Cable system operators charge monthly fees for various services. Cable systems can be implemented using analog and/or digital networks. The analog cable networks typically offer limited services such as basic channels and premium channels. In addition to basic services, the digital cable networks offer expanded services including one or more of the following: electronic program guides (EPGs), premium channels, impulse pay-per-view (IPPV), video-on-demand (VOD), interactive sports, game shows, web access and features such as e-mail, chat, and instant messaging, interactive games, and/or services such as shopping (television commerce, or “T-Commerce”), home banking, and personal video recorders (PVR).
Some customers may attempt to fraudulently obtain one or more of the cable services. To maintain revenues, service providers must be able to reduce fraudulent access. The ability to cut off and/or to identify the location of customers who have fraudulently obtained the cable services would help to reduce fraudulent access.
Service providers must also be able to provide service provisioning in a cost-effective manner. In analog cable networks, service provisioning is an expensive process. Referring now to FIG. 1, an analog cable network 10 includes a cable service provider 14 that generates cable signals over cable 18. Cable drops 22-1, 22-2, . . . , and 22-n provide the cable signals to cable boxes 26-1, 26-2, . . . , and 26-n at customer locations. One or more analog filters 30 are added to each of the cable drops 22 at the customer locations to disable or filter out one or more premium channels if the customer is not a subscriber. When a subscription change is requested, the cable service provider 14 must dispatch a crew to the customer location. The crew adds or removes the filters 30, which remove or add, respectively, a premium channel. The cost of dispatching the crew must be included in the price of the premium channel, which increases the cost to the consumer.
OpenCable™ is a standard that has been defined by cable operators to provide digital cable-ready devices using a common platform. Referring now to FIG. 2, the OpenCable™ standard defines a host 50, which is typically a set top box 50-1 or an integrated television 50-2. The set top box 50-1 is typically connected to a television or monitor 54. A POD module 58, which is removable from the host 50, provides security and user authentication. The POD module 58 contains functionality that is associated with a proprietary conditional access system of a local cable provider or multiple system operator (MSO) 60. The POD module 58 is provided by the MSO 60 and is typically implemented using a PCMCIA or PC card. The POD module 58 may communicate with the MSO 60 using an in-band channel 64-1 and/or an out of band (OOB) channel 64-2 over the cable 64.
One goal of OpenCable™ is to provide portability. A consumer who purchases the host 50 for one cable system can relocate to another cable system and use the same host 50. OpenCable™ also seeks to lower the cost of service provisioning and to reduce fraudulent access. The OpenCable™ Applications Platform (OCAP™) specifications (OC-SP-OCAP1.0-I04-021028 and OC-SP-OCAP2.0-I01-020419), which are hereby incorporated by reference in their entirety, provide an open interface between the manufacturer's operating system (OS) and the various applications that will run within the host 50. Currently, developers of interactive television (iTV) applications must rewrite their programs for each proprietary platform. OCAP™ provides a standard application programming interface (API) to allow applications to be deployed on all hosts 50.
To allow portability, encryption and security are separated from the host 50 and are located in the POD module 58. When inserted into the host 50, the POD module 58 decodes encrypted content from the cable provider 60.
OpenCable™ provides channel-based service provisioning. When the consumer requests a premium channel or other resource, the POD module 58 sends a message to the cable provider 60. If the consumer subscribes to the premium channel or other resource, the cable provider 60 sends an entitlement message (EMM) back to the POD module 58. If the EMM is received, the host 50 is granted access. For premium channels, the granularity of control provided by OpenCable™ is at the level of a physical channel. In other words, the premium channel is either enabled or disabled.
OCAP™ also specifies a mechanism for platform validation, which detects fraudulent and/or compromised receivers in hosts. As used herein, platform validation and fraudulent access prevention are used interchangeably. A certificate, a signature file and hash files are embedded in the receiver of the host. The hash file enumerates a list of hash values for memory blocks in the receiver. A monitor application (MA) reads the blocks of data over a data bus and computes the hash value. The MA compares the computed hash value to the hash value specified in an encrypted file. The MA takes appropriate action such as terminating service and sending notification to the MSO when a mismatch occurs.
There are several disadvantages with the foregoing mechanism for preventing fraudulent receivers. First, the hash file is embedded in the receiver. The contents of the hash file cannot be easily changed without reprogramming the receiver. Second, the MA computes the same hash value every time. Hackers can monitor the host data bus for hash calculations. Over time, hackers will figure out the hash function since the computation would be very predictable. In addition, the API for the OCAP™ specification has been published, which includes APIs for reading the contents of the flash memory. In summary, the entire firmware is exposed using this approach and the likelihood of fraudulent access is significantly increased.
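The block-hash check and its predictability can be seen in a short sketch. This is an added example, not code from the OCAP™ specification or from the original text. SHA-256, the 64-byte block size, the function names, the sample image and the nonce-keyed contrast are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

BLOCK_SIZE = 64  # constructed block size; the page does not give one


def build_hash_file(image: bytes) -> list[str]:
    """Per-block digests, standing in for the hash file embedded in the receiver."""
    return [hashlib.sha256(image[i:i + BLOCK_SIZE]).hexdigest()
            for i in range(0, len(image), BLOCK_SIZE)]


def monitor_check(image: bytes, hash_file: list[str]) -> list[int]:
    """Recompute each block's hash and return the indexes that mismatch."""
    computed = build_hash_file(image)
    if len(computed) != len(hash_file):
        # A resized image cannot be mapped onto the list: flag every block
        return list(range(max(len(computed), len(hash_file))))
    return [i for i, (got, want) in enumerate(zip(computed, hash_file))
            if not hmac.compare_digest(got, want)]


def keyed_block_digest(image: bytes, index: int, nonce: bytes) -> str:
    """Contrast case (assumption, not on the page): digest keyed by a per-run nonce."""
    block = image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]
    return hmac.new(nonce, block, hashlib.sha256).hexdigest()


# Constructed 256-byte "firmware" image: four blocks of 64 bytes
FIRMWARE = bytes(range(256))
HASH_FILE = build_hash_file(FIRMWARE)

# Constructed tampered copy: one byte changed at offset 130, inside block 2
TAMPERED = bytearray(FIRMWARE)
TAMPERED[130] ^= 0xFF
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    print("clean image mismatches:   ", monitor_check(FIRMWARE, HASH_FILE))
    print("tampered image mismatches:", monitor_check(TAMPERED, HASH_FILE))
    # The embedded-list scheme yields the same value on every run
    print("static digest repeats:    ", build_hash_file(FIRMWARE)[2] == HASH_FILE[2])
    # A keyed digest differs from run to run because the nonce does
    a = keyed_block_digest(FIRMWARE, 2, os.urandom(16))
    b = keyed_block_digest(FIRMWARE, 2, os.urandom(16))
    print("keyed digest repeats:     ", a == b)
```

The static check detects the modified block, but its expected values never change for a given image, which is the predictability described above. The keyed variant would require the verifier to hold a reference copy of the image, since no fixed list of expected values can be embedded.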
Additionally, the OpenCable™ standards define a resource manager (RM) that manages system resources such as tuning, audio/video decoding, graphics plane and background devices. Once programmed, the RM manages resource contention based on predefined default rules that cannot be changed without reprogramming the host.