Digital Video Broadcasting Conditional Access Architecture



Similar documents
Monitoring Conditional Access Systems

3GPP TSG SA WG3 Security S3#29 S July 2003 San Francisco, USA. Key distribution and billing in PayTV model. Abstract

Enforcing Regional DRM for Multimedia Broadcasts with and without Trusted Computing

- Open Architecture/Interoperability Issues

DVCrypt Conditional Access System

A STUDY ON DIGITAL VIDEO BROADCASTING TO A HANDHELD DEVICE (DVB-H), OPERATING IN UHF BAND

ITC Specification of Digital Cable Television Transmissions in the United Kingdom. July 2002

How Pay-TV becomes E-Commerce

PowerKey Conditional Access System Phase 1.0. System Overview. Revision 1.0

Attacks on Pay-TV Access Control Systems. Markus G. Kuhn Computer Laboratory

DIRECT TO HOME TELEVISION (DTH)

Introduction to Security and PIX Firewall

Cable TV Headend Solutions

SOFTWARE USER S GUIDE. DemuxToy Lite TS Anayser v1.1.0

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

Digital Content Manager (DCM) DCM Supercrypt

How To Build A Cloud Based Data Hub For A Networked Network (Networking) System (Network)

SMALL SYSTEM ARCHITECTURE FOR DIGITAL CABLE Christopher Poli, PE and Michael Hicks Motorola Broadband Communications Sector

Applications that Benefit from IPv6

MPEG-2 Transport vs. Program Stream

EU policy and regulation of technical platform services to digital television. Agenda. 1. From analogue to digital television

Chapter 6: Broadcast Systems. Mobile Communications. Unidirectional distribution systems DVB DAB. High-speed Internet. architecture Container

CI Plus 1.3 Specification Operator Benefits

Ajay Gummalla-July 2001

BENEFITS OF USING MULTIPLE PLP IN DVB-T2

Satellite TV Technology How it works and what you can do with different dishes. OldSkoolS

SMiT Professional CAM User Guide

Countermeasures for Attacks on Satellite TV Cards using Open Receivers

Measurements on MPEG2 and DVB-T signals (1)

IPTV and Internet Television

An architecture for the delivery. of DVB services over IP networks Rennes, January 2007 INTRODUCTION DIGITAL VIDEO TRANSPORT

EV-8000S. Features & Technical Specifications. EV-8000S Major Features & Specifications 1

DIRECTV Set Top Box and Content Protection Description

The Parts of the System

Smart LNB. White Paper. May 2014

Thwarting Selective Insider Jamming Attacks in Wireless Network by Delaying Real Time Packet Classification

Secure Streaming Media and Digital Rights Management

ENERGY STAR Technical Specifications for Cable, Satellite, and Telecom Service Providers. Table of Contents

Computer Network. Interconnected collection of autonomous computers that are able to exchange information

HbbTV Forum Nederland Specification for use of HbbTV in the Netherlands

Network Security Course Specifications

Pro:Idiom System Description

Spirent Abacus. SIP over TLS Test 编 号 版 本 修 改 时 间 说 明

ADVANTAGES OF AV OVER IP. EMCORE Corporation

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

MXMedia CipherStream. Preliminary Assessment. Copyright 2012 Farncombe 1.0. Author: T F

How To Set Up & Manage an IPTV System WHITE PAPER

ADVANCED IC REVERSE ENGINEERING TECHNIQUES: IN DEPTH ANALYSIS OF A MODERN SMART CARD. Olivier THOMAS Blackhat USA 2015

Multi-Stream CableCARD Software Release Notes

An affordable all-digital solution for cable systems of every size

Solutions to enhance the performance & security of your networks & applications.

How To Test Video Quality With Real Time Monitor

Model 8710 x Home Communications Terminal

Chapter 6 CDMA/802.11i

Cleaning Encrypted Traffic

Fujitsu Gigabit Ethernet VOD Solutions

Network Access Security. Lesson 10

Advanced DOCSIS Set-Top Gateway Implementation Design Guide for System Release 5.0

Protocols and Architecture. Protocol Architecture.

Setting up Digital Cable on an S1Digital Media Center

White Paper BLU-RAY DISC NEXT-GENERATION OPTICAL STORAGE: PROTECTING CONTENT ON THE BD-ROM. t TM

Cable Modems. Definition. Overview. Topics. 1. How Cable Modems Work

Digital Cable Tuner Setup for Windows Media Center in Windows Vista. A Step-by-Step Guide for Professional Technicians

Understanding the Impact of Encryption on Certified Wireless USB Testing. Introduction. Association vs. Security

Recommended Wireless Local Area Network Architecture

Network Authentication X Secure the Edge of the Network - Technical White Paper

IRD GUIDELINES FOR THE DVB-T (S) PLATFORM AUSTRIA. Profile. Zapping. Released. Version 1.0 Zapping IRD_Guidelines_Zapping_V10.

IPTV and its transportation...

Technical Specification Digital Video Broadcasting (DVB); Content Scrambling Algorithms for DVB-IPTV Services using MPEG2 Transport Streams

R&S AVG050 DVB Satellite Receiver Compact DVB-S and DVB-S2 satellite demodulator

Network Security Technology Network Management

1 Overview of Digital TV

Wireless Encryption Protection

DVB-S2 and DVB-RCS for VSAT and Direct Satellite TV Broadcasting

SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES

Contents. Connection Guide. What is Dante? Connections Network Set Up System Examples Copyright 2015 ROLAND CORPORATION

Broadband & HDTV solutions for hospitality sector. High-speed internet, Cable TV, IPTV & OTT delivery using the existing coax infrastructure

reach a younger audience and to attract the next-generation PEG broadcasters.

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

Cisco D9865 Satellite Receiver

WHITE PAPER. Ad Insertion within a statistical multiplexing pool: Monetizing your content with no compromise on picture quality

Sample Project List. Software Reverse Engineering

Quality of Service Analysis of site to site for IPSec VPNs for realtime multimedia traffic.

From Digital Television to Internet? A general technical overview of the- DVB- Multimedia Home Platform Specifications

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Traffic load and cost analysis for different IPTV architectures

Efficient Certificate Management in VANET

Local and Ultra Local Content in Broadcast Mobile TV

Content Protection in Silverlight. Microsoft Corporation

DIGITAL RIGHTS MANAGEMENT SYSTEM FOR MULTIMEDIA FILES

Cisco ROSA Video Service Manager (VSM) Version 05.03

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Security features include Authentication and encryption to protect data and prevent eavesdropping.

Internet Protocol Television (IPTV)

Hardware Security Modules for Protecting Embedded Systems

MyM 3T. User Manual. English

5.1 audio. How to get on-air with. Broadcasting in stereo. the Dolby "5.1 Cookbook" for broadcasters. Tony Spath Dolby Laboratories, Inc.

Fragmented MPEG-4 Technology Overview

Over the Top (OTT) Content Delivery

Security vulnerabilities in the Internet and possible solutions

Transcription:

Digital Video Broadcasting Conditional Access Architecture Introduction Digital Video Broadcasting (DVB) is a standard defining a one-to-many unidirectional data network for sending digital TV programs over satellite, cable, and other topologies. The standard enables the broadcasting industry to offer hundreds of pay-tv channels to consumers. The expanded capacities make the broadcast signals more valuable and attractive to signal thefts [1]. To protect a DVB data-network, the DVB standard integrates into its broadcasting infrastructure an access control mechanism, commonly known as Conditional Access, or CA for short [3]. This report is an overview of the DVB-CA architecture. The approach is to provide a full picture of a typical DVB-CA deployment in operation. First, each of the major components is individually described. Then, an operational walk-through is given to show how the different components work together. Throughout the report, the architecture s enabling technologies are mentioned. However, the technical details are not elaborated but instead deferred to references. Functional Partitions The DVB-CA architecture manages end-users access to protected contents with three elements: data scrambling, a subscriber authorization system (SAS), and a subscriber management system (SMS) [5]. Together, they form three layers around the protected contents: Subscriber Management Subscriber Authorization Data-Scrambling Mpeg2 Digital TV Data scrambling encrypts the digital-tv contents at the center. The subscriber authorization system controls the data-scrambling element by handling the secured distribution of descrambling keys to authorized subscribers. Knowing which subscribers entitle to what contents, the subscriber management system delivers access permissions to the SAS for enforcement. The protection scope of the DVB-CA architecture ends at the boundary where protected contents are legitimately descrambled. Thus, DVB-CA offers no protection when a legitimate subscriber wires up a receiver to tap out the descrambled contents. Data-Scrambling The data-scrambling element is the encryption of TV contents. To avoid confusion, the DVB-CA specification uses the terms scrambling and descrambling to mean the encrypting and decrypting of TV contents, differentiating other uses of cryptography in the broader DVB infrastructure [4] [7]. The broadcast center does the scrambling, and receivers perform the descrambling.

Subscriber Authorization System The SAS element implements the access-control protocol. It enforces end-users access rights by allowing only authorized subscribers to descramble the contents [5]. SAS uses cryptography extensively, and the system is designed to be renewable inexpensively as a strategy to contain damage from being compromised. Subscriber Management System The SMS element grants access rights. Operating from the business operation center, the SMS maintains a database of subscribers. For each subscriber, the SMS database records subscription level, payment standing, and a unique ID inside the subscriber s smart card. The SMS uses the information to decide which TV channels a subscriber is entitled to view, and the access permissions are given to the subscriber authorization system for enforcement [6]. System Architecture The next picture depicts the major components of the DVB-CA architecture and their relations [9]: receiver smartcard SMS ca host ca client ca module user rights channel acl emm ecm ca descriptors mpeg2 a/v controlwords scrambler DVB data network controlwords descrambler mpeg2 a/v The scrambler and descrambler implement the data-scrambling element, and control words are the cipher keys. CA-Host, CA-Client, and CA-Module are the three distributed components of the SAS element, and they use CA descriptors and CA messages (EMM and ECM) for communication. Scrambler and Descrambler The data-scrambling cipher is called DVB Common Scrambling Algorithm (DVB-CSA) [4]. The algorithm is a combination of 64-bit block cipher followed by a stream cipher, with a key-size of 64 bits [7]. However, the detail is kept secret and disclosed to equipment manufacturers under nondisclosure agreement. For performance and obscurity, the algorithm is implemented in hardware. At the broadcast center, the scrambler generates control words to scramble the contents, and it passes the control words to the CA-Host for secured distribution to descramblers via ECM CA messages [3]. Control words change about every ten seconds, and the scrambler synchronizes the descrambler to key switching using a specific bit in data-packet headers [4]. As a defense strategy, different TV channels are scrambled with different stream of control words. 2

CA Messages CA messages are encrypted command-and-control communications from CA-Host to CA-Modules. The DVB-CA architecture categorizes CA messages into Entitlement Control Messages (ECM) and Entitlement Management Messages (EMM) [4]. ECMs carry channel-specific access-control list and control words. EMMs deliver subscriber-specific entitlement parameters [8]. As a strategy of defense in depth, a secret cipher different from data scrambling is used, and the details on the message formats are closely guarded secrets. CA Descriptor CA descriptors are data records associating a protected channel to its ECMs [4]. Since different stream of control words are used to scramble different channels, there is no need to keep the relations secret. Thus, the CA descriptors are sent in clear via the electronic channel guide, which is transmitted continuously in the broadcast traffic. CA-Host The CA-Host is the control center of the access protection [9]. It is responsible for encrypting all CA messages to CA-Modules and securely distributing CA messages' cipher keys to CA-Modules. CA-Client A CA-Client is the access-control coordinator at a receiver [9]. It passes CA messages from the CA-Host to its CA-Module. It delivers the control words from the CA-Module to the descrambler. When the viewer selects a channel, the CA-Client uses the channel s CA descriptor to filter the associated ECMs and passes them to the CA-Module. If the channel is a pay-per-view, the CA-Client also walks the viewer through GUI dialogs to confirm purchases. CA-Module A CA-Module (CAM) is the access-control guard at a receiver [9]. Each CA-Module has a unique CAM-ID for identifying the subscriber [2]. The CA-Module authenticates and decrypts EMMs to establish a subscriber s entitlement parameters, which are stored in the CAM s non-volatile and secured memory and never leave the CAM. The CA-Module also authenticates and decrypts ECMs to receive a channel s control words and access parameters from the CA-Host. If the access parameter in an ECM is consistent with the entitlement parameters stored in the CA-Module, the CA-Module returns the control word to the CA-Client for setting up the descrambler. Since it is important for CA-Modules to be temper-resistant and easily replaced when damaged or compromised, they are often implemented as smart cards [2]. Subscriber Management System The SMS is the business manager determining each subscriber s rights of channel access [5]. It uses CAM-IDs to link subscribers to the subscriber authorization system. As a subscriber s 3

subscription level and payment standing change, the SMS modifies the access rights by instructing the CA-Host to send new EMMs to the CA-Module having the subscriber s CAM-ID [9]. Network Integration The next picture shows where the components of the DVB-CA architecture are integrated into a DVB data network: ca descriptors channel guide mpeg2 a/v mpeg2 decoder mpeg2 a/v 1 mpeg2 a/v 2 mpeg2 a/v N ca messages ca host scrambler subscriber management multiplexing control words data transmitter data receiver packet filter channel guide ca messages descrambler GUI ca client control words TV output TV ca module (smartcard) To illustrate the interaction between the components in the DVB-CA architecture, a walk-through of the operations behind the following access scenario is presented next. A subscriber is currently entitled to only basic services, without access to premium sports channels. In an evening, the subscriber browses through the on-screen channel guide and decides to watch a boxing event. Tuning to the channel, the subscriber is presented an on-screen message instructing the viewer to call the customer service center to upgrade subscription level. After going through the conversation of service upgrade, the customer representative confirms the subscriber s request to upgrade. Within a few seconds, the on-screen message is replaced by the boxing show. Behind the scene, the CA-Client receives the channel-tuning request from the GUI. From the channel number of the boxing event, the CA-Client looks up the parameters from the channel-guide to set up the data receiver and packet filter for receiving the show s digital audio and video streams. More importantly, the CA-Client looks up the CA descriptor and extracts parameters to set up the packet filter for receiving ECM packets associated with the channel. When the ECMs arrive, the CA-Client passes them to the CA-Module and waits for response. When the CA-Module receives an ECM, it authenticates and decrypts the ECM to extract the control word and access parameter of the tuned channel. Comparing the access parameter to the stored entitlement parameter, CA-Module finds that the service belongs to a subscription level higher than that of the subscriber. Thus, the CA-Module returns a status code of below service level to the CA-Client. The CA-Module continues to return the same status code for every ECM passed from the CA-Client since the subscriber s entitlement remains unchanged. Receiving a response status of below service level, the CA-Client displays a message on the TV screen, asking the subscriber to call the customer service center for service upgrade. The message 4

remains on screen for as long as the CA-Module returns the same response to all ECMs passed from the CA-Client. As instructed by the on-screen message, the subscriber calls the customer service center to request service upgrade. After confirming the request and obtaining online credit approval, the customer representative enters the new subscription level to the SMS. Upon receiving the upgrade, the SMS provides the new subscription level and the subscriber s CAM-ID to the CA-Host. The CA-Host encapsulates the new subscription level into an EMM, tags it with the subscriber s CAM-ID, signs and encrypts it, and inserts the EMM into the broadcast traffic. Back at the receiver site, the CA-Client receives the EMM tagged with the subscriber s CAM-ID and passes it to the CA-Module. After authenticating and decrypting the EMM, the CA-Module stores the new subscription level into its internal secured storage. When a subsequent ECM from the boxing channel comes along, the CA-Module finds that the subscriber is entitled to the channel. Consequently, CA-Module returns the control word. Receiving a valid control word from the CA-Module, the CA-Client sets up the descrambler, and the digital audio and video data are descrambled, decoded, and shown on the TV set. Seeing the boxing event, the subscriber is happy and ends the conversation with the customer representative. From this point on, the CA-Client continuously feeds the channel s ECMs to the CA-Module, which returns new control words as they change. Summary The DVB conditional access architecture manages end-users rights to access contents of a DVB digital TV network. The architecture separates functions into subscriber management, subscriber authorization, and data scrambling. The same broadcast network is used for content delivery and access control. To defend against attacks, the architecture relies on secret designs, cryptography, and temper-resistant hardware to achieve its objectives. Furthermore, system components are carefully partitioned for damage management, where critical parts can be inexpensively replaced when security is compromised. The architecture is adopted by many broadcasting networks around the world and serves as a reference model for many other deployments of digital TV broadcasting. 5

References [1] M Carter, "Pay TV Piracy: Lessons Learned," in Digital Rights Management Workshop (2000), at http://www.eurubits.de/drm/drm_2000/slides/carter.pdf. [2] Donvito.dk, "Sat-Lexicon," at http://www.donvito.dk/sat-lexicon.htm. [3] P Delogne, "CONCERTATION MEETING No 44," meeting report; at http://media.it.kth.se/sonah/analysys/race/pl4/concert/meet_rep/rcm44.htm. [4] ETSI, "Digital Video Broadcasting (DVB); Support for Use of Scrambling and Conditional Access (CA) within Digital Broadcasting Systems," ETR 289 (1996). [5] EUTELSAT, "Technical Guide: Annex B - Overview of DVB," at http://www.eutelsat.com/satellites/pdf/tvservices/annex_b_dvb.pdf. [6] EUTELSAT, "Technical Guide: Annex C - Guide to Further Information," at http://www.eutelsat.com/satellites/pdf/tvservices/annex_c_dvb.pdf. [7] MG Kuhn, "The New European Digital Video Broadcast (DVB) Standard," at http://www.cl.cam.ac.uk/~mgk25/dvb.txt. [8] J Ribés, "Glossary of Terms," at http://www.tele.ucl.ac.be/cas/glossary/main_f_js.html. [9] BJ Rijinsoever, JP Linnartz, "Interoperable Content Protection for Digital TV," in IEEE International Conference on Multimedia & Expo (2000), at http://buffy.eecs.berkeley.edu/~linnartz/articles/opima.pdf. 6

Digital Video Broadcasting Conditional Access Architecture A Report Prepared for CS265-Section 2, Fall 2002 Prof. Stamp By Tong Ho

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information