Secure Communication between Set-top Box and Smart Card in DTV Broadcasting Authors: T. Jiang, Y. Hou and S. Zheng Source: IEEE Transactions on Consumer.


1 Secure Communication between Set-top Box and Smart Card in DTV Broadcasting
Authors: T. Jiang, Y. Hou and S. Zheng
Source: IEEE Transactions on Consumer Electronics, 50(3), pp. 882-886, 2004.
Reporter: Chun-Ta Li (李俊達)

2 Outline
- Introduction
- Schnorr's identification scheme
- The proposed scheme
- Comments

3 Introduction
- Digital television (DTV) broadcasting service
  - This work was developed by China
  - Roles: broadcasters (head-end system) and subscribers (terminal device)
  - Terminal device: set-top box (STB) and smart card
[Figure: the broadcaster (head-end system) issues a scrambled message (unidirectional) to the terminal device (set-top box and smart card), where it is descrambled]

4 Introduction (cont.)
- The structure of conditional access system
[Figure labels: Head-end, Scrambler, PRG, TS, CWs, Encrypt 1, AK, Encrypt 2, Entitlement, MPK, SMS, channel, ECM, EMM, Receiver, Descrambler, PRG, Decrypt 1, Decrypt 2, TS]
Abbreviations:
- TS: transport stream
- CW: control word
- PRG: pseudo random sequence generator
- AK: authorization key
- MPK: master private key
- ECM: entitlement control message
- EMM: entitlement management message
- SMS: subscriber management system

5 Introduction (cont.)
- The cooperation of STB and smart card
[Figure; RF: radio frequency signal]

6 Introduction (cont.)
- Problem statement
  - No authentication between the head-end and the subscriber on line (DTV broadcasting is unidirectional)
    - Solution: Utilize authentication between STB and smart card
  - Without mutual authentication between STB and smart card
    - Attacks: McCormac Hack and smart card cloning problems
    - Solution: Secure key exchange with mutual authentication
  - A common session key and heavy computation load
    - Solution: Establishing a dynamic session key and low power wireless communications

7 Schnorr's identification scheme
- Three phases:
  - Initiation of the trusted authority. TA chooses:
    - $p$ and $q$ such that $q \mid p-1$, $q > 2^{140}$, $p > 2^{512}$
    - $\alpha$ with order $q$, $\alpha^q = 1 \bmod p$
    - public key $pk_A$ and private key $sk_A$
    - one-way hash function $h(.)$ and a secure parameter $t = 72$
  - Registration of the user. Every user chooses:
    - A random number $s$ as his private key, s
    - The public key is $v = \alpha^{-s} \bmod p$
    - TA verifies its identity $I$, signs the pair $(I, v)$ and issues the signature to the user

8 Schnorr's identification scheme (cont.)
  - Identity authentication
    - The prover P needs to prove its identity to the verifier V
Participants: Prover, Verifier
1. Sends $I$, $v$ and TA's signature on $(I, v)$
2. Checks the validity of the received message by verifying TA's signature
3. Chooses a random number $r$ and computes $x = \alpha^r \bmod p$
4. Sends $x$
5. Sends a random number $e$
6. Computes $y = (r + se) \bmod q$
7. Sends $y$
8. Checks $x \stackrel{?}{=} \alpha^y v^e \bmod p$

9 The proposed scheme
- Notations
  - $h(.)$: secure one-way hash function
  - $\oplus$: exclusive-or operation
  - $ID_c$: smart card's identity // STB only stores SC's identity //
  - $ID_s$: STB's identity
  - $PW$: password
  - $x_s$: secret key of the STB
  - $p$ and $q$: two public primes
  - $E(.)$: symmetrical encryption algorithm
[Diagram legend, markers not preserved: only known to both entities; secret parameters; public parameters]

10 The proposed scheme (cont.)
- Five phases
  - Registration phase:
Participants: SMS, Subscriber
1. Smart card identity $ID_c$ and password $PW$
2. Computes $R = h(ID_c \oplus x_s) \oplus h(PW)$ // $x_s$ is a secret key of the STB //
3. Chooses two public primes $p$ and $q$, then computes $y_c = g^{-x_c} \bmod p$ // $x_c$ and $y_c$ are the private key and the public key of smart card
4. Stores $\{R, g, ID_c, ID_s, h(.), E(.)\}$ in smart card
5. Issues the smart card to the subscriber

11 The proposed scheme (cont.)
  - Login phase
Participants: Subscriber, Smart card, STB
1. Attach smart card to the STB and inputs the $ID_c$ and $PW$
2. The smart card generates two random numbers $t$ and $r$ in $Z_q$ and computes $T = g^t \bmod p$ and $Y = h(T, ID_c, ID_s)$ (pre-computed)
3. Computes $X = R \oplus h(PW) = h(ID_c \oplus x_s)$
4. Sends login request message $\{X, Y, r, ID_c\}$ to the STB

12 The proposed scheme (cont.)
  - Mutual authentication phase
Participants: Smart card, STB
1. Checks the validity of $ID_c$
2. Checks $X \stackrel{?}{=} h(ID_c \oplus x_s)$
3. Chooses a random number $e$, $0 < e < 2^k$, and computes $M = h(ID_s, r)$ // $k$ is 72 bits suggested by Schnorr //
4. Sends $\{M, e\}$ to smart card
5. Checks $M \stackrel{?}{=} h(ID_s, r)$
6. Computes $d = t + e x_c \bmod q$ and sends it to STB
7. Checks $Y \stackrel{?}{=} h(g^d y_c^e, ID_c, ID_s)$
8. If it holds, STB accepts the smart card; otherwise STB rejects it

13 The proposed scheme (cont.)
  - Key agreement phase (if mutual authentication is passed successfully for both STB and smart card)
Participants: Smart card, STB
    - They agree on a common session key $SK = h(r, e, ID_c, ID_s)$
  - CW transmission phase
Participants: Smart card, STB
1. After decrypting out CW, smart card computes $CW_e = E_{SK}(CW)$
2. Sends $CW_e$ to STB for descrambling the program
3. Decrypt out the CW
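The registration, login, mutual authentication and key agreement phases above, including the Schnorr-style check $Y \stackrel{?}{=} h(g^d y_c^e, ID_c, ID_s)$, run end to end as an added example (not code from the presentation or from the paper). Assumptions: toy parameters $p = 1019$, $q = 509$, $g = 4$, $k = 8$, SHA-256 standing in for $h(.)$, identities encoded as integers, and an STB that already holds $y_c$ and $g$.

```python
import hashlib, secrets

# Constructed toy parameters: p = 2q + 1 and g of order q.
# The slides require q > 2^140, p > 2^512 and k = 72; these sizes only illustrate.
P, Q, G, K = 1019, 509, 4, 8

def h(*parts):
    """Stand-in for h(.): SHA-256 over the joined fields, returned as an integer."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def register(id_c, pw, x_s):
    """Registration: R = h(ID_c xor x_s) xor h(PW); card key pair y_c = g^(-x_c) mod p."""
    x_c = secrets.randbelow(Q - 1) + 1
    y_c = pow(G, Q - x_c, P)          # g has order q, so g^(q - x_c) = g^(-x_c)
    return {"R": h(id_c ^ x_s) ^ h(pw), "x_c": x_c, "y_c": y_c}

def run_protocol(card, id_c, id_s, pw, x_s):
    """Login, mutual authentication, key agreement; returns SK, or None on rejection."""
    # Login phase (smart card): commit to T = g^t mod p inside Y
    t, r = secrets.randbelow(Q), secrets.randbelow(Q)
    Y = h(pow(G, t, P), id_c, id_s)
    X = card["R"] ^ h(pw)
    # Mutual authentication, STB side: check X, then send challenge e and M
    if X != h(id_c ^ x_s):
        return None
    e = secrets.randbelow(2**K - 1) + 1   # 0 < e < 2^k
    M = h(id_s, r)
    # Smart card side: check M, answer with d = t + e*x_c mod q
    if M != h(id_s, r):
        return None
    d = (t + e * card["x_c"]) % Q
    # STB side: g^d * y_c^e = g^(t + e*x_c) * g^(-e*x_c) = g^t = T
    t_check = pow(G, d, P) * pow(card["y_c"], e, P) % P
    if Y != h(t_check, id_c, id_s):
        return None
    # Key agreement: every input of SK except ID_s was sent in a message above
    return h(r, e, id_c, id_s)
```

A card that presents a different $x_c$ than the one behind $y_c$ fails step 7, and a wrong password fails step 2, because $X$ no longer equals $h(ID_c \oplus x_s)$.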

14 Comments
- Some deficiencies on Jiang's protocol (Liu et al.)
  - The certificate verification required in Schnorr's scheme was missed in the protocol (allows any SC with a fake certificate)
  - The protocol doesn't provide any key confirmation
  - The security of the protocol based on the privacy of the hash algorithm is suspicious
  - The run of the protocol should be initiated by STB rather than by SC
  - It seems that both $x_c$ and $y_c$ should be stored in SC in registration phase
  - How STB obtains the value $y_c$ and $g$ in the mutual authentication phase

15 Comments (cont.)
- Ours
  - Because STB only stores SC's identity
    - The relation between SC and STB is a 1-to-1 mapping
    - Improvement: extend the relation to an n-to-n mapping
      - Any legal SC can be used in any STB
      - STB can communicate with any legal SC
  - Some party compromise attacks on Jiang et al.'s scheme
    - Assume these parameters $\{ID_c, ID_s, h(.)\}$ are given to an adversary
    - Improvement: let these parameters be public, with the scheme still secure against attacks

16 Comments (cont.)
- Our scheme
  - Registration phase
Participants: SMS, Subscriber
[Diagram annotation, appearing twice: Secure channel]
1. Offers $ID_i$ and $PW$
2. Computes $V = h(ID_i \oplus x_s \oplus \text{expiration date})$
3. Computes $R = h(ID_i \oplus x_s \oplus \text{expiration date}) \oplus h(PW)$
4. Stores $ID_i$, $h(.)$, $E(.)$, $V$, $R$ and expiration date in smart card
5. Stores $ID_i$, $h(.)$, $E(.)$, $x_s$ in set-top box
6. Issues smart card and set-top box

17 Comments (cont.)
  - Login phase
Participants: Smart card, STB
1. When power on, STB will request user to insert smart card and provide $ID_i$ and $PW$
2. Computes $V' = R \oplus h(PW)$
3. Verifies $V' \stackrel{?}{=} V$
4. Generates a random number $r_1$ and computes $Y = V' \oplus r_1$
5. Computes $C_1 = E_{V'}[r_1]$ and $C_2 = h(Y \oplus N_1)$
6. Sends $C_1$, $C_2$, expiration date and $N_1$

18 Comments (cont.)
  - Mutual authentication and key agreement phase
Participants: Smart card, STB
1. Checks the validity of $ID_i$ and expiration date
2. Computes $V' = h(ID_i \oplus x_s \oplus \text{expiration date})$ and $C_3 = D_{V'}[E_{V'}[r_1]]$
3. Verifies $h(V' \oplus C_3 \oplus N_1) \stackrel{?}{=} C_2$
4. Computes $Y = V' \oplus r_1$ and $C_4 = E_Y[r_2, N_1+1, N_2]$
5. Sends $C_4$
6. Computes $D_Y[C_4]$ and checks the nonce $N_1+1$
7. Computes session key $SK = h(r_1, r_2, V')$
8. Sends $C_5 = E_{SK}[N_2+1]$
9. Computes $D_{SK}[C_5]$ and checks the nonce $N_2+1$
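The reviewer's registration, login, and mutual authentication and key agreement phases above, run end to end as an added example (not code from the presentation). Assumptions: SHA-256 stands in for $h(.)$, a hash-keystream XOR stands in for $E(.)$ and $D(.)$ and is not a real cipher, fields are zero-padded to 32 bytes before $\oplus$, nonces are 64-bit integers, and the STB's validity check on the expiration date is left out.

```python
import hashlib, secrets

def h(*parts):
    """Stand-in for h(.): SHA-256 over the concatenated byte fields."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals):
    """XOR of fields, each zero-padded to 32 bytes (padding is an assumption)."""
    out = bytes(32)
    for v in vals:
        out = bytes(a ^ b for a, b in zip(out, v.ljust(32, b"\0")))
    return out

def E(key, msg):
    """Toy stand-in for E(.) and D(.): XOR with a hash keystream, not a real cipher."""
    ks = b"".join(h(key, bytes([i])) for i in range(len(msg) // 32 + 1))
    return bytes(a ^ b for a, b in zip(msg, ks))

def b32(n): return n.to_bytes(32, "big")   # integer nonce as a 32-byte field

def register(id_i, pw, x_s, exp):
    V = h(xor(id_i, x_s, exp))
    return {"V": V, "R": xor(V, h(pw)), "exp": exp}    # stored on the smart card

def session(card, id_i, pw, x_s):
    """Login, mutual authentication and key agreement; returns SK or None."""
    # Smart card: V' = R xor h(PW), verify V' == V, build C1 and C2
    v_card = xor(card["R"], h(pw))
    if v_card != card["V"]:
        return None
    r1, n1 = secrets.token_bytes(32), secrets.randbits(64)
    y_card = xor(v_card, r1)
    c1, c2 = E(v_card, r1), h(xor(y_card, b32(n1)))
    # STB: recompute V' from its own x_s, recover r1 as C3, check C2
    v_stb = h(xor(id_i, x_s, card["exp"]))
    c3 = E(v_stb, c1)
    if h(xor(v_stb, c3, b32(n1))) != c2:
        return None
    r2, n2 = secrets.token_bytes(32), secrets.randbits(64)
    c4 = E(xor(v_stb, c3), r2 + b32(n1 + 1) + b32(n2))
    # Smart card: decrypt C4, check N1 + 1, derive SK, send C5
    m = E(y_card, c4)
    if m[32:64] != b32(n1 + 1):
        return None
    sk_card = h(r1, m[:32], v_card)
    c5 = E(sk_card, b32(int.from_bytes(m[64:], "big") + 1))
    # STB: derive SK from its own values and check N2 + 1 (key confirmation)
    sk_stb = h(c3, r2, v_stb)
    return sk_stb if E(sk_stb, c5) == b32(n2 + 1) else None
```

An STB holding a different $x_s$ computes a different $V'$ and rejects at step 3, and the final $N_2+1$ check only passes when both sides derived the same $SK$.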

19 Comments (cont.)
  - Change password phase
    - Inputs old password $PW$ and computes $V'' = R \oplus h(PW)$
    - Verifies $V'' \stackrel{?}{=} V$
    - If above holds, user inputs new password $PW''$ and computes $R'' = V'' \oplus h(PW'')$
    - Finally, replace $R$ with $R''$ on the smart card
  - Continue a contract
    - SMS and subscriber use the above processes including mutual authentication and key agreement to replace the $V$, $R$ and expiration date with new $V$, new $R$ and new expiration date on the smart card

