Conditional access/digital rights management (CA/DRM) systems for digital video broadcast (DVB) transmissions are well known and widely used in conjunction with pay television (TV) services. Such systems provide secure transmission of a broadcast stream comprising one or more services to a digital receiver contained for example in a set-top box or a mobile terminal supporting broadcast services. To protect the broadcast services from unauthorized viewing, the data packets are scrambled (encrypted) at the transmitter side with an encryption key commonly referred to as a control word. A CA/DRM system implements the selective distribution of the control words to authorized receivers only. Further security is provided by periodically changing the control words so they are only valid for a certain period. Typically control words are transmitted in encrypted form to the receiver using so-called entitlement control messages (ECMs).
In the receiver an ECM is filtered out of a transport stream and sent to a secure computing environment, referred to as a CA/DRM client (e.g., a CA/DRM client can be a smart card with embedded software or it can be an obfuscated software module executed inside the receiver). The CA/DRM client subsequently decrypts the ECM using a higher-level key, which is common to all CA/DRM clients that are authorized to access the TV channels associated with the control words included in the ECM. The control word is returned to the receiver, which loads the control word into the descrambler for descrambling data.
Control word piracy is a significant problem in digital video broadcasting (DVB) systems. A common attack uses the fact that a control word is a shared key that unlocks content on all receivers. An adversary can break part of the key delivery infrastructure to obtain control words and re-distribute the control words to unauthorized receivers. For instance, sometimes adversaries are able to intercept a control word that is transmitted from the CA/DRM client to the receiver and re-distribute it over local networks or over the Internet. The re-distributed control word is then used to descramble the scrambled services without a legitimate authorized CA/DRM client. A security requirement is therefore that the confidentiality and the authenticity of a control word should be protected.
In some cases, a chip set supports a key hierarchy to secure the control word delivery based on secret keys installed during the manufacturing process. FIG. 1 of the accompanying drawings shows a prior art example of a chip set 102 of a receiver that loads keys to descramble content. Decryption modules 114, 116 and 118 use encrypted input data and an input key to obtain decrypted output data. The chip manufacturer personalizes the chip set with a pseudo-random secret value for the symmetric chip set unique key CSUK and assigns a non-secret chip set serial number CSSN to the chip set for future identification. Elements 104 and 106 are read-only memory locations for storing CSSN and CSUK, respectively. Elements 108 and 110 are read-and-write memory locations for temporarily storing decrypted output data. As shown, content decoder 112 decodes the descrambled content. Dataflows between elements are indicated by arrows, and labels along the arrows identify the dataflows.
As shown in FIG. 1, a content stream scrambled with control word CW, denoted by {Content}CW, is received in the chip set 102. To provide the control word needed to descramble the content, chip set 102 supports secure loading of the associated CW using input {CW}CSLK, which denotes the CW encrypted with a symmetric chip set load key CSLK. Said CSLK is received at chip set 102 encrypted with the symmetric chip set unique key CSUK, which is denoted by input {CSLK}CSUK. To decrypt {CSLK}CSUK, CSUK is needed. The CSUK and the chip set serial number CSSN associated with the particular chip set are typically pre-installed in memory locations on the chip set (element 104 and element 106, respectively) and cannot be altered. In operation, CSUK is retrieved from secured storage (i.e., element 106) in chip set 102 and is used to decrypt the CSLK from {CSLK}CSUK using decryption module 114. Once decrypted, CSLK is stored in memory (i.e., element 108), and can be used to decrypt {CW}CSLK using decryption module 116. Lastly, the clear control word stored in memory (i.e., element 110) is used by decryption module 118 to descramble incoming scrambled content {Content}CW, such that the content may be decoded by the chip set using content decoder 112. Content decoder 112 can be external to the chip set 102 and is typically a part of the receiver.
Typically, for vertical market receivers, a chip manufacturer supplies a list of (CSSN, CSUK) pairs to a CA/DRM supplier, enabling the loading of a value for the chip set load key CSLK into a chip set, using the method depicted in FIG. 1. Known conditional access systems use a key loading mechanism, such as shown in FIG. 1, by sending an entitlement management message (EMM) and an ECM from a head-end system to the CA/DRM client. For the example in FIG. 1, the EMM includes the CSLK (intended for the CA/DRM client, and protected using the confidential and authentic channel offered by the CA/DRM system) and its encrypted version {CSLK}CSUK (intended for the chip set 102). The ECM includes an encrypted CW. The CA/DRM client provides {CSLK}CSUK to the chip set and may use the CSLK as a key for loading a sequence of control words. That is, the CA/DRM client may use CSLK to re-encrypt a CW included in an ECM, resulting in a message {CW}CSLK that is sent to the chip set 102. Typically, CSLK is unique to a particular combination of CA/DRM client and chip set, and consequently, only that chip set can decrypt {CW}CSLK received from the CA/DRM client (so sharing a CW loading message {CW}CSLK is not possible).
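The key ladder of FIG. 1, as an added example that is not part of the original description: the manufacturer personalizes each chip set with a CSUK and hands the (CSSN, CSUK) list to the CA/DRM supplier, the head-end's EMM carries {CSLK}CSUK, and the CA/DRM client re-encrypts the ECM's control word as {CW}CSLK. The cipher is a constructed toy (HMAC-SHA256 keystream XOR) standing in for the chip set's real symmetric algorithm, and the class, function and message names are assumptions of this example; it also shows that a second chip set, holding a different CSUK, recovers nothing from the same loading messages.

```python
import hashlib
import hmac
import os

CONTENT = b"constructed clear transport packet"  # sample payload, constructed

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the chip set's symmetric cipher: XOR with an
    HMAC-SHA256 counter keystream (toy, no nonce; same call encrypts/decrypts)."""
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

class ChipSet:
    """Chip set 102 of FIG. 1: CSSN/CSUK fixed at manufacture (elements 104/106), CSLK and CW loaded later (108/110)."""
    def __init__(self, cssn: int):
        self.cssn = cssn
        self.csuk = os.urandom(16)   # secret, never leaves the chip set
        self.cslk = None
    def load_cslk(self, wrapped_cslk: bytes) -> None:
        self.cslk = toy_cipher(self.csuk, wrapped_cslk)   # module 114 unwraps {CSLK}CSUK
    def descramble(self, wrapped_cw: bytes, scrambled: bytes) -> bytes:
        cw = toy_cipher(self.cslk, wrapped_cw)            # module 116 unwraps {CW}CSLK
        return toy_cipher(cw, scrambled)                  # module 118 descrambles {Content}CW

def manufacture(count: int):
    """Manufacturer personalizes chips; the (CSSN, CSUK) list goes to the CA/DRM supplier."""
    chips = [ChipSet(cssn) for cssn in range(count)]
    return chips, {c.cssn: c.csuk for c in chips}

def head_end_emm(csuk_list: dict, cssn: int):  # EMM: clear CSLK for the client, {CSLK}CSUK for the chip
    cslk = os.urandom(16)
    return cslk, toy_cipher(csuk_list[cssn], cslk)

def client_load_cw(cslk: bytes, cw: bytes) -> bytes:  # CA/DRM client re-encrypts the ECM's CW as {CW}CSLK
    return toy_cipher(cslk, cw)

def run_key_ladder():
    """Returns (chip 0 descrambles correctly, chip 1 can reuse the same loading messages)."""
    chips, csuk_list = manufacture(2)
    cw = os.urandom(16)
    scrambled = toy_cipher(cw, CONTENT)
    cslk, wrapped_cslk = head_end_emm(csuk_list, 0)   # EMM personalized for chip 0
    wrapped_cw = client_load_cw(cslk, cw)
    chips[0].load_cslk(wrapped_cslk)
    legit = chips[0].descramble(wrapped_cw, scrambled) == CONTENT
    # Chip 1 holds a different CSUK, so {CSLK}CSUK and {CW}CSLK unwrap to garbage: the CW loading message cannot be shared.
    chips[1].load_cslk(wrapped_cslk)
    reused = chips[1].descramble(wrapped_cw, scrambled) == CONTENT
    return legit, reused
```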
For horizontal market receivers, a CA/DRM system operator shall be able to swap a CA/DRM system. In the solution described above for vertical market receivers, the secret master key associated with the receiver (that is, the key CSUK) is known to a CA/DRM supplier. From a security perspective, this property is undesirable for horizontal market receivers. A reason for this is that the current CA/DRM supplier may publish the secret master key CSUK after the CA/DRM system has been swapped, compromising the security of the receiver. A security requirement for horizontal receivers is therefore that the scheme shall not require that any of the receiver's secrets known to a CA/DRM supplier need to be known to any other CA/DRM supplier. This requirement is not satisfied in the scheme described above.
While the example in FIG. 1 depicts a method that uses symmetric cryptographic algorithms, it is also possible to use asymmetric, or public-key, cryptography as shown in FIG. 2 of the accompanying drawings.
FIG. 2 shows a typical chip set implementing the loading of a control word using an asymmetric cryptographic algorithm to protect the confidentiality of the control word. Chip set 202, associated with chip set serial number CSSN, includes element 204 (a read-only memory storage location), elements 208 and 210 for storing a key pair (read-and-write memory storage locations), and element 212 for temporarily storing a clear control word (a read-and-write memory location). To protect the authenticity of the key pair, elements 208 and 210 are preferably write-once memory locations.
Instead of loading a pair (CSSN, CSUK) during manufacturing and sending the pairs to the CA/DRM suppliers and their operators (as performed in the example shown in FIG. 1), the chip manufacturer of chip set 202 shown in FIG. 2 personalizes chip set 202 by activating key pair personalization module 206 that generates a random key pair consisting of a chip set public key CSPK and a chip set secret key CSSK. The CSPK and CSSK are stored in elements 208 and 210, respectively. Alternatively, the key pair personalization module 206 may be implemented outside the chip set 202 (e.g., in a chip set personalization system available to the chip set manufacturer), and the manufacturer may load CSSK into the chip set 202 during its personalization. After this, the manufacturer can delete CSSK from its system(s).
The manufacturer maintains pairs of numbers, each pair comprising a chip set serial number CSSN and its associated chip set public key CSPK. The list of (CSSN, CSPK) pairs can be made available to all CA/DRM suppliers. Notice that only the authenticity of these pairs needs to be protected, as the numbers CSSN and CSPK are not secret. The CSPK is used to encrypt a CW that only the receiver with the corresponding CSSK can decrypt (using decryption module 216). That is, the encrypted control word {CW}CSPK is a unique data pattern, as no other receiver will generate the same random key pair (CSPK, CSSK), so sharing a CW loading message {CW}CSPK is not possible. The decrypted CW, stored temporarily in element 212, is then used to decrypt {Content}CW by decryption module 218 to produce the descrambled content. The descrambled content is then decoded using content decoder 214.
The benefit of the public-key solution depicted in FIG. 2 is that the chip set secret key CSSK does not need to be known to any CA/DRM supplier. However, as CSPK is a public key, it is also available to an adversary. In particular, an adversary can use a CSPK to distribute a given control word CW to the receiver associated with that CSPK, e.g., after CW is compromised from another receiver. That is, this method does not protect the authenticity of a CW loading message.
A second, independent mechanism for protecting the authenticity of a CW loading message may be added to the public-key solution depicted in FIG. 2. For instance, a message authentication code (MAC) can be used to protect the authenticity of a CW loading message {CW}CSPK. A MAC is a symmetric cryptographic technique, based on a secret key KMAC shared between the CA/DRM client and the chip set. In particular, the CA/DRM client uses KMAC as a key to generate a MAC value of a CW loading message {CW}CSPK. The computed MAC value can be appended to the message. After receiving the message and the MAC value, the chip set uses KMAC to verify the MAC value. Alternatively, a method based on public-key cryptography (i.e., an asymmetric digital signature) can be used for protecting the authenticity of a CW loading message {CW}CSPK. In such a solution, the manufacturer loads a public key associated with a digital signature scheme into the receiver during the personalization phase. This public key can be used as a root key of an authenticity mechanism. The receiver can use the authenticity mechanism to verify the authenticity of a CW loading message {CW}CSPK.
However, for both authenticity schemes (symmetric and asymmetric), the master key used for signing a message is a secret key. This implies that the requirement that none of the receiver's secrets known to one CA/DRM supplier need to be known to any other CA/DRM supplier is not satisfied if this master key is distributed to a CA/DRM supplier.
To fulfil this requirement and to protect the confidentiality and authenticity of a control word, the role of the chip manufacturer as a trusted party can be extended (or an additional trusted party can be used). For example, an additional key layer can be introduced in both schemes, and the trusted party can manage the root keys of such a scheme. However, this implies that the trusted party needs to manage (at least) one secret associated with a receiver after its personalization is completed. For liability reasons, this role of the trusted party is not desirable for chip set manufacturers. This implies that an additional trusted party would be needed.
There is a need for an improved solution for loading control words onto chip sets that solves the problems described above. That is, there is a need for a scheme with the following properties: (i) the confidentiality and the authenticity of a CW are protected, (ii) CA/DRM systems can use the scheme independently without the need to share a secret key, and (iii) after the personalization of a receiver, the trusted party no longer needs to manage any secret keys associated with the receiver (chip set).