Sistemul De Acces Conditionat!

[gessle]

All pay-media operators require a means for ensuring that payment is received in return for the program content they provide. The technical system that achieves this objective is called a conditional-access (CA) system.

Two key functions of CA systems are to exercise control over the access to a service that is transmitted electronically, and to control the conditions under which access is granted. There are various reasons for implementing a CA system, such as the need to enforce payment by the end user for consumed services, to restrict access to programming in a particular geographical area because of program rights considerations or to facilitate parental control.

[gessle]

RSA ALGORITHM:

RSA-based Cryptographic Schemes

The RSA algorithm was invented by Ronald L. Rivest, Adi Shamir, and Leonard Adleman in 1977. There are a variety of different cryptographic schemes and protocols based on the RSA algorithm in products all over the world; RSA Laboratories recommends the RSAES-OAEP encryption scheme and the RSASSA-PSS signature scheme with appendix for new applications.
RSAES-OAEP (RSA Encryption Scheme - Optimal Asymmetric Encryption Padding) is a public-key encryption scheme combining the RSA algorithm with the OAEP method. The inventors of OAEP are Mihir Bellare and Phillip Rogaway, with enhancements by Don B. Johnson and Stephen M. Matyas.
RSASSA-PSS (RSA Signature Scheme with Appendix - Probabilistic Signature Scheme) is an asymmetric signature scheme with appendix combining the RSA algorithm with the PSS encoding method. The inventors of the PSS encoding method are Mihir Bellare and Phillip Rogaway. During efforts to adopt RSASSA-PSS into the P1363a standards effort, certain adaptations to the original version of RSA-PSS were made by Bellare and Rogaway and also by Burt Kaliski (the editor of IEEE P1363a) to facilitate implementation and integration into existing protocols.

[gessle]

CSA Overview

The CSA is shown in the following 2 figures:

and

The overview figure show a block diagram of a CSA descrambler which is a combination of 2 cryptographic algorithms: a stream and a block cipher.
A CSA scrambler could look like this:

Stream Cipher Overview


Block Cypher Overview

[gessle]

The following list of technical terms often used in discussions on the
tv-crypt mailing list is intended to help newcomers getting started
quickly and hopefully will also provide for more efficient
communication and less misunderstandings. If you don't understand any
term or abbreviation in a tv-crypt contribution, just do a fulltext
search over this text with your editor.

Any additions and suggestions for improvement are very welcome.

Below follows also a list of recommended introductory literature.


ATR

The Answer-To-Reset message is the first reaction of a smart card
after a reset strobe. The format is specified in ISO 7816.

ASIC

An Application Specific Integrated Circuit is a chip that has been
produced for one specific customer according to his specifications
by a semiconductor manufacturer. In order to keep mask design costs
low, ASICs are usually based on gate arrays, i.e. chips with a large
number of standard cells that are connected by an aluminum path
layer designed specifically for one customer.

blocker

A device inserted between a card and a decoder that checks the data
traffic and interrupts or modifies data packets whenever a card
deactivation message is about to be sent to the card in order to
avoid the deactivation of unsubscribed cards.

BSkyB

British Sky Broadcasting, a TV broadcasting company for the British
and Irish market, belonging to News Corporation, Ruppert Murdoch's
global media empire.

card

A detachable cryptographic module that can be inserted into a pay-TV
decoder, usually conforming to the form factors described in the ISO
7816 or PCMCIA standards, sometimes also in other forms (e.g. the
Nagravision card is formed like a small plastic key). Cards contain
special smart card security processors with a few hundred bytes of
RAM and a few kilobytes of ROM and EEPROM, and sometimes also
additional chips with cryptographic functions.

CM

A Counter Measure is any action taken by the operator of a pay-TV
access control system in order to render clone devices ineffective,
e.g. by using alternative keys in the cards or by exploiting
incompatibilities in the clone software. Especially the nanocommand
interpreters of BSkyB 09 clones have been highly non-portable and
allowed NDC to design a large number of counter measures.

CW

A Control Word is the data used to generate the seed value for the
PRNG that determines the cut-point coordinates for the next approx.
10 s in the EuroCrypt system. In VideoCrypt, the data of the 0x78
instruction corresponds to the CW, which is there changed every 2.5
seconds.

Dallas

The DS5002FP is a 8051 compatible microcontroller from Dallas
Semiconductors designed for highest security applications. It keeps
its software in encrypted form in external battery buffered SRAM and
encrypts each single RAM access. The DS5002FPM version is designed
to be especially resistant against EBT analysis. The DS5000 is the
predecessor of the DS5002FP.

[gessle]

EBT

An Electron Beam Tester is a special modified scanning electron
microscope (SEM) that examines the electrons reflected from a chip
surface in order to determine the voltages on the chip. EBTs can
visualize logic states of on-chip connections as different grey
values (voltage contrast imaging). EBTs are probably a very powerful
tools for analyzing security processors, but they are very expensive
devices.

ECM

An Entitlement Control Message used in EuroCrypt contains the CW
encrypted with an operation key SK. In John McCormac's Black Book,
ECM also means Electronic Counter Measure (see CM).

EMM

An Entitlement Management Message transfers a new operation key SK
to a EuroCrypt smartcard that will allow to decrypt further ECMs.
EMMs can be encrypted using the service management key PDK or the
issuer key IK.

ETSI

European Telecommunication Standards Institute, a company that sells
incredibly expensive paper, including the D2MAC and DVB standards.

[gessle]

EuroCrypt

A pay-TV access control system for the D2MAC color TV broadcasting
system that has been standardized by CENELEC in the European
Standard EN 50094.

FIB

A focused ion beam workstation is an extremely powerful tool to
manipulate VLSI circuits. It can remove and deposit material on
chip surfaces with very high resolution. FIBs can be used to
rewire circuits in chips. They cost several million USD, however
they can be rented for comparatively little money.

hash function

Any function that maps a large set of values onto a much smaller set
of values. Good hash functions have the property that all possible
result values are equally likely. Hash functions are commonly used
in order to store and retrieve data efficiently. Checksums for
example are typical hash functions. Cryptographic hash functions
(also known as message digest algorithms or one-way hash functions)
have the property that it is a very difficult problem to find an
input value that produces a given hash result. Well known
cryptographic hash functions are for example SHS and MD5. In
VideoCrypt, the 32 data bytes of the 0x74 instruction serve as input
to a secret cryptographic hash function; the hash result can be
fetched from the card with using the 0x78 instruction. The
cryptographic hash function implemented in a VideoCrypt smartcard has
in addition a property common with an encryption function: It is
designed such that it is a very difficult problem to guess the
algorithm that implements the hash function by examining a large
number of input/output pairs.

ICC analysis

ICC is the current in the VCC connection of a security processor.
ICC depends on the internal events in a processor and it might be
possible to learn more about the executed algorithm by observing ICC
with digital storage oscilloscopes.

instruction

This term usually refers to a ISO 7816 data packet sent or requested
by a decoder. The instruction number INS is the second byte of the
5-byte long ISO 7816 header.

ISO

International Standards Organization, another company that sells
even more expensive paper, including the MPEG digital TV compression
and ISO 7816 chip card standards. Address: ISO, Case postale 56,
CH-1211 Geneve 20, Switzerland, phone +41 22 749 01 11, fax +41 22
733 34 30. See also <www.iso.ch>.

ISO 7816

The standard to which all cards used today in common pay-TV access
control systems conform at least partially. ISO 7816 defines the
physical form of the card, the location of the eight contacts (VCC,
GND, I/O, CLK, RST, VPP, C4, C8), the electrical characteristics of
the contact interface, the answer to reset (ATR) and protocol
selection mechanisms, and several generic command and data
transmission protocols. EuroCrypt and VideoCrypt use the T=0
protocol of ISO 7816.

ISO header

This refers to the 5-byte header of the T=0 protocol specified in
ISO 7816-3. The five bytes are referred to as CLA, INS, P1, P2, P3.

key

A sequence of bits used as a parameter to cryptographic algorithms.

laser cutter

A laser with a special optic and control unit that can be attached
to microscopes or microprobers. Laser cutters can be used for
micrometer-resolution manipulations on VLSI chips such as local
removal of the passivation layer or the interruption of metal
interconnections.

LFSR

A Linear Feedback Shift Register is probably the form of PRNG that
can most easily be implemented in hardware. It is a simple shift
register where the next input value is always the parity bit (= XOR
result) of certain shift register bits. A shift register that
delivers an input to the XOR is called a tap. The selection of taps
used in a particular LFSR is commonly written as a polynomial over
x, with coefficients one for taps and coefficients zero for other
shift register bits. The degree of the polynomial indicates the
length of the LFSR. Factorizing this polynomial allows to determine
the length of the pseudo random bit sequence generated by the LFSR.
A primitive polynomial corresponds to a LFSR with maximal sequence
length. The output bit of a LFSR is the bit shifted out of the
register. This usual form of the LFSR is known as Fibonacci
configuration. An alternative LFSR form known as Galois
configuration has XOR elements located between certain shift
register bit flip-flops and XORs certain shifted bits with the
output bit. LFSRs alone are extremely bad cryptographic PRNGs,
because the Berlekamp-Massey algorithm can crack them very easily.
However, good cryptographic PRNGs can be constructed using a
combination of several LFSRs that influence each other.

microprober

A special optical microscope and a set of very fine needles that
can be used to contact the metal interconnection layer of
VLSI circuits. This is the most frequently used tool to extract
software stored in EEPROM security microcontrolers. It can be used
to interfere with instruction processing and to eavesdrop on-chip bus
lines. One manufacturer of microprobers is Karl Suss KG in Munich.

nanocommand

In a subcommand 0x80 received by a BSkyB 09 card, the 16 data bytes
before the final 5 signature and checksum bytes contained tiny
programs in a special interpreter language. The bytes of these
programs are known as nanocommands. The nano-opcodes were simply
jump vectors into a quite obscure EEPROM area of the BSkyB 09 card.
Some nanocommands allowed to extend the hash function, others
allowed write access to EEPROM and RAM that could affect the
interpretation of later nanocommands. Nanocommands proofed to be an
efficient means for allowing many counter measures.

NDC

News Datacom Ltd, the company that developed the VideoCrypt and
VideoGuard pay-TV access control systems and other security
applications. NDC is owned by Ruppert Murdoch's News Corporation and
has headquarters in Maidenhead near London and research and
development laboratories in Jerusalem, Israel. News Datacom has now
changed its name into NDS.

PIC

The PIC16C84 and other low-cost microcontrollers as well as serial
EEPROMs are produced by Microchip Technology Inc.

[gessle]

PGP

Pretty Good Privacy is a very popular e-mail encryption and
autentication tool developed by Phil Zimmermann and used very
frequently by tv-crypt members to exchange confidential information
over the Internet.
Phoenix

A PC software developed in early July 1994 by tv-crypt members that
emulates the card interface of a decoder and allowed to send faked
card and channel activation messages to genuine BSkyB series 09
cards.

PPV

A Pay Per View mechanism allows a broadcaster to charge viewers
not only for a permanent subscription to a set of channels,
but also for the access to special single broadcasts like a
spectacular boxing massacre.

PRNG

A Pseudo Random Number Generator is an algorithm that produces a
sequence of numbers that are usually uniformly distributed over a
given range and that show no obvious statistical dependency with
each other. A pseudo random number has an internal state that
changes with each produced random number. Each generated random
number is a function of the internal state. The set of possible
internal states is usually much larger than the set of possible
output numbers. The initial state of a PRNG is called the seed
value. A cryptographic PRNG has the property that if a long sequence
of random numbers produced by the PRNG is know, it is a very
difficult problem to determine the internal state, the seed value or
one of the next output numbers, even if the algorithm is completely
known.

Season7

A PC software that can emulate a VideoCrypt smart card. By using a
serial-port to ISO 7816 adapter, this software allowes to watch
VideoCrypt programs with a normal VideoCrypt decoder, but without a
VideoCrypt subscription card. The first version was released by
Markus Kuhn in early April 1994 to around 10 people who participated
in technical discussions about VideoCrypt in the old
alt.satellite.tv.europe USENET group. This group of people became
the first tv-crypt members. Later, others took the software,
extended and upgraded it or modified it heavily for EuroCrypt
emulation and published it under various names like Season7a,
Season9, MACcess, Voyager, etc. OMIGOD was a nickname for Season7
used in Hack-Watch by John McCormac. The name refers to the original
motivation for writing the software: allowing the author to watch
the seventh season of Star Trek episodes on BSkyB.

seed value

The initial internal state of a PRNG. The seed value sent to the
PRNG implemented in the PTV-3 chip in each VideoCrypt decoder is
calculated by the Motorola 68705R3 processor using the 8-byte hash
result (control word) fetched from the smart card using the 0x78
instruction.

SEM

A Scanning Electron Microscope uses electron beams instead of light
in order to provide very large magnification factors.

signature

A digital signature is the part of a data packet that proves to the
receiver that the data packet was prepared by an authorized source
and has not been created or modified by a hacker. Digital signatures
are usually based on the result of a cryptographic hash function.

subcommand

This fourth byte of the 32 data bytes in a 0x74 instruction
indicated to the series 07 and 09 BSkyB cards a command that was to
be executed. Example subcommands are the activation or deactivation
of certain channels or of the whole card as well as counter measure
subcommands that execute highly non-portable and difficult to
understand code. The subcommand byte was XORed with a value
calculated from the previous data bytes using a very simple XOR and
rotate algorithm. Subcommand 0x80 contained up to 16 nanocommands.

Syster Nagravision

A pay-TV access control system for the PAL color TV broadcasting
system developed by Nagra Kudelski of Switzerland and manufactured
by Eurodec/SAGEM. Syster Nagravision is used by Canal Plus, Canal
Plus Espagna, Premiere, and Teleclub.

token

In a PPV mechanism the access code for one PPV event.

VBL

A VideoCrypt Broadcast Logfile contains a recording of all 0x74
instructions sent to the card during one TV event. The data format
of VBL files is very similar to VCL files. VBL files allow to submit
to the owner of a genuine card the data necessary to create a VCL
file even if the owner of the genuine card has missed the broadcast
of the program from which a VCL file should be produced.

VCL

A VideoCrypt Card Logfile contains all information necessary in
order to allow a VideoCrypt card emulator to respond like a genuine
card to the instruction 0x78 hash value requests of the decoder. The
VCL file format is specified in the file details.txt of Season7. VCL
files allow the delayed data transfer hack: a person without a
genuine VideoCrypt card records the encrypted broadcast of a program
on a VCR, downloads later from the Internet a published VCL file for
this program, and decrypts it while playing the VCR recording to the
decoder.

VCR

Video Cassette Recorder, a magnetic tape recorder for TV signals.

VideoCrypt

A pay-TV access control system developed by NDC for the PAL color TV
broadcasting system used by BSkyB, The Adult Channel, BOB, Sky TV
New Zealand, and a few other channels. Described by european patent
application 0 428 252 A2.

VideoGuard

A pay-TV access control system developed by NDC for the Huges
DirecTV digital satellite broadcasting system (DSS) in the US. DSS
and VideoGuard are technically similar to DVB and MPEG-2, but not
compatible.