An Efficient Satellite CAS Using Password-Based Protocol

An Efficient Satellite CAS Using Password-Based Protocol Youngsoo Kim+ [email protected]

Joonsuk Yu+

Dongho Won+

[email protected]

[email protected]

+

School of Electrical and Computer Engineering Sungkyunkwan University

300 Chunchun-dong, Suwon, kyunggi-do, 440-746, KOREA

Abstract We shall introduce a new satellite Conditional Access System (CAS) in which a subscriber could use a pay-TV knowing only his or her identity and password, and not carrying a smart card. For this new system, two password-based protocols are presented which not only share a session key and authenticate each other but also download an authorization key. Since this system does not need an expensive Card Adaptive Device (CAD), it can reduce costs. Furthermore, this system provides for descrambler independence allowing it to be used through any TV set-top box that includes a descrambler.

1. Introduction

With the all-ready rapid development of technology in the fields of computers, communication and broadcasting, the movement has now been further accelerated going from an information society to multimedia one. And, in particular, broadcasting technology development is the primary basis of an expansion of the multimedia environment, something easily identified in our everyday experience. Also, in accordance with the ever increasing demands of users and the diversity of broadcasting media, the number of 1

broadcasting channels is increasing along with some specialized broadcasting channels coming into being. In order to broadcast these higher-quality and well-produced programs, subscriber subscription fee system will most likely dominate the specialized broadcasting station. So, to preserve the continued financial stability of the pay-TV system, the Conditional Access System (CAS) has been adopted so that only authorized subscribers are able to watch programs. When the Conditional Access System (CAS) first began to be used, since a TV set-top box contained a decryption algorithm and a secret key, any non-subscriber could watch pay-TV programs with simply the possession of an illegal pirate box. One method of preventing this illegal viewing was to update the decryption algorithm and secret key by changing the TV set-top box periodically. But, it was an untenable situation with the continuous changing of expensive TV set-top boxes. As an alternative plan, most of the present CAS use a smart card that is separate from the TV set-top box and includes a decryption algorithm and a secret key [9]. However, the current CAS has some shortcomings. First, a subscriber has to buy and attach a comparatively expensive Card Adapter Device (CAD) to a TV set-top box in order to have use of the smart card. Additionally, the decryption algorithm and the secret key in the smart card must be periodically updated. Finally, since a descrambler in a TV set-top box is dependent on a smart card, a subscriber cannot watch programs without his or her own descrambler. Therefore, under the present CAS environment, the exchange of ownership of a descrambler would be very difficult and troublesome. Moreover, the owner would have to make available his or her own identity if the selling of the descrambler to another person is desired [10] - a very dangerous idea in the information society.1) In this paper, we propose a new satellite CAS that allows it to be used by the subscriber knowing only the identity and password, and not carrying a smart card. For this new system, two password-based protocols, which would not only share a session key and authenticate each other, but also allow the download of an 1)K.S.Kim et al. proposes a solution to this problem which eliminates a descrambler's dependence by replacing the subject of mutual authentication with the descrambler rather than the smart card [9][10]

2

authorization key, are presented. Since this system does not need an expensive CAD, it can reduce the cost. Furthermore, this system provides the independency of a descrambler enabling its use through any TV settop box possessing a descrambler. As for the rest of the paper, in section 2, we review the current satellite CAS using smart cards. And, in section 3 we briefly examine diverse password-based protocols that have been proposed and present a new satellite CAS and two applicable password-based protocols. Finally, we conclude our findings in section 4.

2. Satellite CAS using smart cards

The present satellite CAS consists of a sender, a satellite network and a receiver. A sender is made up of a broadcasting station and a subscriber management system (SMS). Figure 1 shows its operation modules and notations are as follows:

- CW: control word - AK: authorization Key used for encrypting control word - pwd: subscriber's password - PRNG(CW): pseudo-random number generated by a seed CW - SCR(x): value of scrambling x - SCR-1(y): value of descrambling y - EAK(CW): ciphertext of message CW under encryption key AK - DAK(F): plaintext of ciphertext F under decryption key AK - AV: audio and video signal - SK: session key - h: one way hash function 3

Figure 1. Satellite CAS using a smart card

A broadcasting station makes AV and generates a pseudo-random number I using a CW provided by the SMS. An encrypted CW under AK and a scrambled AV using I are sent to a subscriber's TV set-top box through a satellite network. In order to get the CW that is used for descrambling, a subscriber must have encryption key AK. This key generated by the SMS is encrypted using a subscriber's password stored in a smart card and sent to a subscriber on his first subscription or updating period. When a subscriber's TV settop box gets F & J from a satellite network, it delivers them to its own descrambler. A smart card inserted in its descrambler yields a CW using the password and AK. Finally, a smart card delivers the CW to its descrambler, and that same descrambler retrieves AV using a pseudo-random number I. Figure 2 illustrates the above described operations. In these operations, a smart card and a descrambler authenticate each other using the Fiat-Shamir's zero-knowledge authentication [6].

3. A new satellite CAS 4

Figure 2. Operations of a satellite CAS using a smart card

In this section, we propose a new satellite CAS using a password-based protocol without a smart card. At first, we briefly examine some password-based protocols that have been alluded to previously. Next, we show the structure and modules of the new system, and finally we propose two applicable password-based protocols.

3.1 Password-based protocols

In 1992, Bellovin and Merritt proposed a new protocol known as Encrypted Key Exchange, or EKE [3]. This protocol uses both a symmetric and public key cryptography, and protects dictionary attacks by giving an eavesdropper insufficient information to verify a guessed password. In the most general form of EKE, the two communicating parties encrypt key materials with a symmetric cipher using their shared password as a key. Since its presentation, EKE has been developed into a family of protocols, many of which are stronger than the original or add new desirable properties. For example, DH-EKE [16] and SPEKE [7] add what is known as forward secrecy, which means that revealing the password to an attacker does not help him get the 5

session keys of past sessions. It also means that a stolen session key does not help an attacker carry out a brute-force guessing attack on the password [17]. The EKE's greatest shortcoming is that it has a property of plaintext-equivalence [17], requiring that both the client and the host have access to the same password or hash thereof. There is a variant of EKE, known as Augmented EKE or A-EKE [4], which makes EKE a verifier-based protocol, but the modification also destroys forward secrecy [16]. In 1997, B-SPEKE [8] extended the EKE family of protocols to address the issue of holding plaintextequivalent data in password files. It adds another key exchange round to verify the client's possession of the actual password as opposed to a stolen verifier from the password file. On the other hand, T. Kwon et al. have proposed a scheme that uses a one-time pad and strong hash function in order to reduce running time and computational complexity [11]. They used a one-time pad to encrypt a new session key rather than use a conventional block cipher algorithm. In addition, a strong hash function was employed rather than a conventional cipher algorithm to exchange challenge-response messages for a new session key. SRP [17] is also a verifier-based protocol, so an attacker who captures the password database cannot use it directly to compromise security and gain immediate access to the host. This protocol combines techniques of zeroknowledge proofs with asymmetric key exchange protocols and offers significantly improved performance over comparably strong extended methods that resist stolen-verifier attacks [4] such as A-EKE or B-SPEKE. Recently, T. Kwon et al. suggested an agreement scheme for the Diffie-Hellman exponential [5] gxy as a keying material via password authentication [12]. Compared with related protocols such as A-EKE and BSPEKE, this scheme is more efficient with regard to the number of protocol steps or the total amount of execution time. In the meantime, a new protocol that could download a subscriber's security context by using a password-based protocol has been proposed by perlman & Kaufman [14]. In this scheme, they skip a message of the EKE/SPEKE handshake and add a message to download the security context like private key or certificate, etc. They also suggested some variants that could avoid denial-of-service attacks, allow for salt, 6

and are minimal in computation and number of messages. We adopt two of their variants for a new satellite CAS.

3.2 New proposed satellite CAS

We propose a new satellite CAS that not only shares a session key and authenticates between a subscriber and the SMS but also downloads the AK by using a secure password-based protocol. Compared with current systems, it reduces the amount of computations by eliminating the AK-encryption module and simplifying the receiver’s CW-decryption process. This system consists of a sender, a satellite network and a receiver. A sender is made up of a broadcasting station and SMS. Figure 3 shows the operation modules for the new satellite CAS.

Figure 3. Proposed new satellite CAS

This system would not require a TV set-top box to include an expensive CAD, so it can reduce the cost. Furthermore, since it provides the independence, a subscriber could watch programs through any TV set-top box with a descrambler. Figure 4 represents the operations of this new type of system. 7

Figure 4. Operations of a proposed system

ƒ If someone requests to subscribe, the SMS issues an identity and password. Meanwhile, SMS generates a CW and an AK and sends them to the broadcasting station.

ƒ The broadcasting station generates a pseudo-random number I using the CW. Also, it makes AV and generates J, the value of scrambling AV with I: I = PRNG(CW) J=SCRI([AV])

ƒ The broadcasting station encrypts CW with AK and yields F: F=EAK(CW)

ƒ The broadcasting station broadcasts J and F through a satellite network (F is contained in Entitlement Control Message (ECM)), and the subscriber's TV set-top box receives them.

ƒ When subscribers want to watch programs, they input their own identity and password into the TV settop box by remote controller.

ƒ By using a password-based protocol, a TV set-top box shares session key K with the SMS and 8

downloads the AK using it. (AK being updated periodically)

ƒ The subscriber's TV set-top box decrypts F, which is obtained from the satellite network, with AK and formulates CW: CW=DAK(F)

ƒ The subscriber descrambler generates a pseudo-random number I using the CW and receives an original AV by descrambling J with I: I=PRNG(CW) AV = SCR-1I(J)

In next two sections, two password-based protocols are presented. The first protocol is a 6-message protocol, which uses random numbers (ex. RBS, salt) which are generated by a broadcasting station to progress security. The second protocol is a 2-message protocol, which reduces the running time and computational complexity for more practicality.

3.3 The first password-based protocol applicable to a new satellite CAS

The first protocol is a 6-message protocol that is based on SPEKE [7] and Perlman & Kaufman’s scheme [14]. It uses two random numbers, salt and RBS. This protocol prevents a denial-of-service attack using RBS, which is generated by a broadcasting station and interchanged with the receiver. It was also designed to include salt to W, a hash value of the pwd, in order to protect a dictionary attack. This protocol needs some additional computations and messages to generate and send random numbers.

a. Operation processes

9

If someone requests to subscribe, the SMS of the broadcasting station issues an identity and password and stores them. If a subscriber wants to watch programs, the identity and pwd are inputted into a subscriber’s TV set-top box by remote controller. The subscriber's TV set-top box sends the identity to the broadcasting station. The SMS verifies the identity, generates (salt, RBS) and sends them to the subscriber. The subscriber’s TV set-top box computes W=h(pwd, salt), selects a random number A (1

ú Aú p-2, p is a large

prime) and sends WA mod p to a broadcasting station with RBS. Then, the broadcasting station selects a

ú ú

random number B(1 B p-2) and sends WB mod p to a subscriber. The subscriber’s TV set-top box computes a session key K=WAB mod p and sends h(K), a hash value of K to the broadcasting station. Finally, the broadcasting station computes Y=EW(AK) and sends the encrypted value with K to the receiver. Figure 5 shows above described operations.

Figure 5. First password-based protocol applicable to a new satellite CAS

b. Security of this protocol

This protocol uses random numbers, salt and RBS, to prevent dictionary attacks or denial-of-service

10

attacks. If we do not use salt and compute simply W=h(pwd), anyone who steals the broadcasting station's database can conduct a dictionary attack. Therefore, we have included salt to W in order to make this kind of attack difficult. On the other hand, RBS is a random number the broadcasting station sends and the subscriber returns providing proof that the subscriber is actually receiving at the location where he or she is claiming to be. This is helpful against an attacker who sends numerous requests with forged serial number of a specific descrambler to avoid capture. Besides, this protocol replaces the fourth message of the EKE [3] or SPEKE [7] in which the client authenticates the server with the message of downloading AK encrypted with session key K. Since this protocol does not have a process authenticating the broadcasting station, it is possible that someone who has stolen a subscriber's password into tricking him or her into using the wrong AK. But, given that the password is the only means of authenticating the broadcasting station, this kind of attack is unavoidable. So there is no security disadvantage to eliminating the message a subscriber authenticates the broadcasting station.

3.4 The second password-based protocol applicable to a new satellite CAS

The second protocol is a 2-message protocol that is also based on Perlman and Kaufman’s scheme [14] and reduces running time and computational complexity for practicality. In this case, the broadcasting station stores the subscriber's identity, WB mod p and B. In this scheme, the broadcasting station does not store W to prevent a single password guessing attack (i.e. an attacker obtains a subscriber's password from the broadcasting station's database directly). Moreover, the broadcasting station always would use the same B for a particular subscriber, so reducing some of the computations.

a. Operation processes

11

If someone requests to subscribe, the broadcasting station’s SMS issues an identity and pwd to the subscriber and stores the identity, WB mod p and B(W=h(pwd), B being the subscriber-specific random number selected by the broadcasting station). When the subscriber inputs his or her identity and pwd by remote controller, the subscriber’s TV set-top box selects a random number A (1

ú Aú p-2, p being the large

prime) and sends WA mod p to the broadcasting station with the identity. Then, broadcasting station SMS authenticates the identity and computes the session key K=WAB mod p using the received data WA mod p and B(1

ú Bú p-2)

stored at the beginning. The broadcasting station computes Y=EW(AK) and sends this

encrypted value with K to the subscriber's TV set-top box with WB mod p which would be stored at first registration. Finally, the subscriber’s TV set-top box computes K and gets AK using K and W. Figure 6 illustrates the above listed operations.

Figure 6. Second password-based protocol applicable to a new satellite CAS

b. Security of this protocol

This protocol is an optimized version of the first proposed protocol, which eliminated salt, RBS, and the mutual authentication process between subscriber and SMS. Therefore, it is possible for this protocol to have some security problems that deem consideration. At first, there could be an attacker who impersonating a

C. However without knowing A, he or she cannot obtain the session key K, pwd nor AK, even with knowledge of D. Next, an attacker who impersonates the subscriber gets a single

broadcasting station by getting

12

chance to verify the password guess in an unaudited way. If the wrong password is guessed, he or she will have no information about K, and therefore no information about Y. However, one gets one piece of information on the incorrect guess- that the guess he chose was indeed incorrect. The broadcasting station cannot tell if someone requesting the AK download is legitimate or not. But, it is important that this be only a single on-line password guess. Although a broadcasting station cannot distinguish a legitimate download from a password guess, it should become suspicious if the same subscriber request thousands of password downloads within a short time. Finally, there could exist a situation in which an attacker who wants to compromise files in a broadcasting station. But, even though this attacker gets WB mod p in this way, he or she cannot obtain the password or hash value of the password directly.

4. Conclusion

We have proposed a new satellite CAS that would allow a subscriber usage knowing only identity and password, and not carrying a smart card. At first, we reviewed current satellite CAS using smart cards, and then examined some of its shortcomings. We also delved into the history of some password-based protocols, our central thesis, and have shown structures and modules for a new system. Finally, we have presented two password-based protocols applicable to the new system. Since this system does not need expensive CAD’s, its implementation could reduce costs. Furthermore, this system would provide for the descrambler independence allowing for its use through any TV set-top box having a descrambler. So, with the realization of our proposed satellite CAS model, improvement and increased productivity can only but be the result.

References

[1] N.Asokan, G.Tsudik, M.Waidner, "Server-Supported Signatures", Proc. of ESORICS'96, 1996 13

[2] N.Asokan, M.Schunter, M.Waidner, "Optimistic Protocols for Fair Exchange", 4th ACM Conference on Computer and Communications Security, Zurich, 1997 [3] S.M.Bellovin, M.Merritt, "Encrypted Key Exchange: Password-based protocols secure against dictionary attacks", Proc. of the IEEE Computer Society Conference on Research in Security and Privacy, 1992 [4] S.M.Bellovin, M.Merritt, "Augmented Encrypted Key Exchange: a Password-Based Protocol secure against dictionary attacks and password file compromise", TR, AT&T Bell Lab, 1994 [5] W.Diffie, M.E.Hellman, "New directions in cryptography", IEEE Transaction on Information Theory, v. IT-22, n.6, pp.644-654, 1976 [6] M.Fiat, A.Shamir, "How to prove yourself: practical solution to identification and signature problems", Proc. of Crypto'86, Springer-verlag, LNCS vol.263, pp.186-199, 1986 [7] D.P.Jablon, "Strong Password-only authenticated key exchange", ACM Computer Communications Review, 1996 [8] D.P.Jablon, "Extended password methods immune to dictionary attack", In WETICE '97 Enterprise Security Workshop, 1997 [9] K.S.Kim, "A study on the cryptographic protocols for the Conditional Access System using smart card", Ph.D. thesis, Dept. of Information Engineering, Sungkyunkwan University, Korea, 1996 [10] K.S.Kim, S.J.Kim, D.H.Won, "Conditional access system using smart card", Proc. of JCCI'96, The 6th Joint Conference on Communication & Information, pp.180-183, 1996 [11] T.Kwon, J.Song, "Efficient Key Exchange and Authentication Protocols Protecting Weak Secrets", IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E81-A, No. 1, pp.156-163, 1998 [12] T.Kwon, J.Song, "Secure Agreement Scheme for g^xy via Password Authentication", Electronics Letters, vol.35, no.11, pp.892-893, May 1999 [13] H.Massias, J.J.Quisquater, "Time and Cryptography", TIMESEC WP1, Technical Report, 1997 14

[14] R.Perlman, C.Kaufman, "Secure Password-Based Protocol for Downloading a Private Key", Proc. of the 1999 Network and Distributed System Security (NDSS), 1999 [15] A.D.Rubin, "Independent One-time passwords", USENIX Journal of Computer Systems, 1996 [16] M.Steiner, G.Tsudik, M.Waidner, "Refinement and extension of encrypted key exchange", ACM Operating Systems Review, 1995 [17] T.Wu, "The Secure Remote Password Protocol", 1998 Internet Society Symposium on Network and Distributed System Security, 1998

15