Published by Neal Harris. Modified over 8 years ago.
1 Secure Communication between Set-top Box and Smart Card in DTV Broadcasting
Authors: T. Jiang, Y. Hou and S. Zheng
Source: IEEE Transactions on Consumer Electronics, 50(3), pp. 882-886, 2004.
Reporter: Chun-Ta Li (李俊達)
2 Outline
- Introduction
- Schnorr's identification scheme
- The proposed scheme
- Comments
3 Introduction
- Digital television (DTV) broadcasting service
- This work was developed by China
- Roles: broadcasters (head-end system) and subscribers (terminal device)
- Terminal device: set-top box (STB) and smart card
[Figure labels: Broadcaster (head-end system); Set-top Box and Smart Card (terminal device); issue; scrambled message (unidirectional); descrambled]
4 Introduction (cont.)
The structure of conditional access system
[Figure labels: Head-end (Scrambler, PRG, Encrypt 1, Encrypt 2, Entitlement, SMS; TS, CWs, AK, MPK); channel; Receiver (Descrambler, PRG, Decrypt 1, Decrypt 2; EMM, ECM, TS)]
- TS: transport stream
- CW: control word
- PRG: pseudo random sequence generator
- AK: authorization key
- MPK: master private key
- ECM: entitlement control message
- EMM: entitlement management message
- SMS: subscriber management system
5 Introduction (cont.)
The cooperation of STB and smart card
[Figure: cooperation of STB and smart card]
- RF: radio frequency signal
6 Introduction (cont.)
Problem statement
- No authentication between the head-end and the subscriber on line (DTV broadcasting is unidirectional)
  Solution: Utilize authentication between STB and smart card
- Without mutual authentication between STB and smart card
  Attacks: McCormac Hack and smart card cloning problems
  Solution: Secure key exchange with mutual authentication
- A common session key and heavy computation load
  Solution: Establishing a dynamic session key and low power wireless communications
7 Schnorr's identification scheme
Three phases:
Initiation of the trusted authority
- TA chooses p and q such that q | p-1, q > 2^140, p > 2^512
- α with order q, α^q = 1 mod p
- public key pk_A and private key sk_A
- one-way hash function h(.) and a security parameter t = 72
Registration of the user
- Every user chooses a random number s as his private key, s
- The public key is v = α^(-s) mod p
- TA verifies its identity I, signs the pair (I, v) and issues the signature to the user
8 Schnorr's identification scheme (cont.)
Identity authentication
The prover P needs to prove its identity to the verifier V
Parties: Prover, Verifier
1. Sends I, v and TA's signature on (I, v)
2. Checks the validity of the received message by verifying TA's signature
3. Chooses a random number r and computes x = α^r mod p
4. Sends x
5. Sends a random number e
6. Computes y = (r + s·e) mod q
7. Sends y
8. Checks x ?= α^y · v^e mod p
9 The proposed scheme
Notations
- h(.): secure one-way hash function
- ⊕: exclusive-or (XOR) operation
- ID_c: smart card's identity // STB only stores SC's identity //
- ID_s: STB's identity
- PW: password
- x_s: secret key of the STB
- p and q: two public primes
- E(.): symmetrical encryption algorithm
Legend: only known to both entities; secret parameters; public parameters
10 The proposed scheme (cont.)
Five phases
Registration phase
Parties: SMS, Subscriber
1. Smart card identity ID_c and password PW
2. Computes R = h(ID_c ⊕ x_s) ⊕ h(PW) // x_s is a secret key of the STB //
3. Chooses two public primes p and q, then computes y_c = g^(-x_c) mod p // x_c and y_c are the private key and the public key of the smart card //
4. Stores {R, g, ID_c, ID_s, h(.), E(.)} in smart card
5. Issues the smart card to the subscriber
11 The proposed scheme (cont.)
Login phase
Parties: Subscriber, Smart card, STB
1. Attaches smart card to the STB and inputs the ID_c and PW
2. The smart card generates two random numbers t and r in Z_q and computes T = g^t mod p and Y = h(T, ID_c, ID_s) (pre-computed)
3. Computes X = R ⊕ h(PW) = h(ID_c ⊕ x_s)
4. Sends login request message {X, Y, r, ID_c} to the STB
12 The proposed scheme (cont.)
Mutual authentication phase
Parties: Smart card, STB
1. Checks the validity of ID_c
2. Checks X ?= h(ID_c ⊕ x_s)
3. Chooses a random number e, 0 < e < 2^k, and computes M = h(ID_s, r) // k is 72 bits suggested by Schnorr //
4. Sends {M, e} to smart card
5. Checks M ?= h(ID_s, r)
6. Computes d = t + e·x_c mod q and sends it to STB
7. Checks Y ?= h(g^d · y_c^e, ID_c, ID_s)
8. If it holds, STB accepts the smart card; otherwise STB rejects it
13 The proposed scheme (cont.)
Key agreement phase (if mutual authentication is passed successfully for both STB and smart card)
Parties: Smart card, STB
- They agree on a common session key SK = h(r, e, ID_c, ID_s)
CW transmission phase
Parties: Smart card, STB
1. After decrypting out CW, smart card computes CW_e = E_SK(CW)
2. Sends CW_e to STB for descrambling the program
3. Decrypts out the CW
14 Comments
Some deficiencies on Jiang's protocol (Liu et al.)
- The certificate verification required in Schnorr's scheme was missed in the protocol (allows any SC with a fake certificate)
- The protocol doesn't provide any key confirmation
- The security of the protocol based on the privacy of the hash algorithm is suspicious
- The run of the protocol should be initiated by STB rather than by SC
- It seems that both x_c and y_c should be stored in SC in registration phase
- How STB obtains the value y_c and g in the mutual authentication phase
15 Comments (cont.)
Ours
- Because STB only stores SC's identity, the relation between SC and STB is a 1-to-1 mapping
  Improvement: extend the relation to an n-to-n mapping
  - Any legal SC can be used in any STB
  - STB can communicate with any legal SC
- Some party compromise attacks on Jiang et al.'s scheme
  Assume these parameters {ID_c, ID_s, h(.)} are given to an adversary
  Improvement: make these parameters public while the scheme remains secure against attacks
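The login, mutual authentication and key agreement slides above, modelled end to end as an added example (not code from the paper or the presentation), to check which inputs of SK are actually secret. The toy group (p = 2039, q = 1019, g = 4), SHA-256 standing in for h(.), k = 8 and all identifiers and keys are constructed assumptions.

```python
import hashlib, secrets

# Constructed toy group: p = 2q + 1 and g = 4 has prime order q (far too small for real use).
P, Q, G = 2039, 1019, 4

def h(*parts):
    """Stand-in for h(.): SHA-256 over the '|'-joined parts, returned as an int."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def check(ok, who):
    if not ok:
        raise ValueError(who + " rejects")

def run_protocol(id_c, id_s, pw, x_s, x_c):
    """Run registration to key agreement; return (values sent in the clear, SK)."""
    # Registration (SMS): R and the card public key y_c = g^(-x_c) mod p.
    R = h(id_c ^ x_s) ^ h(pw)
    y_c = pow(G, Q - x_c, P)
    # Login (smart card): T and Y are pre-computed, X unmasks R with the password.
    t, r = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    Y = h(pow(G, t, P), id_c, id_s)
    X = R ^ h(pw)
    wire = {"X": X, "Y": Y, "r": r, "ID_c": id_c}
    # Mutual authentication (STB): check X, then challenge with e and M.
    check(X == h(id_c ^ x_s), "STB")
    e = secrets.randbelow(2**8 - 1) + 1        # toy k = 8; the slides use k = 72
    M = h(id_s, r)
    wire.update(M=M, e=e)
    # Smart card: check M, then answer d = t + e*x_c mod q.
    check(M == h(id_s, r), "smart card")
    d = (t + e * x_c) % Q
    wire["d"] = d
    # STB: g^d * y_c^e = g^t mod p, so the recomputed hash must equal Y.
    check(Y == h(pow(G, d, P) * pow(y_c, e, P) % P, id_c, id_s), "STB")
    return wire, h(r, e, id_c, id_s)           # key agreement: SK

def sk_from_transcript(wire, id_s):
    """Recompute SK from values sent in the clear plus ID_s and h(.) only."""
    return h(wire["r"], wire["e"], wire["ID_c"], id_s)

if __name__ == "__main__":
    wire, sk = run_protocol(id_c=0x1001, id_s=0x2002, pw="pw", x_s=0x5EC, x_c=321)
    print("SK recomputed without x_s, x_c or PW:", sk == sk_from_transcript(wire, 0x2002))
```

Neither x_s, x_c nor PW enters SK, which is why the comments above treat the secrecy of h(.) and the identities as the only thing protecting the control word.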
16 Comments (cont.)
Our scheme
Registration phase
Parties: SMS, Subscriber (transmissions between them use a secure channel)
1. Offers ID_i and PW
2. Computes V = h(ID_i ⊕ x_s ⊕ expiration date)
3. Computes R = h(ID_i ⊕ x_s ⊕ expiration date) ⊕ h(PW)
4. Stores ID_i, h(.), E(.), V, R and expiration date in smart card
5. Stores ID_i, h(.), E(.), x_s in set-top box
6. Issues smart card and set-top box
17 Comments (cont.)
Login phase
Parties: Smart card, STB
1. When powered on, STB will request the user to insert the smart card and provide ID_i and PW
2. Computes V' = R ⊕ h(PW)
3. Verifies V' ?= V
4. Generates a random number r_1 and computes Y = V' ⊕ r_1
5. Computes C_1 = E_V'[r_1] and C_2 = h(Y ⊕ N_1)
6. Sends C_1, C_2, expiration date and N_1
18 Comments (cont.)
Mutual authentication and key agreement phase
Parties: Smart card, STB
1. Checks the validity of ID_i and expiration date
2. Computes V' = h(ID_i ⊕ x_s ⊕ expiration date) and C_3 = D_V'[E_V'[r_1]]
3. Verifies h(V' ⊕ C_3 ⊕ N_1) ?= C_2
4. Computes Y = V' ⊕ r_1 and C_4 = E_Y[r_2, N_1 + 1, N_2]
5. Sends C_4
6. Computes D_Y[C_4] and checks the nonce N_1 + 1
7. Computes session key SK = h(r_1, r_2, V')
8. Sends C_5 = E_SK[N_2 + 1]
9. Computes D_SK[C_5] and checks the nonce N_2 + 1
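The registration, login and mutual authentication steps of the revised scheme, with both sides' messages, as an added example that is not code from the presentation. SHA-256 stands in for h(.), E/D is a toy XOR pad used only so the block runs offline, and the function names, the `today` parameter and the integer encoding of the expiration date are assumptions.

```python
import hashlib, secrets

def h(*parts):  # stand-in for h(.): SHA-256 over the '|'-joined parts, as an int
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def E(key, *fields):
    """Toy stand-in for E_key[...]: XOR field i with the pad h('pad', key, i)."""
    return [f ^ h("pad", key, i) for i, f in enumerate(fields)]

D = E  # the XOR pad is its own inverse: D_key[C] is D(key, *C)

def register(id_i, pw, x_s, exp):
    V = h(id_i ^ x_s ^ exp)
    card = {"ID_i": id_i, "V": V, "R": V ^ h(pw), "exp": exp}
    return card, {"ID_i": id_i, "x_s": x_s}          # smart card, set-top box

def card_login(card, pw):
    V1 = card["R"] ^ h(pw)                            # V' = R xor h(PW)
    if V1 != card["V"]:
        raise ValueError("card: wrong password")
    r1, N1 = secrets.randbits(128), secrets.randbits(64)
    Y = V1 ^ r1
    msg = {"C1": E(V1, r1), "C2": h(Y ^ N1), "exp": card["exp"], "N1": N1}
    return msg, (V1, r1, N1, Y)

def stb_respond(stb, msg, today):
    if msg["exp"] < today:
        raise ValueError("STB: subscription expired")
    V1 = h(stb["ID_i"] ^ stb["x_s"] ^ msg["exp"])
    (C3,) = D(V1, *msg["C1"])                         # C3 = r1 only if V' matches
    if h(V1 ^ C3 ^ msg["N1"]) != msg["C2"]:
        raise ValueError("STB: card not authenticated")
    r2, N2 = secrets.randbits(128), secrets.randbits(64)
    return E(V1 ^ C3, r2, msg["N1"] + 1, N2), (N2, h(C3, r2, V1))

def card_finish(C4, state):
    V1, r1, N1, Y = state
    r2, n1_plus_1, N2 = D(Y, *C4)
    if n1_plus_1 != N1 + 1:
        raise ValueError("card: STB not authenticated")
    sk = h(r1, r2, V1)
    return sk, E(sk, N2 + 1)                          # SK and C5

def stb_finish(C5, state):
    N2, sk = state
    if D(sk, *C5) != [N2 + 1]:
        raise ValueError("STB: key confirmation failed")
    return sk
```

Because the expiration date is hashed into V, a login message whose date has been altered decrypts C_1 under the wrong V' and fails the C_2 check at the STB.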
19 Comments (cont.)
Change password phase
- Inputs old password PW and computes V'' = R ⊕ h(PW)
- Verifies V'' ?= V
- If the above holds, user inputs new password PW'' and computes R'' = V'' ⊕ h(PW'')
- Finally, replaces R with R'' on the smart card
Continue a contract
- SMS and subscriber use the above processes, including mutual authentication and key agreement, to replace the V, R and expiration date with new V, new R and new expiration date on the smart card