ci plus overview - wikileaks/ci-plus...ci plus - system overview ca conditional access cc content...
TRANSCRIPT
CI Plus Limited Liability Partnership (LLP)www.ci-plus.com
CI Plus Overview
6th July 2009
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
2 / 24
Table of ContentPage:
• One Page Overview of CI Plus 3• History of Common Interface 4• Requirements & Scope with CI Plus 8• CI Plus System Overview 10• CI Plus Specification 11
- SAC (Secure Authenticated Channel)- Authentification - Protection of TS (Transport Stream)
with CC (Content Control)- URI (Usage Rules Information)- Revocation, Shunning- Interactivity with MHP CA API
• CI Plus Administration 19- CI+ LLP, Certificate Agent & Test Center- CI+ Documentation- Flow Chart of Certification & Licensing
• Summary 23
SC
PCMCIA
CI-CAM
CA
CI
CA Conditional AccessCAM CA ModuleCI Common InterfacePCMCIA Personal Computer Memory
Card International AssociationSC Smart Card
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
3 / 24
Issue with and Solution with• 1997-02 Quite old standard EN 50221 with unencrypted CAM output• 2006-09 Closed DVB TM-CIT group after missing consensus
• 2007-07 CI+ Forum founded by 6 companies • 2008-01 CI Plus Spec.v1.0 with encrypted output• 2008-11 CI+ forum replaced by CI Plus LLP• 2009-03 Appointment of
Plasma/LCD IDTV
additional Usage Rules for A/D output and storage
Encrypted TV Signal Encrypted Common Interface Module Smartcard
☺
Copy of originaldigital contentis impossible!
x
PCMCIA
Interface
x
One pageoverview
STB, Recorder, ...
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
4 / 24
History of Common Interface (CI)1997-02: Standard DVB CI v1 (EN 50221)
(with unencrypted output of CAM) 1999-11: Extension ETSI TS 101 6992002-01: EU directive for CI in IDTV with > 30cm2006-09: Start of DVB TM-CIT group
(to close security gaps with new CI v2 ...) Closed after missing consensus on technology
2007-07: Founding CI+ Forum by 6 companies 2007-12 CI Plus Specification draft 2008-01 CI Plus Specification v1.0
(with encrypted CAM interface) 2008-11 Disbanding of CI+ Forum & creation of
CI Plus LLP (UK Limited Liability Partnership) 2009-02 CI Plus Specification v1.1
2009-02 TC TrustCenter GmbH appointed 2009-03 DTV Labs Ltd. appointed test facility
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
5 / 24
DVB-CI & CI Plus - Usage for SD/HDTV
Set-Top-Box withintegrated
Decrypton-System
(Only for few contentused or permitted)
SDTV
SDTV
SDTV
Smart Card with DVB-CI
Smart Card with CI+
Smart Card Displayor IDTV
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
6 / 24
DVB CI - Current Standard v1• CI-Module used with smartcard containing key-informationen• CI-Module remove the encryption of protected content• The output of CI-Module is unencrypted• Due to this, most content providers prefer integrated
solutions because of higher security
EncryptedTelevion Signal
CI-module
Smartcard
No
Encryption
Copy of original
digital contentis possible
Plasma / LCD IDTV
EncryptedTelevion Signal
PCMCIA Interface
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
7 / 24
CI Plus - Protection of Content• Based on existing DVB-CI Standard• Main requirement: achieving the same level of security as embedded solutions• CI Plus Module and Receiver
- Calculation & Usage of a secure key for content protection- Secure, authentificated channel for critical system messages
• The output of module is encrypted• Only certified devices are supported
Plasma / LCD IDTV
Smartcard
Local Encryption
EncryptedTelevision Signal
EncryptedTelevision Signal
Copy oforiginal
digital contentis not possible!
CI Plus Module
PCMCIA Interface
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
8 / 24
CI Plus - Scope of Protection
CA Conditional AccessCC Content Control
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
9 / 24
CI Plus - Scope of Compatibility
Host
CA Module (CAM)
DVB CI CI Plus
Host in DVB-CI mode
Module in DVB-CI mode*
Host & Module CI Plus mode
Host & Module DVB-CI mode
☺* DVB-CI mode operation defined by network operator
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
10 / 24
CI Plus - System Overview
CA Conditional AccessCC Content ControlCI Common InterfaceCAM Conditional Access Module
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
11 / 24
CI Plus - Specification v1.2Chapter: Pages:
1-3 Scope, References, Definitions, ... 174 System Overview 45 Theory of Operation 316 Authentication Mechanisms 167 Secure Authenticated Channel 128 Content Key Calculations 49 Public Key Infrastr. & Certificate Details 910 Host Service Shunning 411 Command Interface 1312 CI Plus Application Level MMI 1013 CI Plus MMI Resource 214 Other CI Extensions 1415 PVR Resource 8
Annex A...N 99Total: 243
file: ci_plus_specification_v1.2.pdf date: 2009-04-25
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
12 / 24
CI Plus - Protocols1. Compare CI+ versions supported by IDTV and CAM.2. If both sides have the same auth key, they have
performed a successful authentication with each other.3. CI+ CAM and IDTV authenticate each other to make sure
the opposite device is a valid CI+ device.4. The Secure Authenticated Channel (SAC) is used
for transmission of security-related messages between CAM and IDTV.
5. Usage Rules Information (URI) version negotiation to find a URI version that is supported on both sides.
6. URI transmission and acknowledgement used by CAM to send a set of usage rules information to the IDTV.
7. Content Control (CC) key calculation used by both sides to calculate keys for scrambling /descrambling of transport stream (TS).
8. System Renewability Message (SRM) transmission and acknowledgement is used from CI+ CAM to transfer SRM for HDCP and DTCP-IP to the IDTV.
Host Capability Evaluation
Auth Key Verification
Authentication
SAC Key Calculation
URI Version Negotiation
URI Acknowledgement
CC Key Calculation
SRM Acknowledgement
1.
2.
3.
4.
5.
6.
7.
8.
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
13 / 24
CI Plus - Transport Stream Output ProtectionHost and CICAM Capabilities:
• DES-56-ECB Data Encryption Standard, 56-bit key, Electronic Code Book (USA 1999-10, Federal Information Processing Standards, FIPS 46-3)
• AES-128-CBC Advanced Encryption Standard, 128-bit key, Cipher Block Chaining (USA 2000-10, National Institute of Standards and Technology, NIST, FIPS 197)
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
14 / 24
CI Plus - AuthenticationSupported Authentication Phases per Service Mode:
• Basic Service Mode• Registered Service Mode
- Requires upstream communication to HE (Head End)
example:
DH = Diffie-Hellman key exchange
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
15 / 24
CI Plus - Devices & external Interfaces
Analogue PAL / NTSC / SECAMRGB / YUV / S-Video
DigitalHDMI / HDCP
DTCP-IP
IDTV Signals
/ Interfaces
Devices
time shifted recording(optional)
STB/PVR
CI Plus
Display
Encrypted Content, paired to receiver: the content cannot be copied without authorization..
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
16 / 24
URI initial default value for host, e.g. after channel change:• protocol version = 0x01• emi_copy_control_info = 0b11 (Encryption Mode Indicator)• aps_copy_control_info = 0b00 (Analog copy Protection System)• ict_copy_control_info = 0b0 (Image Constraint Trigger/Token)• rct_copy_control_info = 0b0 (Redistribution Control Trigger)• rl_copy_control_info = 0b000000 (Retention Limit, default 90 min)• reserved bits = 0b0
URI Mapping Table:• Analog Output (MV, APS, CGMS, ICT) • Digital Output (HDCP, DTCP, SPDIF)• Digital Storage (AACS, CPRM, VCPS)
see e.g. Digital Transmission Content Protection (DTCP), www.dtcp.com• Specification 2007-10, rev 1.51
CI Plus - Usage Rules Information (URI)
URIURI
Analog Digital Digital Storage
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
17 / 24
Host Service Shunning• Host shunning state determined from Service Descriptor Table (SDT)• Shunning active: Service can only be descrambled by CI+ Module• Shunning non active: Service can be descrambled by DVB-CI or CI+ Module
Host Revocation• Certificate Revocation List (CRL) transmitted to CICAM black-lists a host• Certificate White List (CWL) can revert a previous revocation of a host• Level of revocation granularity:
1. Unique host2. Range of hosts3. Certain model4. Certain brand
Revocation by CAS• Possible, but out of CI Plus specification scope
CI Plus - Mechanisms of Revocation
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
18 / 24
CI Plus - Additional Interactivity with ConsumerCI Plus Browser
• Enables to CI Plus modules to display graphics with menues, pictures, logos, ... in a common method on all CI Plus receivers/displays Allows easy interaction with default remote control
Support of MHP CA API• Enables to the broadcasted MHP applikation to communicate
with a CA Smartcard inside the CI Plus module
Country- and Language Support• Enables CI Plus modules to use the same language in menues,
which is already defined by user in the receiver setting.
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
19 / 24
CI Plus - LLP, Certificate Agent & Test CenterCI Plus LLP contact details:
• CI Plus LLP, www.ci-plus.com• The Billings, Guildford, Surrey GU1 4YD, UK• Tel/Fax: +44.1483. 302264/-302254
CI Plus LLP authorized Certificate Agent: • TC TrustCenter GmbH, www.trustcenter.de• Sonninstrasse 24-28, 20097 Hamburg, Germany• Tel/Fax: +49.40.808026-0/-126• Mail: [email protected]
CI Plus LLP approved Test Center:• Digital TV Labs Ltd., www.digitaltv-labs.com • Venturers House, King Street, Bristol, BS1 4PB, UK• Tel/Fax: +44.117.915-4018/-4088• Mail: [email protected]
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
20 / 24
CI Plus - DocumentationDocuments on www.ci-plus.com:
• CI Plus Device Interim License Agreement- Compliance and Robustness Rule...
• CI Plus Specification v1.2- Detailed Specification for Receiver and Module
with change notices 001 and 002• Supplementary Specification v1.2
- Requirements for host revocation/shunning• Test Specification v1.0
- Definition of test- and registration process• Registration Application
- Application for test and registration of a device
Documents on www.trustcenter.de:• On-Boarding Guideline, CI Plus Specification• Interim License Agreement (ILA)
Certificate Supply Agreement (CSA)• Forms: Identification, Administrator Authorization
Brand On-Boarding, Registration Application• Robustness Certification Checklist
last update: 2009-04-25
.../solutions/consumer_electronics.htm
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
21 / 24
CI Plus - License Agreement with Exhibits A-L
A: Device Type
B: Robustness Rules
C: Compliance Rules for Host Device
D: Compliance Rules for CICAM Device
E: URI Mapping Table
G: Robustness Rules Checklist
H: Confidentiality Agreement
I: Fee schedule
J: Registration Procedure
K: Change Procedure
L: Revocation Procedure
CICAM Device
Host Device
Robustness Rules
ComplianceRules
Confidentiality Agreement
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
22 / 24
CI Plus - Implementation
CI Plus LLP (Limited Liability Partnership)
Trust Authority
(TA)
Certification Authority (CA)
Test of Device
Device Manufacturer
of CI Plus Module / Host
TC Trust Center
Sign License Agreement€15,000 registration/yearlyReceive License specs and Test technologyAt Website
Public Specification, License Agreement (incl. Compliance and Robustness)
Order Certificates (keys) € 500/10.000 devices
Device Testing Result Robustness Checklist € 5,000/device type
Device RegistrationProduction Credentials
Test Partner
New deviceRobustness Checklist Device Testing
Result
or Self-Test-Registration(after registration of 2 different device types)
Deliver Certificates (keys)
...
CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06
23 / 24
CI Plus - Summary• CI Plus is based on DVB-CI standard and is downward compatible• Encrypted communication over the CI/CI+ interface
- Secure & authenticated channel for critical system messages- Encrypted transmission of digital content from CI+ module towards the host device
• Implementation- Licensing & administration of Certificates managed by independant Trust-Center- Certification of end user devices & CI+ modules in a digital TV laboratory
• Future proof with URI (Usage Rules Information) for UPnP, CPCM, CSA3, DTCP, DLNA, ...
STBPVR
LAN Internet
CI Plus Limited Liability Partnership (LLP)www.ci-plus.com
Thank you for your interest
CI Plus LLP www.ci-plus.comwww.ci-plus.com/forum
TC TrustCenter GmbH www.trustcenter.deDigital TV Labs Ltd www.digitaltv-labs.com