Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security of Broadcast Networks 1. Overview r Broadcast networks are used mostly for TV r Historical development r Commercial models r One-way or Two-way.

Similar presentations


Presentation on theme: "Security of Broadcast Networks 1. Overview r Broadcast networks are used mostly for TV r Historical development r Commercial models r One-way or Two-way."— Presentation transcript:

1 Security of Broadcast Networks 1

2 Overview r Broadcast networks are used mostly for TV r Historical development r Commercial models r One-way or Two-way networks r Threats and security goals  Content  Prevent unauthorized access to content  Identify pirates 2

3 Initial Attempts r Attempt 1  Unique key for every user r Attempt 2  Single broadcasting key r Attempt 3  Multiple keys, broadcast directly over keys 3

4 DVB Architecture r Variants: satellite, cable, terrestrial r Broadcaster r Set-Top Box r PID r Sets of PIDs for viewing – e.g. video, audio, subtitles r Encapsulated MPEG-2, MPEG-4 etc. r DVR 4

5 DVB Security Architecture r Content encrypted by Control Word  CW per PID or per set of PIDs r Single source end to end architecture  Conditional Access provider r Various encryption algorithms – e.g. CSA2 r Access rights  Entitlement Management Message (EMM) r Encrypted Control Word  Entitlement Control Message (ECM) r Set-Top Box and Smart Card  Decryption of Control Word 5

6 DVB key management r EMM sent to each user encrypting key k with user’s key r Broadcast cycle of EMMs r General ECMs encrypting CW with k r Key derivation – one secret key and multiple public values provide multiple secret keys r Key ladder r Control Word rollover  Even / odd keys 6

7 Additional issues r STB-SC pairing  Defines whether SC can be used with multiple STB r Securing PVR content r DRM 7

8 Problems r Keys  Card sharing  Control Word sharing r Content  Digital hole HDMI problems  Analog hole  Content on the Internet  More difficult for HD, 3-D 8

9 Mitigations r High physical security  Smart cards  Advanced chips  Cloning is difficult  Hardware eavesdropping, MITM, side-cannel, fault attacks are all difficult r Content sharing is expensive r Legal action 9

10 Different Model r Client hardware is not trusted  Low physical security  Device security driven by device vendor, not broadcaster r Remote revocation r Traitor tracing r Watermarking 10

11 Remote Revocation r Assumption: one-way channel r Stateless vs. stateful r Encryption of content key, not content r Parameters:  Number of users – n  Number of revoked users – r r Measure: message length, receiver storage, receiver processing r Example: basic broadcast encryption system  Message length – O(n-r), storage O(1), processing O(1) 11

12 Complete sub-tree r Subset cover:  Collection of subsets of all users (U)  Each subset is assigned key. User has keys of all subsets in which it is a member  Revocation of R – cover U\R exactly with subsets. Encrypt message with all keys from cover r Complete sub-tree  Users arranged in complete tree with n leaves  n-1 internal nodes r Key for root of each sub-tree r Cover of U\R – sub-trees hanging of paths to R r Message length – easy to see r(log n) keys 12

13 Complete sub-tree (cont.) r Message length – r (log n/r) r Storage – O(log n) keys r Processing –  Search is O(log n) in broadcast and O(log log n) if all keys are given  One decryption r Adding users is a problem – tree is static  Can keys and tree nodes be recycled?  Partial solution – large initial tree 13

14 Traitor Tracing r Goal: trace keys used for illegal decryption r Can be part of a trace-and-revoke mechanism r Assumption:  Broadcaster controls key management  DVD style assumption – tracer has pirate box (which can be reset)  Broadcasting assumption - tracer has agents that receive keys from pirate r Assumption: pirate can “sense” tracing and react r If pirate doesn’t produce CW then pirate loses r Black-box tracing – no access to pirate’s algorithm 14

15 Examples r Example: pirate has single decryption key  Send two PIDs – each revoking half the users, extract a single bit. Iterate for other bits r Example: adversary controls two keys with ID 1 and ID 2 such that ID 1  ID 2 =1…1  Adversary easily defeats binary search traitor tracing r In general – pirate has t keys 15

16 Subset tracing r Approach  Partition users to subsets U 1,…,U m  Encrypt different CW for every subset  Trace pirate’s CW to subset r Problem – pirate with multiple keys can switch between CWs r Algorithm  Initialize partition to U  Encrypt different CW to each set in partition  If pirate returns CW j assigned to U j partition U j into two subsets of similar size U j =U j1  U j2  Iterate until a subset includes only one user. Revoke user 16

17 Subset tracing (cont.) r Number of iterations / keys – t*log n/t r Base of log depends on ration of U j partition r Practical problem – head-end broadcast systems are often limited in number of different CWs per PID r In DVD style revocation, subset tracing can work with two keys or key and random string r Trace and revoke – complete sub-tree revocation method + subset traitor tracing 17

18 Watermarking r Idea r Uses r Visible vs. not visible r Historical analog methods r Method secrecy  Example – changing lower bits in picture pixels 18


Download ppt "Security of Broadcast Networks 1. Overview r Broadcast networks are used mostly for TV r Historical development r Commercial models r One-way or Two-way."

Similar presentations


Ads by Google