1. Technical Field
The invention relates to security in conditional access systems. More particularly the invention relates to a conditional access system that includes a multi-layer cryptographic security architecture for prevention of replay attacks.
2. Technical Background
In conditional access systems, such as cable television networks, audio, video, data and other forms of content in electronic form may be broadcast as digital transport streams. The transport stream originates at the system headend and is transmitted to and received by receiver units that display or make use of the transport stream. In order to prevent unauthorized use or viewing of the transport stream, the stream may be encrypted. In such systems, the receiver is capable of decrypting the transport stream prior to viewing or using it.
Typically, the algorithm used to encrypt the transport stream is controlled by an encryption key. When decrypting the transport stream at the receiver end, the receiver must have the key. As a security measure, the key is periodically changed. Because the key is changed on a regular basis, there can be multiple keys required to decrypt the transport stream. The keys are then encrypted and broadcast within the transport stream.
Generally, within the receiver unit of a conditional access system, a transport reception module (TRM) is operative to receive the transport stream transmitted from the headend. Furthermore, a conditional access module (CAM) decides whether or not to decrypt the stream, based on services purchased by the user, If the CAM allows the user to view or otherwise use the transport stream, it decrypts the keys and provides them to the transport decryption module (TDM) for use in decrypting the transport stream. Thus, the TDM is operative to decrypt the transport stream, using the decrypted keys supplied by the CAM. Following decryption, the decrypted stream is displayed to the user on a display module.
Often, encrypted transport streams are recorded by the receiver and stored for future use. Furthermore, current conditional access systems are subject to replay attacks, particularly key replay attacks, in which unencrypted decryption information is intercepted and recorded as it is being passed to a TDM. Subsequently, the recorded decryption information may then be used at a later time to gain unauthorized access to the encrypted transport streams. For example, User A and User B both record a transport stream containing a particular audio/video stream, such as a movie. User A purchases the service; therefore the CAM in A's receiver will provide keys to use in decrypting the transport stream. User A can record the keys provided by the CAM as they are being passed to the TDM, and send them to User B. Thus, User B is able to decrypt the stream using the keys provided by A, viewing or using the stream without purchasing it.
A. Wasilewski, H. Pinder, G. Akins, M. Palgon, Conditional access system, U.S. Pat. No. 6,157,719 (Dec. 5, 2000) and R. Banker, G. Akins, Preventing replay attacks on digital information distributed by network service providers, U.S. Pat. No. 6,005,938 (Dec. 21, 1999) provide techniques for preventing replay attacks on digital information distributed by network services. At the beginning of a subscription period for a service, a network service provider sends entitlement messages to the subscriber that provide the subscriber with a session key and authorization information, specifying a service and a period of time. When an encrypted service instance is distributed, it is accompanied by entitled control messages. The subscriber equipment that decrypts the service instance does so only if the time specifier in the entitlement control message specifies a time period specified by the authorization information. While the disclosed technique certainly complicates replay attacks by introducing a time element absent in conventional methods, it does not prevent them. In particular, it does not prevent recording and replaying of generated control words or instance keys.
S. Ooi, Decryptor, U.S. Pat. No. 5,790,666 (Aug. 4, 1998) describes a decryptor within a receiver unit of a conditional access system that includes a descrambler for descrambling signals scrambled at the headend using a pseudo-random noise generator. At the receiver, a pseudo-random noise generator is induced to change its state, through the provision of a scramble key, so that it generates pseudo-random noise signals that descramble the scrambled signal. The encrypted scramble key is transmitted from the headend and decrypted at the receiver after a cascade of conditions is satisfied. The decryptor, as described, provides a robust, multi-layer security apparatus for a conditional access system. Nevertheless, it suffers a vulnerability to replay attacks common to many conditional access systems. The scramble key, when it has been decrypted, may be intercepted and recorded as it is passed to the descrambler. Subsequently, the recorded key may be replayed, either on the same receiver, or different receivers, creating the possibility of pirating and unauthorized use of the signal.
Accordingly, there exists a need for a way of preventing replay attacks in conditional access systems. It would be desirable to provide protection in multiple layers, so that if one layer is compromised, the other layers remain intact.