duration DR.

If the time interval TR is greater than the duration DR, the receiver terminal considers that fraudulent filtering has been attempted and signals this alarm to the countermeasure management unit (step 26), which applies a sanction (step 30).

One sanction consists in no longer processing ECM messages when multimedia content is read, so that the content cannot be decoded.

Another sanction consists in deleting all the operating keys and all the rights held in the security processor of the receiver terminal device.

In a first variant, the countermeasure management unit applies the sanction procedure only after a predetermined number N of alarm signals has been sent to it by the receiver.

In a second variant, the countermeasure management unit selects the countermeasure procedure to apply progressively, according to the number of alarm signals recorded. For example, ECMs are no longer processed after two alarm signals, or the rights and operating keys of the security processor are even deleted after ten alarm signals.

If the time interval TR is shorter than the duration DR, the software installed in the receiver terminal device executes, in step 28, the command sent in the work message.

Note that the processing performed by the receiver terminal device proceeds according to the following steps:

- when it is switched on, or when it is woken after a period in standby, the terminal device waits for EMM messages,

- when an EMM message is received, it is processed as in the prior art, regardless of whether it is a work message or a functionally neutral message.

When detection of fraudulent message filtering is activated, the processing is modified as follows. When an EMM message is received, the date of the EMM message (transmission or reception) is stored, or the latest date at which the next EMM message is expected to be transmitted or received is calculated as the sum of the previous date and the maximum duration of inactivity, and then stored. When an EMM message is received, if the date determined at that point exceeds the previously stored date of transmission or reception of an EMM message by more than the maximum duration of inactivity, or if it is later than the previously stored latest expected date of the next transmission or reception of an EMM message, the terminal device records the detection of message filtering.
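The transmitter loop of Figure 1 and the receiver check of Figure 2, run as a small simulation in integer time ticks (an added example, not code from the patent or its applicant). The class names, the tick clock, the `drop` filter model and the one-alarm-per-missed-deadline rule are assumptions; D, DR and the two-alarm and ten-alarm thresholds come from the text.

```python
from dataclasses import dataclass, field

WORK, NEUTRAL = "work", "neutral"   # both travel as EMMs with the same structure


@dataclass
class Transmitter:
    """Head-end side (Figure 1): the channel is never silent for D ticks or more."""
    D: int                 # maximum authorised inactivity on this EMM channel
    last_sent: int = 0

    def tick(self, now, work=None):
        """Return the EMM to send at `now`, or None when nothing is due."""
        if work is not None:                  # steps 4, 6, 8: operator has a work message
            self.last_sent = now
            return (WORK, work)
        if now - self.last_sent >= self.D:    # T >= D: steps 12, 8, insert a neutral message
            self.last_sent = now
            return (NEUTRAL, None)
        return None


@dataclass
class CountermeasureUnit:
    """Counts alarm signals (N) and escalates, as in the second variant of the text."""
    stop_ecm_after: int = 2     # alarms before ECM processing stops
    erase_after: int = 10       # alarms before keys and rights are erased
    alarms: int = 0
    ecm_processing: bool = True
    keys_and_rights: bool = True

    def alarm(self):
        self.alarms += 1
        if self.alarms >= self.stop_ecm_after:
            self.ecm_processing = False
        if self.alarms >= self.erase_after:
            self.keys_and_rights = False


@dataclass
class Receiver:
    """Terminal side (Figure 2): stores the latest expected date of the next EMM."""
    DR: int                          # tolerated gap between receptions, DR >= D
    unit: CountermeasureUnit
    detection_enabled: bool = True   # step 20: the operator can switch detection on or off
    deadline: int = 0
    executed: list = field(default_factory=list)

    def start(self, now):
        self.deadline = now + self.DR

    def check(self, now):
        """TR > DR test at instant `now`. Assumption: one alarm per missed deadline."""
        if self.detection_enabled and now > self.deadline:
            self.unit.alarm()                  # step 26
            self.deadline = now + self.DR
            return True
        return False

    def on_emm(self, now, emm):
        """Work and neutral EMMs take the same path; only the final dispatch differs."""
        late = self.check(now)
        self.deadline = now + self.DR
        kind, payload = emm
        if kind == WORK and not late:          # step 28 is reached only when TR <= DR
            self.executed.append(payload)
        return late


def simulate(ticks, D, DR, work_at, drop=lambda now, emm: False):
    """Run one channel; `drop` models a filter sitting between head end and terminal."""
    tx, unit = Transmitter(D), CountermeasureUnit()
    rx = Receiver(DR, unit)
    rx.start(0)
    sent = []
    for now in range(1, ticks + 1):
        emm = tx.tick(now, work_at.get(now))
        if emm is not None:
            sent.append((now, emm[0]))
            if not drop(now, emm):
                rx.on_emm(now, emm)
        rx.check(now)                          # periodic check also catches total silence
    return sent, rx, unit


WORK_AT = {3: "add-right", 20: "remove-right"}   # constructed operator requests

if __name__ == "__main__":
    for label, drop in [("clean", lambda n, e: False),
                        ("filtered 10..40", lambda n, e: 10 <= n <= 40)]:
        sent, rx, unit = simulate(60, D=5, DR=8, work_at=WORK_AT, drop=drop)
        print(label, "alarms:", unit.alarms, "ECM on:", unit.ecm_processing,
              "executed:", rx.executed)
```

With D raised far above DR, so that no neutral messages are sent, the same receiver raises alarms on an unfiltered channel, which is why the text requires DR to be greater than or equal to D.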

Note that the processing times of work messages and neutral messages do not allow the type of message to be distinguished.

In a third variant of the invention, the countermeasure management unit is installed at the network head end and controlled by the operator. In this case, the countermeasure procedure consists in configuring the transmitter terminal device to send a sanction EMM message addressed to the receiver terminal device. This sanction EMM message is processed by the receiver terminal device and indicates which countermeasure to apply when several exist.

In particular, the invention can be implemented selectively per EMM channel or jointly for all channels, or selectively according to the nature of the work messages to be broadcast.

2-12: steps

20-30: steps


Claims (16)

一種用於從發射器發射至接收器之保全資料之串流的保護方法,其特徵在於其包括插入中性資料到該串流中並與該保全資料相交替地,週期性地發射該中性資料予該接收器,以防止該保全資料之過濾,該方法進一步包含下列步驟:- 定義由該接收器接收到該發射器發射之資料之兩次連續接收間分隔之持續時間(DR),以及- 於一給定瞬間(t),測量自該接收器接收到該發射器所發射之資料起所經過的時間間隔(TR),- 若該時間間隔(TR)大於該持續時間(DR),則發送一警報信號至一對策管理單元。 A method of protecting a stream of security data transmitted from a transmitter to a receiver, characterized in that it comprises inserting neutral data into the stream and alternately with the security data, periodically transmitting the neutral Information is provided to the receiver to prevent filtering of the preservation data, the method further comprising the steps of: - defining a duration (DR) of the separation between two consecutive receptions of the data transmitted by the transmitter received by the receiver, and - measuring the time interval (TR) elapsed since the receiver received the data transmitted by the transmitter at a given instant (t), - if the time interval (TR) is greater than the duration (DR), Then send an alarm signal to a countermeasure management unit. 如申請專利範圍第1項之方法,其中該中性資料之發射係於從該發射器末次發射資料至該接收器算起的一預定時間後觸發。 The method of claim 1, wherein the transmission of the neutral data is triggered after a predetermined time from the last transmission of the data by the transmitter to the receiver. 如申請專利範圍第1項之方法,其中該中性資料具有與該保全資料之結構類似的一結構。 The method of claim 1, wherein the neutral material has a structure similar to the structure of the security data. 如申請專利範圍第1項之方法,其中更包含下列步驟:包含計數由該接收器發送至該對策管理單元之警報信號數目(N),及將該數目(N)記憶於該對策管理單元中。 The method of claim 1, further comprising the steps of: counting the number of alarm signals (N) sent by the receiver to the countermeasure management unit, and storing the number (N) in the countermeasure management unit . 
如申請專利範圍第4項之方法,其中進一步包含下列步驟:- 定義表示用於觸發制裁之一臨界值之警報信號數目(SA); - 比較該數目(SA)與記憶於該對策管理單元中之數目(N);以及- 若該數目(N)大於該數目(SA),則進行一對策程序。 The method of claim 4, further comprising the steps of: - defining a number of warning signals (SA) indicating a threshold for triggering the sanctions; - comparing the number (SA) with the number (N) stored in the countermeasure management unit; and - if the number (N) is greater than the number (SA), performing a countermeasure procedure. 如申請專利範圍第5項之方法,其中該對策程序係由該接收器於本地啟動(activated)。 The method of claim 5, wherein the countermeasure program is locally activated by the receiver. 如申請專利範圍第5項之方法,其中該對策程序係由一發射器於遠端啟動(activated)。 The method of claim 5, wherein the countermeasure program is activated remotely by a transmitter. 如申請專利範圍第6或7項之方法,其中該對策程序包含短暫地或永久地懸置該接收器的操作。 The method of claim 6 or 7, wherein the countermeasure program comprises an operation of suspending the receiver briefly or permanently. 如申請專利範圍第1至7項中任一項之方法,其中該保全資料及該中性資料係於EMM(權利管理訊息)訊息中發送至該接收器。 The method of any one of claims 1 to 7, wherein the security information and the neutral data are sent to the receiver in an EMM (Entitlement Management Message) message. 如申請專利範圍第9項之方法,其中該保全資料及該中性資料係經編碼。 The method of claim 9, wherein the preservation information and the neutral data are encoded. 如申請專利範圍第1至7項中任一項之方法,其中該保全資料及該中性資料係於進一步包含已編碼之影音節目之一資料串流中發送至該接收器。 The method of any one of claims 1 to 7, wherein the security information and the neutral data are transmitted to the receiver in a stream of data further comprising one of the encoded audio and video programs. 如申請專利範圍第9項之方法,其中該操作之短暫性或永久性懸置包含當讀取一多媒體內容時不再處理ECM(權利控制訊息)訊息。 The method of claim 9, wherein the transient or permanent suspension of the operation comprises no longer processing the ECM (Entitlement Control Message) message when reading a multimedia content. 
一種發射器終端裝置,其安裝於營運商網路頭端並組配來根據申請專利範圍第12項之方法發送工作訊息之串流予一接收器終端裝置,其特徵在於其包含用以進行下 列動作之裝置:a)儲存於該串流中訊息連續兩次發送間之時間之最大持續時間(D),b)測量自末次發送訊息所經過之時間(T),c)若自末次發送訊息所經過之時間間隔(T)大於(或等於)該持續時間(D),則將中性資料插入該串流並發送至該接收器。 A transmitter terminal device installed at a head end of an operator network and configured to transmit a stream of work messages to a receiver terminal device according to the method of claim 12, characterized in that it is included for performing The device of the column action: a) the maximum duration (D) of the time between consecutive transmissions of the message stored in the stream, b) the time elapsed since the last message was sent (T), c) if sent from the last time When the time interval (T) elapsed by the message is greater than (or equal to) the duration (D), neutral data is inserted into the stream and sent to the receiver. 一種儲存於載體上之電腦程式,設計來於根據申請專利範圍第13項之發射器終端裝置上執行,以進行下列動作:a)儲存於該串流中訊息連續兩次發送間之時間之最大持續時間(D),b)測量自末次發送訊息所經過之時間(T),c)若自末次發送訊息所經過之時間間隔(T)大於(或等於)該持續時間(D),則將中性資料插入該串流並發送該中性資料至該接收器。 A computer program stored on a carrier, designed to be executed on a transmitter terminal device according to claim 13 of the patent application, to perform the following actions: a) the maximum time between consecutive transmissions of the message stored in the stream Duration (D), b) measure the time elapsed since the last message was sent (T), c) if the time interval (T) elapsed since the last message was sent is greater than (or equal to) the duration (D), then Neutral data is inserted into the stream and the neutral data is sent to the receiver. 
A receiver terminal device configured to receive the messages transmitted by the transmitter terminal device according to claim 14, characterized in that it comprises means for performing the following actions: a) storing the maximum duration (D) of the time between two consecutive receptions of messages in the stream, b) measuring the time (T) elapsed since the last message was received, c) if the time interval (TR) elapsed since the last transmission of the message is greater than or equal to the duration (DR), notifying a countermeasure management unit of the timeout.

A computer program stored on a carrier, designed to be executed on the receiver terminal device according to claim 15, to perform the following actions: a) storing the maximum duration (DR) of the time between two consecutive receptions of messages in the stream, or equal to the duration (D), b) measuring the time interval (TR) elapsed after the last message was received, c) if the time interval (TR) elapsed since the last message was received is greater than or equal to the duration (DR), notifying the countermeasure action unit of the timeout.
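The timing logic of the transmitter and receiver claims above, together with the (N)/(SA) threshold, as an added Python simulation that is not part of the patent text. The integer clock, the blocked channel, the values D=2, DR=3 and SA=2, the reading of N as a count of timeout notifications, and the restart of the receiver window after each notification are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Transmitter:
    D: int                 # max time allowed between two consecutive sends
    last_sent: int = 0
    def tick(self, now, payload=None):
        """Return the message emitted at time `now`, or None."""
        if payload is not None:
            kind = "EMM"                      # real security data
        elif now - self.last_sent >= self.D:  # T >= D: fill the gap
            kind = "NEUTRAL"
        else:
            return None
        self.last_sent = now
        return (kind, payload)

@dataclass
class CountermeasureUnit:
    SA: int                # threshold number of warning signals
    N: int = 0             # assumption: N counts timeout notifications
    suspended: bool = False
    def notify_timeout(self):
        self.N += 1
        if self.N > self.SA:                  # N > SA: run the countermeasure
            self.suspended = True

@dataclass
class Receiver:
    DR: int                # max time allowed between two consecutive receptions
    unit: CountermeasureUnit
    last_received: int = 0
    def tick(self, now, message=None):
        if message is not None:
            self.last_received = now
        elif now - self.last_received >= self.DR:   # TR >= DR
            self.unit.notify_timeout()
            self.last_received = now  # assumption: restart window after notifying

def simulate(steps, emm_times, blocked_from=None, D=2, DR=3, SA=2):
    """Constructed scenario: channel drops everything from `blocked_from` on."""
    tx, unit = Transmitter(D), CountermeasureUnit(SA)
    rx = Receiver(DR, unit)
    sent = []
    for now in range(1, steps + 1):
        msg = tx.tick(now, "rights-update" if now in emm_times else None)
        if msg:
            sent.append((now, msg[0]))
        blocked = blocked_from is not None and now >= blocked_from
        rx.tick(now, None if blocked else msg)
    return sent, unit.N, unit.suspended
```

Because neutral data keeps the stream from ever going silent for longer than D, a receiver that sees a gap of DR or more can attribute it to filtering rather than to an idle head end.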
TW098124419A 2009-07-20 2009-07-20 Protection method for security data transmitted by a transmitter device to a receiver device TWI523474B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW098124419A TWI523474B (en) 2009-07-20 2009-07-20 Protection method for security data transmitted by a transmitter device to a receiver device

Publications (2)

Publication Number Publication Date
TW201105079A TW201105079A (en) 2011-02-01
TWI523474B TWI523474B (en) 2016-02-21

Family

ID=44813872

Family Applications (1)

Application Number Title Priority Date Filing Date
TW098124419A TWI523474B (en) 2009-07-20 2009-07-20 Protection method for security data transmitted by a transmitter device to a receiver device

Country Status (1)

Country Link
TW (1) TWI523474B (en)

Also Published As

Publication number Publication date
TW201105079A (en) 2011-02-01

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees