Download presentation
Presentation is loading. Please wait.
Published byCarol Poole Modified over 8 years ago
1
Security of Broadcast Networks 1
2
Overview r Broadcast networks are used mostly for TV r Historical development r Commercial models r One-way or Two-way networks r Threats and security goals Content Prevent unauthorized access to content Identify pirates 2
3
Initial Attempts r Attempt 1 Unique key for every user r Attempt 2 Single broadcasting key r Attempt 3 Multiple keys, broadcast directly over keys 3
4
DVB Architecture r Variants: satellite, cable, terrestrial r Broadcaster r Set-Top Box r PID r Sets of PIDs for viewing – e.g. video, audio, subtitles r Encapsulated MPEG-2, MPEG-4 etc. r DVR 4
5
DVB Security Architecture r Content encrypted by Control Word CW per PID or per set of PIDs r Single source end to end architecture Conditional Access provider r Various encryption algorithms – e.g. CSA2 r Access rights Entitlement Management Message (EMM) r Encrypted Control Word Entitlement Control Message (ECM) r Set-Top Box and Smart Card Decryption of Control Word 5
6
DVB key management r EMM sent to each user encrypting key k with user’s key r Broadcast cycle of EMMs r General ECMs encrypting CW with k r Key derivation – one secret key and multiple public values provide multiple secret keys r Key ladder r Control Word rollover Even / odd keys 6
7
Additional issues r STB-SC pairing Defines whether SC can be used with multiple STB r Securing PVR content r DRM 7
8
Problems r Keys Card sharing Control Word sharing r Content Digital hole HDMI problems Analog hole Content on the Internet More difficult for HD, 3-D 8
9
Mitigations r High physical security Smart cards Advanced chips Cloning is difficult Hardware eavesdropping, MITM, side-cannel, fault attacks are all difficult r Content sharing is expensive r Legal action 9
10
Different Model r Client hardware is not trusted Low physical security Device security driven by device vendor, not broadcaster r Remote revocation r Traitor tracing r Watermarking 10
11
Remote Revocation r Assumption: one-way channel r Stateless vs. stateful r Encryption of content key, not content r Parameters: Number of users – n Number of revoked users – r r Measure: message length, receiver storage, receiver processing r Example: basic broadcast encryption system Message length – O(n-r), storage O(1), processing O(1) 11
12
Complete sub-tree r Subset cover: Collection of subsets of all users (U) Each subset is assigned key. User has keys of all subsets in which it is a member Revocation of R – cover U\R exactly with subsets. Encrypt message with all keys from cover r Complete sub-tree Users arranged in complete tree with n leaves n-1 internal nodes r Key for root of each sub-tree r Cover of U\R – sub-trees hanging of paths to R r Message length – easy to see r(log n) keys 12
13
Complete sub-tree (cont.) r Message length – r (log n/r) r Storage – O(log n) keys r Processing – Search is O(log n) in broadcast and O(log log n) if all keys are given One decryption r Adding users is a problem – tree is static Can keys and tree nodes be recycled? Partial solution – large initial tree 13
14
Traitor Tracing r Goal: trace keys used for illegal decryption r Can be part of a trace-and-revoke mechanism r Assumption: Broadcaster controls key management DVD style assumption – tracer has pirate box (which can be reset) Broadcasting assumption - tracer has agents that receive keys from pirate r Assumption: pirate can “sense” tracing and react r If pirate doesn’t produce CW then pirate loses r Black-box tracing – no access to pirate’s algorithm 14
15
Examples r Example: pirate has single decryption key Send two PIDs – each revoking half the users, extract a single bit. Iterate for other bits r Example: adversary controls two keys with ID 1 and ID 2 such that ID 1 ID 2 =1…1 Adversary easily defeats binary search traitor tracing r In general – pirate has t keys 15
16
Subset tracing r Approach Partition users to subsets U 1,…,U m Encrypt different CW for every subset Trace pirate’s CW to subset r Problem – pirate with multiple keys can switch between CWs r Algorithm Initialize partition to U Encrypt different CW to each set in partition If pirate returns CW j assigned to U j partition U j into two subsets of similar size U j =U j1 U j2 Iterate until a subset includes only one user. Revoke user 16
17
Subset tracing (cont.) r Number of iterations / keys – t*log n/t r Base of log depends on ration of U j partition r Practical problem – head-end broadcast systems are often limited in number of different CWs per PID r In DVD style revocation, subset tracing can work with two keys or key and random string r Trace and revoke – complete sub-tree revocation method + subset traitor tracing 17
18
Watermarking r Idea r Uses r Visible vs. not visible r Historical analog methods r Method secrecy Example – changing lower bits in picture pixels 18
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.