Secure Communication between Set-top Box and Smart Card in DTV Broadcasting

Authors: T. Jiang, Y. Hou and S. Zheng

Source: IEEE Transactions on Consumer Electronics, 50(3), pp. 882-886, 2004.

Reporter: Chun-Ta Li (李俊達)

Outline
- Introduction
- Schnorr’s identification scheme
- The proposed scheme
- Comments

Introduction
- Digital television (DTV) broadcasting service
  - This work was developed by China
  - Roles: broadcasters (head-end system) and subscribers (terminal device)
  - Terminal device: set-top box (STB) and smart card

[Figure: Broadcaster (head-end system) and terminal device (Set-top Box, Smart Card); arrows labelled "issue", "scrambled message (unidirectional)" and "descrambled".]

Introduction (cont.)
- The structure of conditional access system

[Figure: conditional access system. Block labels: Scrambler, PRG, Encrypt 1, Encrypt 2, Entitlement, SMS (head-end); channel; Descrambler, PRG, Decrypt 1, Decrypt 2 (receiver). Signal labels: TS, CWs, AK, MPK, ECM, EMM.]

TS: transport stream
CW: control word
PRG: pseudo random sequence generator
AK: authorization key
MPK: master private key
ECM: entitlement control message
EMM: entitlement management message
SMS: subscriber management system

Introduction (cont.)
- The cooperation of STB and smart card

RF: radio frequency signal

Introduction (cont.)
Problem statement
- No authentication between the head-end and the subscriber on line (DTV broadcasting is unidirectional)
  Solution: Utilize authentication between STB and smart card
- Without mutual authentication between STB and smart card
  Attacks: McCormac Hack and smart card cloning problems
  Solution: Secure key exchange with mutual authentication
- A common session key and heavy computation load
  Solution: Establishing a dynamic session key and low power wireless communications

Schnorr’s identification scheme
Three phases:

Initiation of the trusted authority
- TA chooses
  - p and q such that q | p-1, q > 2^140, p > 2^512
  - α ∈ Z_p^* with order q, α^q = 1 mod p
  - public key pkA and private key skA
  - one-way hash function h(.) and a security parameter t = 72

Registration of the user
- Every user chooses
  - A random number s as his private key, s ∈ {1, 2, ..., q}
  - The public key is v = α^(-s) mod p
  - TA verifies its identity I, signs the pair (I, v) and issues the signature to the user

Schnorr’s identification scheme (cont.)
Identity authentication
- The prover P needs to prove its identity to the verifier V

1. P → V: sends I, v and TA’s signature on (I, v)
2. V: checks the validity of the received message by verifying TA’s signature
3. P: chooses a random number r ∈ {1, 2, ..., q-1} and computes x = α^r mod p
4. P → V: sends x
5. V → P: sends a random number e ∈ {0, ..., 2^t - 1}
6. P: computes y = (r + se) mod q
7. P → V: sends y
8. V: checks x ?= α^y v^e mod p
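
The exchange above as an added Python example (not from the slides or the paper): it runs steps 3 to 8 with toy parameters p = 2267, q = 103, t = 6 chosen here for readability, and does not model TA's signature check from steps 1 and 2. The function names are assumptions of this example.

```python
import secrets

# Toy parameters, constructed for illustration only (the slide requires
# q > 2^140, p > 2^512 and t = 72). Q is prime, Q divides P - 1, 2^T < Q.
P, Q, T = 2267, 103, 6

def find_alpha(p=P, q=Q):
    """Return an element alpha of order q in Z_p^* (alpha^q = 1 mod p)."""
    for base in range(2, p):
        alpha = pow(base, (p - 1) // q, p)
        if alpha != 1:
            return alpha
    raise ValueError("no element of order q found")

ALPHA = find_alpha()

def keygen(s=None):
    """Registration: private key s in {1..q}, public key v = alpha^(-s) mod p."""
    s = secrets.randbelow(Q) + 1 if s is None else s
    return s, pow(ALPHA, (-s) % Q, P)

def commit():
    """Step 3: r in {1..q-1}, x = alpha^r mod p."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(ALPHA, r, P)

def respond(r, s, e):
    """Step 6: y = (r + s*e) mod q."""
    return (r + s * e) % Q

def verify(x, y, e, v):
    """Step 8: accept iff x == alpha^y * v^e mod p."""
    return x == pow(ALPHA, y, P) * pow(v, e, P) % P

def identify(s_prover, v, e=None):
    """Run steps 3-8 once; the challenge e can be fixed for a repeatable run."""
    r, x = commit()
    e = secrets.randbelow(2 ** T) if e is None else e   # step 5: e in {0..2^t - 1}
    return verify(x, respond(r, s_prover, e), e, v)
```

With e = 0 the check reduces to x = α^r and no longer depends on s, which is why the size 2^t of the challenge space matters.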

The proposed scheme
Notations
- h(.): secure one-way hash function
- ⊕: exclusive-or operation
- IDc: smart card’s identity // STB only stores SC’s identity //
- IDs: STB’s identity
- PW: password
- xs: secret key of the STB
- p and q: two public primes
- E(.): symmetrical encryption algorithm

[Legend (markers not preserved): only known to both entities; secret parameters; public parameters]

The proposed scheme (cont.)
Five phases

Registration phase (SMS and Subscriber):
1. Subscriber → SMS: smart card identity IDc and password PW
2. SMS: computes R = h(IDc ⊕ xs) ⊕ h(PW) // xs is a secret key of the STB //
3. SMS: chooses two public primes p and q, then computes yc = g^(-xc) mod p // xc and yc are the private key and the public key of the smart card //
4. SMS: stores {R, g, IDc, IDs, h(.), E(.)} in smart card
5. SMS → Subscriber: issues the smart card to the subscriber

The proposed scheme (cont.)
Login phase (Subscriber, Smart card and STB)
1. Subscriber: attaches the smart card to the STB and inputs IDc and PW
2. Smart card (pre-computed): generates two random numbers t and r in Z_q and computes T = g^t mod p and Y = h(T, IDc, IDs)
3. Smart card: computes X = R ⊕ h(PW) = h(IDc ⊕ xs)
4. Smart card → STB: sends login request message {X, Y, r, IDc} to the STB

The proposed scheme (cont.)
Mutual authentication phase (Smart card and STB)
1. STB: checks the validity of IDc
2. STB: checks X ?= h(IDc ⊕ xs)
3. STB: chooses a random number e, 0 < e < 2^k, and computes M = h(IDs, r) // k is 72 bits suggested by Schnorr //
4. STB → Smart card: sends {M, e} to smart card
5. Smart card: checks M ?= h(IDs, r)
6. Smart card → STB: computes d = t + e·xc mod q and sends it to STB
7. STB: checks Y ?= h(g^d · yc^e, IDc, IDs)
8. If it holds, STB accepts the smart card; otherwise STB rejects it

The proposed scheme (cont.)
Key agreement phase (if mutual authentication is passed successfully for both STB and smart card)
- Smart card and STB agree on a common session key SK = h(r, e, IDc, IDs)

CW transmission phase (Smart card and STB)
1. Smart card: after decrypting out CW, computes CWe = E_SK(CW)
2. Smart card → STB: sends CWe to STB for descrambling the program
3. STB: decrypts out the CW
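
An added example (not the authors' or the reporter's code) that runs the registration, login, mutual authentication and key agreement phases above end to end; `session` returns SK, or None if any check fails. Assumptions: SHA-256 stands in for h(.), the group is a toy one (p = 2267, q = 103, k = 6), identities and xs are 16-byte strings, and the card keeps xc while the STB is given yc and g, which the slide's registration step does not state.

```python
import hashlib, secrets

P, Q, K = 2267, 103, 6        # toy group constructed for this example; 2^K < Q
G = pow(2, (P - 1) // Q, P)   # g: element of prime order Q in Z_P^*

def h(*parts):
    """SHA-256 over length-prefixed parts, standing in for the slide's h(.)."""
    m = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        m.update(len(b).to_bytes(4, "big") + b)
    return m.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def register(id_c, pw, x_s):
    """SMS: R = h(IDc xor xs) xor h(PW), yc = g^(-xc) mod p. Assumed: xc stays on the card."""
    x_c = secrets.randbelow(Q - 1) + 1
    return {"R": xor(h(xor(id_c, x_s)), h(pw)), "xc": x_c}, pow(G, (-x_c) % Q, P)

def card_login(card, id_c, id_s, pw):
    """Card: T = g^t mod p, Y = h(T, IDc, IDs), X = R xor h(PW)."""
    t, r = secrets.randbelow(Q), secrets.randbelow(Q)
    req = {"X": xor(card["R"], h(pw)), "Y": h(pow(G, t, P), id_c, id_s), "r": r, "IDc": id_c}
    return t, req

def stb_challenge(req, id_c, id_s, x_s):
    """STB steps 1-4: check IDc and X ?= h(IDc xor xs), then issue (M, e)."""
    if req["IDc"] != id_c or req["X"] != h(xor(id_c, x_s)):
        return None
    return h(id_s, req["r"]), secrets.randbelow(2 ** K - 1) + 1   # 0 < e < 2^K

def card_respond(card, t, r, id_s, M, e):
    """Card steps 5-6: check M ?= h(IDs, r), then d = t + e*xc mod q."""
    return (t + e * card["xc"]) % Q if M == h(id_s, r) else None

def stb_verify(req, d, e, y_c, id_c, id_s):
    """STB steps 7-8: Y ?= h(g^d * yc^e mod p, IDc, IDs); SK = h(r, e, IDc, IDs)."""
    T = pow(G, d, P) * pow(y_c, e, P) % P
    return h(req["r"], e, id_c, id_s) if req["Y"] == h(T, id_c, id_s) else None

def session(card, y_c, id_c, id_s, x_s, pw):
    t, req = card_login(card, id_c, id_s, pw)
    ch = stb_challenge(req, id_c, id_s, x_s)
    if ch is None:
        return None
    d = card_respond(card, t, req["r"], id_s, *ch)
    return None if d is None else stb_verify(req, d, ch[1], y_c, id_c, id_s)
```

A card holding the right R but a different xc fails step 7, and a wrong PW fails step 2. The CW transmission phase is left out because it only adds E_SK around the control word.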

Comments
Some deficiencies on Jiang’s protocol (Liu et al.)
- The certificate verification required in Schnorr’s scheme was missed in the protocol (allows any SC with a fake certificate)
- The protocol doesn’t provide any key confirmation
- The security of the protocol based on the privacy of the hash algorithm is suspicious
- The run of the protocol should be initiated by STB rather than by SC
- It seems that both xc and yc should be stored in SC in registration phase
- How STB obtains the value yc and g in the mutual authentication phase

Comments (cont.)
Ours
- Because STB only stores SC’s identity
  - The relation between SC and STB is 1-to-1 mapping
  - Improvement: extend the relation with n-to-n mapping
    - Any legal SC can be used in any STB
    - STB can communicate with any legal SC
- Some party compromise attacks on Jiang et al.’s scheme
  - Assume these parameters {IDc, IDs, h(.)} are given to an adversary
  - Improvement: let these parameters be public, and the scheme is still secure against attacks

Comments (cont.)
Our scheme
Registration phase (SMS and Subscriber)
1. Subscriber → SMS (secure channel): offers IDi and PW
2. SMS: computes V = h(IDi ⊕ xs ⊕ expiration date)
3. SMS: computes R = h(IDi ⊕ xs ⊕ expiration date) ⊕ h(PW)
4. SMS: stores IDi, h(.), E(.), V, R and expiration date in smart card
5. SMS: stores IDi, h(.), E(.), xs in set-top box
6. SMS → Subscriber (secure channel): issues smart card and set-top box

Comments (cont.)
Login phase (Smart card and STB)
1. STB: when powered on, requests the user to insert the smart card and provide IDi and PW
2. Smart card: computes V' = R ⊕ h(PW)
3. Smart card: verifies V' ?= V
4. Smart card: generates a random number r1 and computes Y = V' ⊕ r1
5. Smart card: computes C1 = E_V'[r1] and C2 = h(Y ⊕ N1)
6. Smart card → STB: sends C1, C2, expiration date and N1

Comments (cont.)
Mutual authentication and key agreement phase (Smart card and STB)
1. STB: checks the validity of IDi and expiration date
2. STB: computes V' = h(IDi ⊕ xs ⊕ expiration date) and C3 = D_V'[E_V'[r1]]
3. STB: verifies h(V' ⊕ C3 ⊕ N1) ?= C2
4. STB: computes Y = V' ⊕ r1 and C4 = E_Y[r2, N1+1, N2]
5. STB → Smart card: sends C4
6. Smart card: computes D_Y[C4] and checks the nonce N1+1
7. Smart card: computes session key SK = h(r1, r2, V')
8. Smart card → STB: sends C5 = E_SK[N2+1]
9. STB: computes D_SK[C5] and checks the nonce N2+1
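
The reporter's registration, login and mutual authentication/key agreement phases as an added Python example (not code from the slides). Assumptions: SHA-256 stands in for h(.), E/D is a stand-in XOR keystream cipher that only makes the example self-contained, nonces and random numbers are 32 bytes, dates are ISO strings, and IDi travels with the login message so that the STB can check it in step 1.

```python
import hashlib, secrets
from functools import reduce

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals):
    """XOR of byte strings, each read as a big-endian integer; 32-byte result."""
    return reduce(int.__xor__, (int.from_bytes(v, "big") for v in vals)).to_bytes(32, "big")

def E(key, msg):
    """Stand-in for the slide's E/D: XOR with a SHA-256 keystream, so D == E."""
    stream = b"".join(h(key, bytes([i])) for i in range(len(msg) // 32 + 1))
    return bytes(m ^ k for m, k in zip(msg, stream))

def inc(n):
    return ((int.from_bytes(n, "big") + 1) % 2**256).to_bytes(32, "big")

def register(id_i, pw, x_s, exp):
    V = h(xor(id_i, x_s, exp))                       # V = h(IDi xor xs xor expiration date)
    return {"ID": id_i, "V": V, "R": xor(V, h(pw)), "exp": exp}

def card_login(card, pw):
    v = xor(card["R"], h(pw))                        # V' = R xor h(PW)
    if v != card["V"]:
        return None
    r1, n1 = secrets.token_bytes(32), secrets.token_bytes(32)
    msg = {"ID": card["ID"], "C1": E(v, r1), "C2": h(xor(v, r1, n1)),
           "exp": card["exp"], "N1": n1}
    return (v, r1, n1), msg

def stb_respond(msg, id_i, x_s, today):
    if msg["ID"] != id_i or msg["exp"] < today:      # step 1
        return None
    v = h(xor(msg["ID"], x_s, msg["exp"]))
    r1 = E(v, msg["C1"])                             # C3 = D_V'[C1]
    if h(xor(v, r1, msg["N1"])) != msg["C2"]:        # step 3
        return None
    r2, n2 = secrets.token_bytes(32), secrets.token_bytes(32)
    return (h(r1, r2, v), n2), E(xor(v, r1), r2 + inc(msg["N1"]) + n2)   # C4

def card_finish(state, c4):
    v, r1, n1 = state
    plain = E(xor(v, r1), c4)                        # D_Y[C4] = r2 | N1+1 | N2
    if plain[32:64] != inc(n1):
        return None
    sk = h(r1, plain[:32], v)                        # SK = h(r1, r2, V')
    return sk, E(sk, inc(plain[64:96]))              # C5 = E_SK[N2+1]

def stb_confirm(state, c5):
    sk, n2 = state
    return sk if E(sk, c5) == inc(n2) else None      # step 9
```

The nonce checks on N1+1 and N2+1 are what give each side confirmation that the other derived the same keys. A deployment would replace the stand-in E with an authenticated cipher.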

Comments (cont.)
Change password phase
- Inputs old password PW and computes V" = R ⊕ h(PW)
- Verifies V" ?= V
- If above holds, user inputs new password PW" and computes R" = V" ⊕ h(PW")
- Finally, replace R with R" on the smart card

Continue a contract
- SMS and subscriber use the above processes including mutual authentication and key agreement to replace the V, R and expiration date with new V, new R and new expiration date on the smart card