WO2004019614A1 - Carte a puce comprenant une ligne de retard nrss destinee a l'alignement de donnees - Google Patents

Carte a puce comprenant une ligne de retard nrss destinee a l'alignement de donnees Download PDF

Info

Publication number
WO2004019614A1
WO2004019614A1 PCT/US2003/025763 US0325763W WO2004019614A1 WO 2004019614 A1 WO2004019614 A1 WO 2004019614A1 US 0325763 W US0325763 W US 0325763W WO 2004019614 A1 WO2004019614 A1 WO 2004019614A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
decryptor
arrangement
smart card
byte
Prior art date
Application number
PCT/US2003/025763
Other languages
English (en)
Inventor
Mark Alan Schultz
Dinakaran Chidambaram
Original Assignee
Thomson Licensing S.A.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Thomson Licensing S.A. filed Critical Thomson Licensing S.A.
Priority to AU2003258277A priority Critical patent/AU2003258277A1/en
Publication of WO2004019614A1 publication Critical patent/WO2004019614A1/fr

Links

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • G06Q20/4097Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
    • G06Q20/40975Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/41Structure of client; Structure of client peripherals
    • H04N21/418External card to be used in combination with the client device, e.g. for conditional access
    • H04N21/4181External card to be used in combination with the client device, e.g. for conditional access for conditional access
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N21/44Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream or rendering scenes according to encoded video stream scene graphs
    • H04N21/4405Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream or rendering scenes according to encoded video stream scene graphs involving video stream decryption
    • H04N21/44055Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream or rendering scenes according to encoded video stream scene graphs involving video stream decryption by partially decrypting, e.g. decrypting a video stream that has been partially encrypted
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00Television systems
    • H04N7/16Analogue secrecy systems; Analogue subscription systems
    • H04N7/162Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing
    • H04N7/163Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing by receiver means only
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00Television systems
    • H04N7/16Analogue secrecy systems; Analogue subscription systems
    • H04N7/167Systems rendering the television signal unintelligible and subsequently intelligible
    • H04N7/1675Providing digital key or authorisation information for generation or regeneration of the scrambling sequence

Definitions

  • This invention relates to smart cards for data decryption, and more particularly to arrangements for aligning processed and unprocessed data.
  • the decryptor on the smart card requires a proper key.
  • the necessary decryption keys accompany the video stream, and can be extracted therefrom.
  • These decryption keys are transmitted relatively infrequently, say every half-second or so. Thus, under least-optimum timing conditions, decryption might not start for one-half second after the key became available to the smart card.
  • the key may be changed at the source every few seconds for improved security. There may be different keys for various different ones of the available video streams, andor for different ones of the smart-card/delivery-device pairs.
  • the smart card In order to obtain the decryption key from the delivered encrypted information stream, the smart card must correctly decode the set of bytes containing the key information from the smart card must correctly decode the set of bytes containing the key information from among the bytes of each packet of information.
  • a serial bit stream of MPEG transport stream video might be made up of successive packets of information, where each packet of information consists of 188 bytes, each of 8 bits. Within each 188-byte packet, the first 8-bit byte is a synchronization byte having a value of forty-seven (47).
  • PID packet identification
  • These packet identification bytes carry information relating to the type of information in the packet, the type of coding, error detection and correction (ED AC) and the like. Since each packet contains
  • FIGURE 1 is a simplified block diagram of a smart card 10.
  • a source of digital data is illustrated as a block 12, and includes a data clock (DCLK) source 13 and an associated data (DLN) source 15.
  • the data may from time to time include an encoded MPEG transport stream.
  • the MPEG transport stream is strongly encoded to prevent compromise during transport to the smart card.
  • the data clock information from block 13 is applied to a Clock/Scan interface logic illustrated as a block 17 for testability using scan path vectors.
  • the input data from source 15 is applied to an 8-bit delay line or chain 210 , each individual register of which is made available by way of a data path 212 to a state controller illustrated as a block 14.
  • State controller or synchronizer 14 is illustrated in more detail in FIGURE 2.
  • State controller 14 is a synchronizer that synchronizes the 8-bit bytes with packet header information, so that an eight-byte first-in, first-out (FIFO) or delay line 20 of FIGURE 1 can feed 8 bytes at a time to a decryption portion 26 of a triple DES engine 25.
  • Path 51 feeds the 8-byte information from block 20 to state controller 14 so that the headers of the data can be examined to determine the type of packet and therefore, by implication, what should be done with the packet, such as decrypt or pass through.
  • the decrypted data from decryption portion 26 is re-encrypted with a singe DES encryption in an encryption portion of DES engine 25 using local key instead of the TDES keys found at the data transmitter, so that the output of the smart card is at least somewhat protected against compromise on its way to the display device.
  • the re-encrypted output of DES engine 25 is applied over a path designated 36 to an 8-byte FIFO 40 to re-convert to serial bit format.
  • the output of FIFO 40 is applied through a serial shift register 42 to a digital data output port (DOUT) 44.
  • a microprocessor ( ⁇ P) 48 includes ⁇ P ( ⁇ ) clock, address, interrupts, data, and control ports, which are coupled to a register interface illustrated as a block 46.
  • Register interface 46 interfaces with state controller 14, and with an Entitlement Control
  • ECM Entitlement Management Message
  • Smart card 10 of FIGURE 1 also includes clock and input/output ports 56 and 58, respectively, which are coupled to a universal asynchronous transmitter (UART) 54.
  • a reset port 60 allows resetting of ( ⁇ P) 48 and ancillary devices.
  • Power is coupled to smart card 10 by way of power electrodes or ports NCC 62 and G ⁇ D 64.
  • the applied data is coupled through a path including delay line 210, FIFO 20, DES engine 25, FIFO 40, and shift register 42, being synchronized, decrypted and reencrypted, and reconverted to serial bit form on its way.
  • a smart card comprises a first input coupled to a decryptor arrangement for receiving input data stream information which includes an identification header, and which may include data gaps which are not byte aligned, and processing the information including delaying, byte-aligning and decrypting the data stream information, to produce an output data sequence on an output line of the decryptor arrangement.
  • a delay line has a first port coupled to the first input for receiving the input data stream information, and a second port for providing a delayed sequence of the input data stream information. The delayed sequence stream is delayed by an amount corresponding to the delay in processing the input data stream through the decryptor arrangement.
  • a controllable switch selectively couples to one of a) the second port of the delay line and b) the output line of the decryptor arrangement, for passing to an output port selected bits of the delayed sequence stream and the output data sequence according to information in the input data stream.
  • the decryptor arrangement of the smart card decrypts the information to clear information, and further comprises an encryptor arrangement coupled to the decryptor arrangement for re-encrypting the clear information to form re-encrypted information.
  • a method for enabling use of encrypted and unencrypted data stream information in a smart card having a decryptor arrangement which receives at an input thereof each packet in the data stream, regardless of whether the packet requires decryption, and which produces, at an output thereof, an output data stream.
  • the method comprises providing a communication path having an input coupled to the input of the decryptor arrangement, and delaying the data stream carried in said communication path by an amount corresponding to the processing delay in the decryptor arrangement to produce a delayed data stream having bypassed the decryptor arrangement.
  • One or more bits of the output data stream output from the decryptor arrangement and one or more bits of the delayed data stream are selectively coupled to an output of the smart card according to information in the input data stream.
  • a smart card is for receiving encrypted MPEG transport stream information, where the information includes an identification header, and which may include data gaps which are not byte aligned.
  • the smart card controllably decrypts the information to produce decrypted information, or information encrypted at a lower level.
  • the smart card comprises a decryptor arrangement including a serial output register.
  • the decryptor arrangement has a processing delay.
  • the smart card also includes a first delay line for delaying the information for a duration equal to a number of bits corresponding to the processing delay of the decryptor arrangement, to thereby generate bit- delayed information.
  • a byte aligner is provided for byte aligning each incoming packet of the information to produce byte-aligned information.
  • a controller receives the byte-aligned data and examines the identification header of each packet for determining if the packet information is to be decrypted, and if so for obtaining a key and enabling the decryptor arrangement. Means are provided for, prior to a time when the bit-delayed information comprises the identification header, loading the serial output register with a substitute header. Controllable multiplexing means is (or are) coupled to the first delay line and to the serial output register of the decryptor arrangement, for coupling the bit-delayed information to an output port prior to arrival of the identification header at the multiplexing means, and thereafter coupling to the output port the substitute header followed by information which has been decrypted.
  • the decryptor arrangement of the smart card decrypts the information to clear information, and further comprises an encryptor arrangement coupled to the decryptor arrangement for re-encrypting the clear information to form re-encrypted information, and for coupling the re-encrypted information to the serial output register.
  • a method is for, by use of a smart card, enabling use of encrypted and unencrypted MPEG transport stream information, where the information includes an identification header associated with each packet of information, and which may include data gaps which are not byte aligned.
  • the method comprises the step of, within the smart card, byte aligning packets of the information to thereby produce byte- aligned packets of information, and, also within the smart card, examining an identification header of each byte-aligned packet of information, to determine whether the associated packet should or should not be decrypted.
  • the byte-aligned packets of information are applied to an input port of a decryptor arrangement having fixed bit delay, and concurrently with the coupling of the byte-aligned packets of information to the decryptor arrangement, the byte- aligned packets of information are coupled to an input of a delay line located in the smart card, which delay line has a bit delay equal to the bit delay of the decryptor arrangement.
  • an output of the delay line is coupled to a serial output port of the smart card, and if a packet of information is to be decrypted, a key is obtained, and the decryptor arrangement is enabled, for at least decrypting the byte-aligned packets of information, for thereby producing encryption processed information.
  • a substitute header is loaded into an output register of the decryptor arrangement, and, immediately following the coupling of a prior packet to the output port of the smart card, the substitute header is coupled to the output port of the smart card, and immediately following the coupling of the substitute header to the output port of the smart card (10), the encryption processed information is coupled to the output port of the smart card.
  • the step of obtaining a key and enabling the decryptor arrangement includes the steps of (a) decrypting the information to produce decrypted information, and (b) re-encrypting the decrypted information.
  • FIGURE 1 is a simplified diagram of a smart card, illustrating a state controller and the path for data signals requiring decryption;
  • FIGURE 2 is a more detailed block diagram of a portion of a controller for the smart card of FIGURE 1 in accordance with a copending patent application;
  • FIGURE 3 is a simplified block diagram of a smart card according to an aspect of the invention, including a delay line bypassing the decryptor.
  • FIGURE 2 is a simplified block diagram of a state controller portion of the smart card of FIGURE 1 generally according to copending patent application serial number PU020387, filed 15 August 2003 in the name of the inventors herein and copending patent application PU020256 filed 9 May 2003 in the name of David J. Duffield et al.
  • the smart card In order to obtain the decryption key for the decryption portion 26 of DES engine 25 from the delivered encrypted information stream, the smart card must correctly decode the set of bytes containing the key information from among the bytes of each packet of information.
  • a serial bit stream of MPEG transport stream video might be made up of successive packets of information, where each packet of information consists of 188 bytes, each of 8 bits. Within each 188-byte packet, the first 8-bit byte is a synchronization byte having a value of forty- seven (47).
  • PID packet identification
  • These packet identification bytes carry information relating to the type of information in the packet, the type of coding, error detection and correction (ED AC) and the like. Since each packet contains 188 bytes, there are 187 bytes between successive synchronization bytes, and 183 bytes between the end of the packet identification bytes and the next following synchronization byte.
  • encrypted serial information is applied from an input port 15 to a port 210i of an 8-bit delay line 210 controlled by state controller or synchronizer 14.
  • the encrypted serial information is in the form of packets of 188 bytes, where each byte is of eight bits. Within each packet, the first byte is a synchronization byte, which has a particular value. In the case of a MPEG transport stream, the particular value of the synchronization byte is forty-seven (47). In this transport stream, four packet identification (PID) bytes immediately follow the synchronization byte.
  • PID packet identification
  • State controller or synchronizer 14 of FIGURE 2 generates a byte clock on an output signal path 16, which is used to clock serial-to-parallel FIFO converter block 20.
  • Encrypted serial information delayed relative to the encrypted serial information applied to input port 2l0i of delay line 210, is produced on an output signal path 16 of synchronizer 14, and is applied to serial-to-parallel converter 20.
  • Serial-to-parallel converter 20 produces on a signal path 24 a stream of eight-parallel-bit bytes in response to the byte clock generated on path 16.
  • a packet synchronization or reset signal generated on an output path 22 of synchronizer 14 is used for a timing reference in the triple DES decryption portion of DES engine 25.
  • the National Renewable Security Standards (NRSS) Committee system delay through the smart card 10 is a constant clock delay even though there may be gaps between the 188-byte packets.
  • NRSS National Renewable Security Standards
  • the reset or sync signal of the next packet helps to establish if a gap exists or no gap is found between packets, which adjusts the processing for terminating the present or current packet and the beginning of processing of the incoming packet.
  • the encrypted stream of parallel-bit bytes produced by serial-to-parallel converter 20 of FIGURE 2 is applied to a key extraction arrangement illustrated as a block 30.
  • the key information is transmitted in a number of bytes found in the serial bit stream entering port 12 of smart card 10, on an infrequent basis, such as every half-second.
  • Block 30 monitors the parallel-bit byte stream and, when key information is available, extracts the key, and processes it, if necessary, as by decrypting, and applies the resulting decrypted key to a memory or register illustrated as a block 28.
  • decryptor portion 26 of DES engine 25 receives the encrypted parallel-bit bytes from converter 20, and decrypts the information using the key which is available in register 28.
  • Decryptor portion 26 produces decrypted video information.
  • the video may again be encrypted in a block illustrated as 34 with an encryption code which a utilization or display apparatus can decode.
  • the re-encrypted video is produced on path 36 of FIGURE 1 and, after further processing, becomes available at smart card 10 output port or path 44.
  • the encrypted serial information is applied to the input port 210i of an eight-bit delay line or serial register 210.
  • Delay line 210 makes each of the stored eight bits available on a set 212 of output lines 212a, 212b, . . . 212g, 212h.
  • the eight-bit-period delayed encrypted serial information is output from block 210 at an output port 210o, and is applied by way of signal path 18 to serial-to-parallel converter 20.
  • an AND gate 214 includes eight input ports 1, 2, . . ., 7, 8, each of which is connected to one of the eight bit lines of set 212. More particularly, input ports 1 and 2 of AND gate 2 * 14 are connected to bit lines 212g and 212h, respectively, and input ports 7 and 8 of AND gate 214 are connected to bit lines 212a and 212b, respectively.
  • AND gate 214 includes a further input port designated EN9. This further input port is used as an enable (EN) input port, enabling the remaining input ports in response to a selected logic level applied over a bit line 216, and disabling the gate in response to the other logic level.
  • EN enable
  • AND gate 214 of FIGURE 2 monitors the value of the bits traversing 8-bit delay line 210.
  • AND gate 214 is configured to, when enabled, respond to the value of a synchronizing byte, which in one version has a bit value of forty-seven (47).
  • a packet synchronizing (sync) or reset signal on signal path 22 when the total value of the bits traversing delay line 210 equals 47 and AND gate 214 is enabled, AND gate 214 responds by producing a packet synchronizing (sync) or reset signal on signal path 22.
  • the sync signal on signal path 22 is applied to a three (3)-bit counter illustrated as a block 218, which resets to zero (or to full count, as desired) and then counts eight clock cycles. Since a byte corresponds to eight bits or clock cycles, the full count of counter 218 occurs once per byte, and may be considered to be a byte clock.
  • the byte clock signal produced by counter 218 is applied by way of path 16 to serial-to-parallel converter 20, to aid in producing the parallel-bit bytes.
  • converter 20 accepts eight bits, and produces one byte every eight bit clock cycles.
  • the sync or reset pulse produced on path 22 by AND gate 214 of FIGURE 2 is also applied to a reset input port 228r of a counter 228, together with the byte clock from counter 218.
  • Counter 228 counts a number of bytes corresponding to the number of bytes between successive packet synchronizing pulses. More particularly, in an exemplary arrangement in which there are 188 bytes in each packet, one of which is the synchronization byte, there are 187 byte intervals between two successive synchronization bytes.
  • counter 228 At full count, counter 228 generates a logic high or logic 1 at its output port 228o, which is applied by way of an OR gate 310 to the enable input port EN9 of AND gate 214, to thereby enable AND gate 214 to detect the next synchronization byte.
  • output port 228o of counter 228 produces a logic low or 0 signal, which disables AND gate 214. Disabling the AND gate for all periods other than the expected arrival time of the synchronization byte tends to reduce the incidence of response of AND gate 214 to occasional byte values of 47, which may occur during operation.
  • OR gate 310 of FIGURE 2 is connected in signal path 216 between output port 228o of counter 228 and the enable input port EN9 of AND gate 214. More particularly, port 228o of counter 228 is connected to an input port 310i of OR gate 310, and the output port 3 lOo of OR gate 310 is connected to port EN9 of AND gate 214.
  • OR gate 310 has no effect on the enabling and disabling of AND gate 214 by counter 228, so that when counter 228 reaches a full count of 187 byte intervals, it produces an enable signal which enables AND gate 214 for the next following byte, and maintains AND gate 214 disabled otherwise.
  • OR gate 310 of FIGURE 2 has its second input port 310 2 connected to the output port 312o of an AND gate 312.
  • AND gate 312 effectively provides a second input port, designated 312ii, by which AND gate 214 can be enabled. More particularly, if the output port 312o of AND gate 312 is logic high, that logic high level will be coupled through OR gate 310 to the enable input port EN9 of AND gate 214 regardless of the state of output port 228o of counter 228.
  • a block illustrated as 314 in FIGURE 3 stores the bit patterns of the packet identification (PID) bytes which are of interest to the smart card 10 of FIGURE 1, and makes the patterns available to a comparator arrangement illustrated as a block 316.
  • PID packet identification
  • Comparator 316 is enabled for comparison of the stream of data bytes arriving by way of path 24 with at least one, and preferably a set of two or more, of the PID bytes within the data stream. Comparator 316 is enabled by an enable (EN) signal applied from the output port
  • Window generator 320 responds to at least the second count of the counter 228 following the sync or reset signal, and preferably to the second, third, fourth, and fifth counts, to enable comparison block 316 during the first, or preferably the first through fourth counter-228 counts following the sync bit which resets counter 228.
  • comparison block 316 compares the stream of parallel-bit bytes applied from path 24 with the PID byte(s). If a match is found, the output port 316o of comparator
  • comparison block 316 at an active logic state.
  • comparison block 316 fails to match any one of the PID bytes, synchronization is deemed to not be achieved, and AND gate 214 is re-enabled to search for another sync byte.
  • the DES engine runs continuously, and consumes power even when decryption and re-encryption is not desired. This tends to cause excess power consumption during such times, and contributes to heating of the smart card.
  • operation of the decryptor/encryptor in a manner which allows the signal to be passed without processing adds complication to the smart card. If the DES engine were to be run continuously, even when decryption was not needed, security could be compromised by repeatedly passing data having specific patterns through the DES engine, with the engine told to decrypt during one pass and to not decrypt during the next following pass, in an effort to discover the encryption keys.
  • FIGURE 3 illustrates a smart card according to an aspect of the invention.
  • the single-encrypted output from DES engine 25 is applied by way of FIFO 40 and serial shift register 42 to a first input port 312il of a multiplexer (MUX)
  • MUX multiplexer
  • multiplexer 312 when multiplexer 312 is in a state which couples first input port 312.il to output port 312o, the operation of the system of FIGURE 3 is identically as described in conjunction with FIGURE
  • the digital input data or signals are applied both to input port 210i of delay line 210 and additionally to the input port 310i of a further delay line or register 310.
  • the delayed output signals from delay line 310 appear at an output port 3 lOo, and are applied to a second input port 312i2 of multiplexer 312.
  • the delayed data from delay line 310 is applied to "open" or non-connected second input port 312 ⁇ 2 of multiplexer 312, and goes no further.
  • control of the state of multiplexer 312 allows selection of either the decrypted/encrypted (and delayed) data or unencrypted data to be coupled through the smart card.
  • State controller 14 allows DES engine 25 to change the headers of the packets of data passing therethrough to correspond to the encryption state, and multiplexer 312 switches in specific bits that are being changed.
  • Delay line 310 of FIGURE 3 allows unencrypted data to bypass the DES engine 25, and it may be turned off or deenergized to save power. In the event that the incoming data packets exceed 188 bytes in length, the data can be bypassed around the DES processing and some synchronization problems can be avoided, and thus allows continued flow of uninterrupted data.
  • the delay line 310 provides access to the data after the DES engine has started to perform processing.
  • the delay line also allows bit-wise substitution of headers and non-DES encrypted portions of the packet with minimized control circuits in the DES processing; all data exiting the DES engine is byte-aligned, while the path through delay line 310 is not necessarily byte-aligned because of the possibility of gaps between packets.
  • An additional advantage of the incorporation of delay line 310 into the smart card 10 is that, in the case of a non- authorized card, or a card in which authorization has lapsed, the DES circuits can be bypassed, and those portions of the data service which are unencrypted can pass unchanged through the smart card, to keep unencrypted services flowing. This helps to limit the microprocessor activity on a non-activated card, or on a card that the microprocessor has determined is in the process of being hacked so that the microprocessor shuts it down.
  • the length of delay line 310 is selected to equal the normal constant-delay requirements of the smart card, which in one embodiment corresponds to the delay of 140 flip-flops.
  • a constant delay device such as a smart card may not need to have a specific number of delays for all devices. For any given application, a smart card may require only that the delay be constant, with different delays for different applications being provided by different smart cards suited to those different applications.
  • a smart card (10) comprises a first input
  • a delay line (310) has a first port (310i) coupled to the first input (2101) for receiving the input data stream information, and a second port (310o) for providing a delayed sequence of the input data stream information.
  • the delayed sequence stream is delayed by an amount corresponding to the delay in processing the input data stream through the decryptor arrangement.
  • a controllable switch (312) selectively couples to one of a) the second port of the delay line and b) the output line of the decryptor arrangement, for passing to an output port (312o, 44) selected bits of the delayed sequence stream and the output data sequence according to information in the input data stream.
  • the decryptor arrangement of the smart card (10) decrypts the information to clear information, and further comprises an encryptor arrangement (34) coupled to the decryptor arrangement (25) for re-encrypting the clear information to form re-encrypted information.
  • an encryptor arrangement (34) coupled to the decryptor arrangement (25) for re-encrypting the clear information to form re-encrypted information.
  • a method is disclosed for enabling use of encrypted and unencrypted data stream information in a smart card having a decryptor arrangement which receives at an input thereof each packet in the data stream, regardless of whether the packet requires decryption, and which produces, at an output thereof, an output data stream.
  • the method comprises providing a communication path having an input coupled to the input of the decryptor arrangement, and delaying the data stream carried in said communication path by an amount corresponding to the processing delay in the decryptor arrangement to produce a delayed data stream having bypassed the decryptor arrangement.
  • One or more bits of the output data stream output from the decryptor arrangement and one or more bits of the delayed data stream are selectively coupled to an output of the smart card according to information in the input data stream.

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Multimedia (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Accounting & Taxation (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Finance (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Abstract

L'invention concerne une carte à puce comprenant un déchiffreur DES permettant de déchiffrer des données chiffrées. Quand des données non chiffrées sont appliquées sur la carte, une ligne de retard possédant un délai égal à celui du déchiffreur court-circuite celui-ci. Un multiplexeur commandable effectue une sélection entre des données non modifiées retardées et des données déchiffrées. Un registre à décalage couplé au déchiffreur permet de modifier des informations d'en-tête de paquet de données et permet également d'obtenir un flux de données non interrompu pour des paquets de données non normalisés.
PCT/US2003/025763 2002-08-22 2003-08-15 Carte a puce comprenant une ligne de retard nrss destinee a l'alignement de donnees WO2004019614A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003258277A AU2003258277A1 (en) 2002-08-22 2003-08-15 Smart card with nrss delay line for data alignment

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US40520502P 2002-08-22 2002-08-22
US60/405,205 2002-08-22

Publications (1)

Publication Number Publication Date
WO2004019614A1 true WO2004019614A1 (fr) 2004-03-04

Family

ID=31946825

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/025763 WO2004019614A1 (fr) 2002-08-22 2003-08-15 Carte a puce comprenant une ligne de retard nrss destinee a l'alignement de donnees

Country Status (2)

Country Link
AU (1) AU2003258277A1 (fr)
WO (1) WO2004019614A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2109314A1 (fr) * 2008-04-11 2009-10-14 Gemalto SA Procédé de protection des clés échangées entre une carte intelligente et un terminal
US7636857B2 (en) * 2004-05-24 2009-12-22 Interdigital Technology Corporation Data-mover controller with plural registers for supporting ciphering operations

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0714204A2 (fr) * 1994-11-26 1996-05-29 Lg Electronics Inc. Méthode de protection contre l'exposé illégal et la copie dans un système vidéo nummérique et méthode de commande à cet effet
WO1999030498A1 (fr) * 1997-12-10 1999-06-17 Thomson Licensing S.A. Systeme d'acces conditionnel pour recepteurs numeriques
US20020108040A1 (en) * 2000-11-13 2002-08-08 Eskicioglu Ahmet M. Threshold cryptography scheme for conditional access systems

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0714204A2 (fr) * 1994-11-26 1996-05-29 Lg Electronics Inc. Méthode de protection contre l'exposé illégal et la copie dans un système vidéo nummérique et méthode de commande à cet effet
WO1999030498A1 (fr) * 1997-12-10 1999-06-17 Thomson Licensing S.A. Systeme d'acces conditionnel pour recepteurs numeriques
US20020108040A1 (en) * 2000-11-13 2002-08-08 Eskicioglu Ahmet M. Threshold cryptography scheme for conditional access systems

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"FUNCTIONAL MODEL OF A CONDITIONAL ACCESS SYSTEM", EBU REVIEW- TECHNICAL, EUROPEAN BROADCASTING UNION. BRUSSELS, BE, no. 266, 21 December 1995 (1995-12-21), pages 64 - 77, XP000559450, ISSN: 0251-0936 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7636857B2 (en) * 2004-05-24 2009-12-22 Interdigital Technology Corporation Data-mover controller with plural registers for supporting ciphering operations
US8112635B2 (en) 2004-05-24 2012-02-07 Interdigital Technology Corporation Data-mover controller with plural registers for supporting ciphering operations
EP2109314A1 (fr) * 2008-04-11 2009-10-14 Gemalto SA Procédé de protection des clés échangées entre une carte intelligente et un terminal
WO2009124889A1 (fr) * 2008-04-11 2009-10-15 Gemalto Sa Procédé de protection de clés échangées entre une carte à puce et un terminal

Also Published As

Publication number Publication date
AU2003258277A1 (en) 2004-03-11

Similar Documents

Publication Publication Date Title
RU2184392C2 (ru) Интеллектуальная карта на основе системы управления доступом с усовершенствованной защитой
US6781601B2 (en) Transport processor
US5602920A (en) Combined DCAM and transport demultiplexer
KR100666438B1 (ko) 디지털 전송 시스템을 위한 스크램블링 유닛
US5852290A (en) Smart-card based access control system with improved security
EP1110399B1 (fr) Systeme et procede de protection d'une information transmise contre la copie
JP2003517218A (ja) Nrssインタフェースを通るオーディオ/ビジュアル・データを保護する方法
US20090187937A1 (en) Device and method for controlling digital bidirectional communication
JP2007135230A (ja) 取外し可能な条件付きアクセスモジュールの縦続方法と、その方法を実行する所定のシーケンスの挿入回路及び検出回路
US7469420B2 (en) Key transport tamper protection
US20050058293A1 (en) Information transmission system
WO2004019614A1 (fr) Carte a puce comprenant une ligne de retard nrss destinee a l'alignement de donnees
WO2001037562A1 (fr) Mecanisme de cryptage adaptatif pour systeme de transport de donnees multiple de television numerique
KR20030056306A (ko) 전송 스트림 데이터의 디스크램블 처리 장치 및 그 방법
Jung et al. Design and implementation of a multi-stream cableCARD with a high-speed DVB-common descrambler
KR100986236B1 (ko) 키 전송 탬퍼 보호
WO2004019547A1 (fr) Synchronisation rapides dans des carte a puce intelligentes
KR100216538B1 (ko) Mpeg-2 트랜스포트-스트림의 dvb-스크램블링 장치
JPH08331119A (ja) データ伝送装置および方法並びにデータ受信装置および方法
WO2002078341A2 (fr) Systeme de protection d'interface destine a proteger des communications entre circuits integres
JPH0923415A (ja) デスクランブラ装置
KR100655027B1 (ko) 디지털 쌍방향통신 제어장치 및 그 방법
JP2002281476A (ja) デジタル放送限定受信装置
JP2003124929A (ja) 暗号復号装置

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP