CRYPTOLOGY FOR DIGITAL TV BROADCASTING

Transcription

1 CRYPTOLOGY FOR DIGITAL TV BROADCASTING B. M. Macq and J.-J. Quisquater Proceedings of the IEEE, Volume 83, No. 6, June

2 INTRODUCTION Cryptography for TV broadcasting is an old issue. Cryptography aims to prevent unauthorized receivers from decoding the programs by scrambling them. Cryptography and cryptanalysis are the two complementary approaches of cryptology. TV programs are very different from military secrets or banking information. The information rate is very much higher. The information value is very much lower. This paper is devoted to three issues: Conditional aces for pay TV Watermarking of images for copyright protection Image signature for authentication 2

3 SCRAMBLING DIGITAL TV Notation Message M (plaintext) Invertible transformation E K1 Encrypted message C=E K1 (M) (cipher text) The cipher text is transmitted over a public channel. An authorized receiver decodes the message by the transformation D k2 := E K1. D K2 (C) = E K1 [E K1 (M)] = M. K1: encryption key K2: decryption key Two kinds of encryption algorithms: Block encryption: The plaintext is segmented into blocks of fixed size. Each block is encrypted independently from the other blocks. If a block is sent on a noisy channel, errors propagate on the whole block. Stream encryption Each plaintext word is EXORed with a key k i generated by a PRN generator. Such schemes are more resistant to channel errors. 3

4 CONDITIONAL ACCESS FOR PAY-TV Entitlement An entitlement is a customized authorization The validity of an entitlement should always be limited in time. If the user stops fulfilling the access conditions, he/she cannot receive his/her new entitlement. The entitlements of each user can be granted, renewed or modified. Specifications Some specific requirements of a CA system Control Word Minimizing the constraints imposed on the user Minimization of the management cost Minimization of the theft of services The control word should have a sufficient length and a sufficiently short lifetime. The control word will only be passed to the unscrambling system in the decoders of users if the users have the relevant entitlements. In general, an access control system (ACS) may include a security processor that can be removed. 4

5 CONDITIONAL ACCESS FOR PAY-TV Access Control The user of an access control system will be provided with a decoder. The main function of the decoder is to contain the user s access rights (i.e., the description of the programs to which he/she is entitled). The program provider embeds in his broadcast an entitlement control message (ECM). An ECM will contain the enciphered control word as well as a description of the program (identifier, data, time, level, class, etc.). Confidentiality problems Eavesdropping the transmitted signal: To thwart this attack, the design of the system has an encryption technique. Reading sensible information stored in the decoder: This threat is circumvented by using a security processor. Commercial confidentiality Personal privacy Integrity problems Introduction of altered information in the decoder (e.g., an extension of the validity period of some entitlement. Authentication problems The security processor will behave as the authorized representative of the program provider. 5

6 CONDITIONAL ACCESS FOR PAY-TV Access Control Messages Two types of messages: ECMs and EMMs. The entitlement control message (ECM) An enciphered form of the control words The access parameters: an identification of the program and of the conditions required for accessing this program. Program number Program cost per view Program cost per unit of time Program theme/level and date Maturity rating These messages are routed to the security processor (implemented as a smart card). The security processor will decipher the control word and send it to the unscrambling circuit if one of the entitlements it contains covers the access parameters appearing in the ECM. The entitlement management message (EMM) New entitlements to the end user (new subscriptions, new program numbers) Information about the consumption The EMMs can be routed either on the signal transmission channel or on a distinct channel. 6

7 MPEG 2 FRAMES The picture frames are divided into 3 classes: I frames are coded without reference to preceding or upcoming frames in the sequence. P frames are coded with respect to the temporally closest preceding I frame or P frame in the sequence. B frames are interspersed between the I frames and P frames in the sequence. Renewability of content protection systems MPEG 2 is based on the Discrete Cosine Transform (DCT). Each frame (I, P, and B) goes through the following steps: DCT Quantization Entropy coding 7

8 AN I FRAME 8

9 A CASE STUDY: AN 8X8 BLOCK

10 A CASE STUDY: LEVEL SHIFTING The quantity 2 n is subtracted from each pixel value n=8 => 2 n =

11 11 A CASE STUDY: APPLICATION OF DCT

12 12 A CASE STUDY: NORMALIZATION MATRIX ), ( v u Z

13 DCT coefficients are quantized using the below formula = ), ( ), ( ), ˆ( v u Z v u T round v u T 38 consecutive zeros! A CASE STUDY: QUANTIZATION

14 A CASE STUDY: ZIGZAG REORDERING [ EOB] a special EOB Huffman code word indicates that the remainder of the coefficients are zeros. 14

15 A CASE STUDY: ZIGZAG REORDERING Entropy coding is lossless. DC and AC coefficients are treated differently. Differential Pulse Code Modulation (DPCM) on DC coefficients Each DPCM-coded DC coefficient is represented by a pair of symbols: (CATEGORY, AMPLITUDE) CATEGORY: indicates the # of bits needed to represent the coefficient. AMPLITUDE: contains the actual bits. The 1 s complement notation is used for negative numbers. Run-length coding (RLC) on AC coefficients RLC replaces each AC coefficient by a pair (RUNLENGTH, VALUE) RUNLENGTH: indicates the # of zeros in the run. VALUE: the next nonzero coefficient. The special pair (,) indicates the EOB after the last nonzero AC coefficient. 15

16 A CASE STUDY: COMPLETELY CODED ARRAY [ EOB] # of bits needed to store the 8x8 block = 64x8 = 512 # of bits after JPEG compression = 92 Compression ratio = 512/92 => 5.6:1 16

17 SET-TOP BOX Set-Top Box Broadcast network DVD player PC Switched network DTV Remote control device 17

18 COPYRIGHT PROTECTION BY DIGITAL IMAGES The issue of copyright protection of digital broadcasted sources is being studied. An electronic stamp must be a holographically inlaid over all the picture. The requirements for the electronic stamp: Undeletable by a hacker. Perceptually invisible. Statistically invisible. Fully resistant to any additional noise (compression, transmission, etc.) I: the original image, : the stamp Stamp procedure Q: a procedure which extracts essential characteristics of I. S(Q(I)), where S is a secret algorithm. I : the stamped image C S (Q(I )), stamped by S = YES, where C S is a correlation procedure. 18

19 AUTHENTICATION OF PICTURES A stamp is not a signature. The stamp aims to protect the author while the signature aims to protect the receiver. There are different methods of signature generation: Symmetric Asymmetric Asymmetric methods Diffie-Hellman key agreement RSA signature scheme ElGamal signature scheme Digital Signature Standard (DSS): This standard specifies a Digital Signature Algorithm (DSA). Symmetric methods Diffie-Lamport signature scheme Merkle signature scheme 19