CONDITIONAL ACCESS FOR PAY-TV. â Entitlement. â An entitlement is a customized authorization. â The validity of an entitlement should always be limited in ...
CRYPTOLOGY FOR DIGITAL TV BROADCASTING B. M. Macq and J.-J. Quisquater Proceedings of the IEEE, Volume 83, No. 6, June 1995
1
INTRODUCTION
Cryptography for TV broadcasting is an old issue. Cryptography aims to prevent unauthorized receivers from decoding the programs by scrambling them. Cryptography and cryptanalysis are the two complementary approaches of cryptology. TV programs are very different from military secrets or banking information. The information rate is very much higher. The information value is very much lower.
This paper is devoted to three issues: Conditional aces for pay TV Watermarking of images for copyright protection Image signature for authentication
2
SCRAMBLING DIGITAL TV
Notation Message M (plaintext) Invertible transformation EK1 Encrypted message C=EK1(M) (cipher text) The cipher text is transmitted over a public channel. An authorized receiver decodes the message by the transformation Dk2 := E-1K1. DK2(C) = E-1K1[EK1(M)] = M. K1: encryption key K2: decryption key
Two kinds of encryption algorithms: Block encryption: The plaintext is segmented into blocks of fixed size. Each block is encrypted independently from the other blocks. If a block is sent on a noisy channel, errors propagate on the whole block.
Stream encryption Each plaintext word is EXORed with a key ki generated by a PRN generator. Such schemes are more resistant to channel errors.
3
CONDITIONAL ACCESS FOR PAY-TV
Entitlement An entitlement is a customized authorization The validity of an entitlement should always be limited in time. If the user stops fulfilling the access conditions, he/she cannot receive his/her new entitlement. The entitlements of each user can be granted, renewed or modified.
Specifications Some specific requirements of a CA system Minimizing the constraints imposed on the user Minimization of the management cost Minimization of the theft of services
Control Word The control word should have a sufficient length and a sufficiently short lifetime. The control word will only be passed to the unscrambling system in the decoders of users if the users have the relevant entitlements. In general, an access control system (ACS) may include a security processor that can be removed. 4
CONDITIONAL ACCESS FOR PAY-TV
Access Control
The user of an access control system will be provided with a decoder. The main function of the decoder is to contain the user’s access rights (i.e., the description of the programs to which he/she is entitled). The program provider embeds in his broadcast an entitlement control message (ECM). An ECM will contain the enciphered control word as well as a description of the program (identifier, data, time, level, class, etc.).
Confidentiality problems
Eavesdropping the transmitted signal: To thwart this attack, the design of the system has an encryption technique. Reading sensible information stored in the decoder: This threat is circumvented by using a security processor. Commercial confidentiality Personal privacy
Integrity problems
Introduction of altered information in the decoder (e.g., an extension of the validity period of some entitlement.
Authentication problems
The security processor will behave as the authorized representative of the program provider.
5
CONDITIONAL ACCESS FOR PAY-TV
Access Control Messages Two types of messages: ECMs and EMMs. The entitlement control message (ECM) An enciphered form of the control words The access parameters: an identification of the program and of the conditions required for accessing this program. z z z z z
Program number Program cost per view Program cost per unit of time Program theme/level and date Maturity rating
These messages are routed to the security processor (implemented as a smart card). The security processor will decipher the control word and send it to the unscrambling circuit if one of the entitlements it contains covers the access parameters appearing in the ECM.
The entitlement management message (EMM) z New entitlements to the end user (new subscriptions, new program numbers) z Information about the consumption
The EMMs can be routed either on the signal transmission channel or on a distinct channel.
6
MPEG 2 FRAMES
The picture frames are divided into 3 classes: I frames are coded without reference to preceding or upcoming frames in the sequence. P frames are coded with respect to the temporally closest preceding I frame or P frame in the sequence. B frames are interspersed between the I frames and P frames in the sequence. Renewability of content protection systems
MPEG 2 is based on the Discrete Cosine Transform (DCT). Each frame (I, P, and B) goes through the following steps: DCT Quantization Entropy coding
7
AN I FRAME
8
A CASE STUDY: AN 8X8 BLOCK
52
55
61
66
70
61
64
73
63
59
66
90
109
85
69
72
62
59
68
113
144
104
66
73
63
58
71
122
154
106
70
69
67
61
68
104
126
88
68
70
79
65
60
70
77
68
58
75
85
71
64
59
55
61
65
83
87
79
69
68
65
76
78
94
9
A CASE STUDY: LEVEL SHIFTING
The quantity 2n-1 is subtracted from each pixel value. n=8 => 2n-1= 128
-76
-73
-67
-62
-58
-67
-64
-55
-65
-69
-62
-38
-19
-43
-59
-56
-66
-69
-60
-15
16
-24
-62
-55
-65
-70
-57
-6
26
-22
-58
-59
-61
-67
-60
-24
-2
-40
-60
-58
-49
-63
-68
-58
-51
-65
-70
-53
-43
-57
-64
-69
-73
-67
-63
-45
-41
-49
-59
-60
-63
-52
-50
-34
10
A CASE STUDY: APPLICATION OF DCT
-415
-29
-62
25
55
-20
-1
3
7
-21
-62
9
11
-7
-6
6
-46
8
77
-25
-30
10
7
-5
-50
13
35
-15
-9
6
0
3
11
-8
-13
-2
-1
1
-4
1
-10
1
3
-3
-1
0
2
-1
-4
-1
2
-1
2
-3
1
-2
-1
-1
-1
-2
-1
-1
0
-1
11
A CASE STUDY: NORMALIZATION MATRIX
Z (u , v)
16
11
10
16
24
40
51
61
12
12
14
19
26
58
60
55
14
13
16
24
40
57
69
56
14
17
22
29
51
87
80
62
18
22
37
56
68
109
103
77
24
35
55
64
81
104
113
92
49
64
78
87
103
121
120
101
72
92
95
98
112
100
103
99
12
A CASE STUDY: QUANTIZATION
DCT coefficients are quantized using the below formula
⎡ T (u, v) ⎤ Tˆ (u , v) = round ⎢ ⎥ ⎣ Z (u, v) ⎦
38 consecutive zeros!
-26
-3
-6
2
2
0
0
0
1
-2
-4
0
0
0
0
0
-3
1
5
-1
-1
0
0
0
-4
1
2
-1
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
13
A CASE STUDY: ZIGZAG REORDERING
[-26 -3 1 -3 -2 -6 2 -4 1 -4 1 1 5 0 2 0 0 -1 2 0 0 0 0 0 -1 -1 EOB]
a special EOB Huffman code word indicates that the remainder of the coefficients are zeros.
14
A CASE STUDY: ZIGZAG REORDERING
Entropy coding is lossless. DC and AC coefficients are treated differently. Differential Pulse Code Modulation (DPCM) on DC coefficients Each DPCM-coded DC coefficient is represented by a pair of symbols: (CATEGORY, AMPLITUDE) CATEGORY: indicates the # of bits needed to represent the coefficient. AMPLITUDE: contains the actual bits. The 1’s complement notation is used for negative numbers.
Run-length coding (RLC) on AC coefficients
RLC replaces each AC coefficient by a pair (RUNLENGTH, VALUE) RUNLENGTH: indicates the # of zeros in the run. VALUE: the next nonzero coefficient. The special pair (0,0) indicates the EOB after the last nonzero AC coefficient.
15
A CASE STUDY: COMPLETELY CODED ARRAY
1010110 0100 001 0100 0101 100001 0110 100011 001 100011 001
[-26 -3 1 -3 -2 -6 2 -4 1 -4 1 1 5 0 2 0 0 -1 2 0 0 0 0 0 -1 -1 EOB]
001 100101 11100110 110110 0110 11110100 000 1010 # of bits needed to store the 8x8 block = 64x8 = 512 # of bits after JPEG compression = 92 Compression ratio = 512/92 => 5.6:1
16
SET-TOP BOX
Set-Top Box DVD player
Broadcast network
PC Switched network
DTV
Remote control device
17
COPYRIGHT PROTECTION BY DIGITAL IMAGES
The issue of copyright protection of digital broadcasted sources is being studied. An electronic stamp must be a holographically inlaid over all the picture. The requirements for the electronic stamp:
Undeletable by a hacker. Perceptually invisible. ∈ Statistically invisible. Fully resistant to any additional noise (compression, transmission, etc.)
I: the original image, ∈ : the stamp Stamp procedure
Q: a procedure which extracts essential characteristics of I. S(Q(I)) → ∈ , where S is a secret algorithm. I ⊕ ∈: the stamped image CS(Q(I ⊕ ∈)), → stamped by S = “YES”, where CS is a correlation procedure.
18
AUTHENTICATION OF PICTURES
A stamp is not a signature. The stamp aims to protect the author while the signature aims to protect the receiver. There are different methods of signature generation: Symmetric Asymmetric
Asymmetric methods
Diffie-Hellman key agreement RSA signature scheme ElGamal signature scheme Digital Signature Standard (DSS): This standard specifies a Digital Signature Algorithm (DSA).
Symmetric methods Diffie-Lamport signature scheme Merkle signature scheme 19