Embodiments of the present invention relate to the field of program code protection. More particularly, embodiments of the present invention relate to a system, circuit device and method for protecting control words in a secure module for a TV receiver.
Various contents such as movies, music, game software, sport events, and others are offered by service providers through a variety of wired and wireless communication networks. Some of these contents are encrypted so that they can be accessed or viewed by subscribers who are in possession of a corresponding decryption key. It is understandable that service providers will try to protect their software from tampering. Embodiments of the present invention relate to the pamper protection by obfuscating the decryption key and may apply to conditional access systems for digital broadcast television.
There are several well-known digital radio and digital TV broadcast standards. In Europe, the digital radio broadcast is the DAB (Digital Audio Broadcasting) adopted by the ITU-R standardization body and by ETSI. The digital TV standard is DVB (Digital Video Broadcasting) in Europe, ATSC (Advanced Television Systems Committee) in the U.S., and ISDB (Integrated Services Digital Broadcasting) in Japan and South America. In addition to these standards, there are also mobile TV standards which relate to the reception of TV on handheld devices such as mobile phones or the like. Some well-known mobile TV standards are DVB-H (Digital Video Broadcasting-Handheld), CMMB (China), DMB (Digital Multimedia Broadcasting), and Mediaflo.
In most digital TV broadcasting services, the service providers scramble and encrypt the transmitted data streams to protect the broadcasted content and require their customers or users to install “security protection” mechanisms to decrypt and descramble the content. Security protection mechanisms such as digital rights management enable users to store content. Conditional access (CA) systems are other security protection mechanisms that allow users to access and view content but may or may not record the viewed content.
In a typical pay-TV system, the conditional access software runs on a dedicated secure element implementing robust mechanisms so as to prevent a malicious entity (“hacker”) from gaining access to the broadcast system secret to decipher the TV content. The CA instruction code and keys provisioned by the CA provider adapted to ensure security are typically stored in the discrete secure element. The communication link between the discrete secure element and the demodulator, if not protected, presents a vulnerable entry point for hackers to get access to the software or introduces malicious code to the TV system.
FIG. 1 is a block diagram of a conventional TV receiver 100 performing conditional access (CA) functions. Receiver 100 includes a TV demodulator 110 coupled to a suitable antenna 105 for receiving broadcast content. The broadcast content may be encrypted by a control word (CW). Demodulator 110 is connected to a dedicated secure element 120 via a communication link 150. Communication link 150 can be a proprietary interface or a standard interface. Secure element 120 may be provided by the service provider and controls access to a broadcast service by providing one or more control words to the demodulator via the communication link. Secure element 120 may include a CPU coupled to a memory unit which may contain EEPROM and/or ROM. Secure element 120 may also hold service entitlement information controlled by the service provider. The service provider may communicate with the secure element using encrypted messages that carry descrambling keys and other service management information.
Demodulator 110 receives the code word from the secure element and uses the code word to descramble the encrypted content. The clear stream is then provided to a video and audio decoder 130. A display 140 coupled to the video and audio decoder displays the decoded video and audio data streams. In general, secure element 120 may be provided in several forms and in multiple packaging options. For example, the secure element may be a dedicated surface mount device mounted on the receiver, a SIM card (e.g., in the context of a mobile phone), a secure SD card, or a module.
Because the communication link between the secure element and the demodulator is not secure, an additional layer, typically a software layer, is used to encrypt messages between the secure element and the demodulator. However, hackers or attackers may get access to this software layer through the communication link, and with it gain access to the code word. Therefore, the software layer must be made protected.
It can be seen that the conventional secure element has a hardware architecture that is not cost effective because it requires a dedicated module and a hardware connection to the demodulator. Furthermore, conventional techniques do not appear to address the concerns of service providers, CA operators, and content owners, namely, to provide security to the operation of their devices.
There is therefore a need to provide efficient methods and devices to securely protect information from access by unauthorized users or hackers using scanning, probing or any other techniques.