CI Plus Overview. 6th July 2009. CI Plus Limited Liability Partnership (LLP) www.ci-plus.com

CI Plus Overview 6th July 2009 CI Plus Limited Liability Partnership (LLP) www.ci-plus.com

Table of Content Page: One Page Overview of CI Plus 3 History of Common Interface 4 Requirements & Scope with CI Plus 8 CI Plus System Overview 10 CI Plus Specification 11 - SAC (Secure Authenticated Channel) - Authentification - Protection of TS (Transport Stream) with CC (Content Control) - URI (Usage Rules Information) - Revocation, Shunning - Interactivity with MHP CA API CI Plus Administration 19 - CI+ LLP, Certificate Agent & Test Center - CI+ Documentation - Flow Chart of Certification & Licensing Summary 23 PCMCIA CI CA CI-CAM SC CA Conditional Access CAM CA Module CI Common Interface PCMCIA Personal Computer Memory Card International Association SC Smart Card 2/ 24

Issue with and Solution with One page overview 1997-02 Quite old standard EN 50221 with unencrypted CAM output 2006-09 Closed DVB TM-CIT group after missing consensus 2007-07 CI+ Forum founded by 6 companies 2008-01 CI Plus Spec.v1.0 with encrypted output 2008-11 CI+ forum replaced by CI Plus LLP 2009-03 Appointment of Encrypted TV Signal Encrypted Common Interface Module Smartcard 3/ 24 Plasma/LCD IDTV additional Usage Rules for A/D output and storage STB, Recorder,... PCMCIA Interface x x Copy of original digital content is impossible!

History of Common Interface (CI) 1997-02: Standard DVB CI v1 (EN 50221) (with unencrypted output of CAM) 1999-11: Extension ETSI TS 101 699 2002-01: EU directive for CI in IDTV with > 30cm 2006-09: Start of DVB TM-CIT group (to close security gaps with new CI v2...) Closed after missing consensus on technology 2007-07: Founding CI+ Forum by 6 companies 2007-12 CI Plus Specification draft 2008-01 CI Plus Specification v1.0 (with encrypted CAM interface) 2008-11 Disbanding of CI+ Forum & creation of CI Plus LLP (UK Limited Liability Partnership) 2009-02 CI Plus Specification v1.1 2009-02 TC TrustCenter GmbH appointed 2009-03 DTV Labs Ltd. appointed test facility 4/ 24

DVB-CI & CI Plus - Usage for SD/HDTV Set-Top-Box with integrated Decrypton-System SDTV SDTV Smart Card Display or IDTV (Only for few content used or permitted) Smart Card with DVB-CI SDTV Smart Card with CI+ 5/ 24

DVB CI - Current Standard v1 CI-Module used with smartcard containing key-informationen CI-Module remove the encryption of protected content The output of CI-Module is unencrypted Due to this, most content providers prefer integrated solutions because of higher security Smartcard Encrypted Televion Signal Encrypted Televion Signal CI-module PCMCIA Interface Copy of original digital content is possible No Encryption Plasma / LCD IDTV 6/ 24

CI Plus - Protection of Content Based on existing DVB-CI Standard Main requirement: achieving the same level of security as embedded solutions CI Plus Module and Receiver - Calculation & Usage of a secure key for content protection - Secure, authentificated channel for critical system messages The output of module is encrypted Only certified devices are supported Smartcard Encrypted Television Signal Encrypted Television Signal CI Plus Module PCMCIA Interface Plasma / LCD IDTV Local Encryption Copy of original digital content is not possible! 7/ 24

CI Plus - Scope of Protection CA Conditional Access CC Content Control 8/ 24

CI Plus - Scope of Compatibility Host CA Module (CAM) DVB CI CI Plus Host & Module DVB-CI mode Module in DVB-CI mode* Host in DVB-CI mode Host & Module CI Plus mode * DVB-CI mode operation defined by network operator 9/ 24

CI Plus - System Overview CA Conditional Access CC Content Control CI Common Interface CAM Conditional Access Module 10 / 24

CI Plus - Specification v1.2 Chapter: Pages: 1-3 Scope, References, Definitions,... 17 4 System Overview 4 5 Theory of Operation 31 6 Authentication Mechanisms 16 7 Secure Authenticated Channel 12 8 Content Key Calculations 4 9 Public Key Infrastr. & Certificate Details 9 10 Host Service Shunning 4 11 Command Interface 13 12 CI Plus Application Level MMI 10 13 CI Plus MMI Resource 2 14 Other CI Extensions 14 15 PVR Resource 8 Annex A...N 99 Total: 243 file: ci_plus_specification_v1.2.pdf date: 2009-04-25 11 / 24

CI Plus - Protocols 1. Compare CI+ versions supported by IDTV and CAM. 2. If both sides have the same auth key, they have performed a successful authentication with each other. 3. CI+ CAM and IDTV authenticate each other to make sure the opposite device is a valid CI+ device. 4. The Secure Authenticated Channel (SAC) is used for transmission of security-related messages between CAM and IDTV. 1. 2. 3. 4. 5. Host Capability Evaluation Auth Key Verification Authentication SAC Key Calculation URI Version Negotiation 6. URI Acknowledgement 5. Usage Rules Information (URI) version negotiation to find a URI version that is supported on both sides. 7. CC Key Calculation 6. URI transmission and acknowledgement used by CAM to send a set of usage rules information to the IDTV. 8. SRM Acknowledgement 7. Content Control (CC) key calculation used by both sides to calculate keys for scrambling /descrambling of transport stream (TS). 8. System Renewability Message (SRM) transmission and acknowledgement is used from CI+ CAM to transfer SRM for HDCP and DTCP-IP to the IDTV. 12 / 24

CI Plus - Transport Stream Output Protection Host and CICAM Capabilities: DES-56-ECB Data Encryption Standard, 56-bit key, Electronic Code Book (USA 1999-10, Federal Information Processing Standards, FIPS 46-3) AES-128-CBC Advanced Encryption Standard, 128-bit key, Cipher Block Chaining (USA 2000-10, National Institute of Standards and Technology, NIST, FIPS 197) 13 / 24

CI Plus - Authentication Supported Authentication Phases per Service Mode: Basic Service Mode Registered Service Mode example: - Requires upstream communication to HE (Head End) DH = Diffie-Hellman key exchange 14 / 24

CI Plus - Devices & external Interfaces CI Plus IDTV Signals / Interfaces Devices STB/PVR time shifted recording (optional) Analogue PAL / NTSC / SECAM RGB / YUV / S-Video Display Encrypted Content, paired to receiver: the content cannot be copied without authorization.. Digital HDMI / HDCP DTCP-IP 15 / 24

CI Plus - Usage Rules Information (URI) URI initial default value for host, e.g. after channel change: protocol version = 0x01 emi_copy_control_info = 0b11 (Encryption Mode Indicator) aps_copy_control_info = 0b00 (Analog copy Protection System) ict_copy_control_info = 0b0 (Image Constraint Trigger/Token) rct_copy_control_info = 0b0 (Redistribution Control Trigger) rl_copy_control_info = 0b000000 (Retention Limit, default 90 min) reserved bits = 0b0 Analog Digital Digital Storage URI Mapping Table: Analog Output (MV, APS, CGMS, ICT) Digital Output (HDCP, DTCP, SPDIF) Digital Storage (AACS, CPRM, VCPS) URI see e.g. Digital Transmission Content Protection (DTCP), www.dtcp.com Specification 2007-10, rev 1.51 16 / 24

CI Plus - Mechanisms of Revocation Host Service Shunning Host shunning state determined from Service Descriptor Table (SDT) Shunning active: Service can only be descrambled by CI+ Module Shunning non active: Service can be descrambled by DVB-CI or CI+ Module Host Revocation Certificate Revocation List (CRL) transmitted to CICAM black-lists a host Certificate White List (CWL) can revert a previous revocation of a host Level of revocation granularity: 1. Unique host 2. Range of hosts 3. Certain model 4. Certain brand Revocation by CAS Possible, but out of CI Plus specification scope 17 / 24

CI Plus - Additional Interactivity with Consumer CI Plus Browser Enables to CI Plus modules to display graphics with menues, pictures, logos,... in a common method on all CI Plus receivers/displays Allows easy interaction with default remote control Support of MHP CA API Enables to the broadcasted MHP applikation to communicate with a CA Smartcard inside the CI Plus module Country- and Language Support Enables CI Plus modules to use the same language in menues, which is already defined by user in the receiver setting. 18 / 24

CI Plus - LLP, Certificate Agent & Test Center CI Plus LLP contact details: CI Plus LLP, www.ci-plus.com The Billings, Guildford, Surrey GU1 4YD, UK Tel/Fax: +44.1483. 302264/-302254 CI Plus LLP authorized Certificate Agent: TC TrustCenter GmbH, www.trustcenter.de Sonninstrasse 24-28, 20097 Hamburg, Germany Tel/Fax: +49.40.808026-0/-126 Mail: ciplus@trustcenter.de CI Plus LLP approved Test Center: Digital TV Labs Ltd., www.digitaltv-labs.com Venturers House, King Street, Bristol, BS1 4PB, UK Tel/Fax: +44.117.915-4018/-4088 Mail: info@digitaltv-labs.com 19 / 24

CI Plus - Documentation Documents on www.ci-plus.com: CI Plus Device Interim License Agreement - Compliance and Robustness Rule... CI Plus Specification v1.2 - Detailed Specification for Receiver and Module with change notices 001 and 002 Supplementary Specification v1.2 - Requirements for host revocation/shunning Test Specification v1.0 - Definition of test- and registration process Registration Application - Application for test and registration of a device last update: 2009-04-25 Documents on www.trustcenter.de: On-Boarding Guideline, CI Plus Specification Interim License Agreement (ILA) Certificate Supply Agreement (CSA) Forms: Identification, Administrator Authorization Brand On-Boarding, Registration Application Robustness Certification Checklist 20 / 24.../solutions/consumer_electronics.htm

CI Plus - License Agreement with Exhibits A-L A: Device Type B: Robustness Rules C: Compliance Rules for Host Device D: Compliance Rules for CICAM Device E: URI Mapping Table G: Robustness Rules Checklist H: Confidentiality Agreement I: Fee schedule J: Registration Procedure Host Device Robustness Rules CICAM Device Compliance Rules K: Change Procedure L: Revocation Procedure Confidentiality Agreement 21 / 24

CI Plus - Implementation... At Website Public Specification, License Agreement (incl. Compliance and Robustness) CI Plus LLP (Limited Liability Partnership) Trust Authority (TA) Sign License Agreement 15,000 registration/yearly Receive License specs and Test technology Device Testing Result Robustness Checklist 5,000/device type Device Registration Production Credentials Device Manufacturer of CI Plus Module / Host New device Robustness Checklist Test Partner Test of Device or Self-Test-Registration (after registration of 2 different device types) Device Testing Result Certification Authority (CA) TC Trust Center Order Certificates (keys) 500/10.000 devices Deliver Certificates (keys) 22 / 24

CI Plus - Summary CI Plus is based on DVB-CI standard and is downward compatible Encrypted communication over the CI/CI+ interface - Secure & authenticated channel for critical system messages - Encrypted transmission of digital content from CI+ module towards the host device Implementation - Licensing & administration of Certificates managed by independant Trust-Center - Certification of end user devices & CI+ modules in a digital TV laboratory Future proof with URI (Usage Rules Information) for UPnP, CPCM, CSA3, DTCP, DLNA,... Internet LAN PVR STB 23 / 24

Thank you for your interest CI Plus LLP www.ci-plus.com www.ci-plus.com/forum TC TrustCenter GmbH www.trustcenter.de Digital TV Labs Ltd www.digitaltv-labs.com CI Plus Limited Liability Partnership (LLP) www.ci-plus.com