The invention pertains to descrambling and decryption systems used in communications networks in which individual descramblers may be selectively authorized for access to the services provided by the network.
All such systems require the secure delivery of authorization data to the descrambler. Security of the signal carrying the services is obtained by a technique of ensuring that any tampering of the messages delivering the authorization data causes a violation of the authorization conditions required by the descrambler for providing successful access to the network. Examples of such technique are described below.
A classical "signature verification" technique, which is described by D. E. R. Denning "Cryptography and Data Security", Addison-Wesley, 1983, as applied to this type of communications system, requires the authorization message delivered to the descrambler to contain a data block which contains a known value of sufficient size encrypted under a key shared between the descrambler and the originator of the message. If the descrambler obtains the known value after decryption, then it accepts the message as describing the legitimate conditions for authorization.
A "data comparison" technique described in "Specification for Conditional Access Receivers", Draft NR-MSK Specification Vedlegg 4, Oct. 1987), requires an unknown value of a sufficiently large number of bits to be repeated twice in the encrypted portion of the authorization message. If the descrambler finds, after decryption, that the two blocks match then it accepts the message as describing the legitimate conditions for authorization.
A "selective delivery" technique described in U.S. Pat. No. 4,613,901 to Klein S. Gilhousen, Charles F. Newby, Jr. and Karl E. Moerder, utilizes a hierarchy of secret keys to provide access control. Each level of the hierarchy is associated with an address. If the descrambler does not possess one of the appropriate addresses, it does not receive the message destined for the address containing the secret key for that level of the hierarchy. Since the secret key at each level of the hierarchy is encrypted under the secret key of the next level, an attacker cannot substitute a message intended for a different address.
A "key modification" technique described in U.S. Pat. No. 4,712,238 to Klein S. Gilhousen, Jerrold A. Heller, Michael V. Harding and Robert D. Blakeney, is similar to the "selective delivery" technique, but delivers authorization data along with the secret keys. The authorization data is in the clear, but is used to alter the secret keys in such a way that any attempt to modify the clear data causes incorrect generation of the secret keys when the descrambler performs the decryption operation. Since the descrambler then possess the incorrect keys, it will not correctly decrypt the signal.
All these systems protect the authorization data against tampering based on modification to the authorization messages, where such modification is based solely on knowledge of the contents of the message and on the operation of the system. However, if an attacker is able to gain additional information about the keys in use by the descrambler, e.g. through theft of key lists, then the services are open to attacks known as "spoofing". In these attacks, the attacker intercepts the authorization message, decrypts certain portions of it, substitutes data desired by the attacker, and reencrypts the substituted message under the key known to be held by the descrambler. The resultant message is delivered to the descrambler, causing the descrambler to authorize incorrectly.
An object of the present invention is to render such attacks null and void, either immediately, or upon replacement of the compromised keys by the message originator. As a result of this, an attacker is forced either to compromise the descrambler hardware or to obtain the most basic keys, which cannot be changed because they are fixed inside the descrambler hardware.