CONDITIONAL ACCESS AND ENCRYPTION OPTIONS FOR DIGITAL COMPRESSION SYSTEMS

1V/COM Intemational 16516 Via Esprillo San Diego, CA 92127 Tony Wechselberger Executive Vice President

Abstract Many methodologies have been developed for terrestrial, satellite and The development of digital cable distribution for both broadcast transport of television signals marks a and point-to-point applications. change from traditional approaches for "secure" distribution using analog For entertainment scrambling technology. The aU-digital distribution, true encryption nature of these signals makes hard techniques were introduced in the encryption of aU program services and early 1980's. Since that time there network information possible, and thus has been a steady increase in the our expectations for good security adoption of encryption techniques, performance over long periods of time leading (eventually) to a better in future digital compression systems awareness in, and utility of proper is high. application of cryptographic technology. At the same time there is much effort today to standardize elements Except for very high cost and subsystems of this new systems that could afford total technology, such that maximum digitization of the audio and video benefits accrue from interoperability material, virtually all existing with related developing technologies systems have employed techniques and markets. This paper discusses the that use the "randomizing" issues surrounding encryption in capabilities of encryption to digital compression systems, and deterministically "scramble" analog explores the possibUities for encryption program components, and reorder or standardization in certain areas of the otherwise reassemble these transport level. Included are comments components at the receiving end. on replaceable "Smart Card" and Examples of this are line shuffling, "Processor Card" approaches and cut-and-rotation, and random benefits. inversion of video. The fundamentally analog INTRODUCTION nature of the above randomizing approaches has problems. For The consumer and commercial example, in most implementations business and entertainment (but not all) enough recognizable television industries have now some information remains in the received twenty years of experience in the programming to sometimes not design, fielding and operation of satisfy desired requirements of a privacyI conditional access systems. good conditional access security

1993 NCTA TECHNICAL PAPERS -- 144 system-namely that the scrambled positive and negative reactions information contain no useful throughout the operator /user base. remnants of its original form, and In addition the esoteric nature of that reconstruction of the signal not cryptographic technology, in be possible by examination of the combination with the veil of secrecy scrambled waveform alone. (For a that surrounds most products tends good treatise on desirable attributes to shroud reality from view. The of security systems, see reference [1].) result is that decisions regarding the whole subject become driven in part In addition, the ways in which by sound technical judgments and the need for security systems part by emotion. developed and solutions evolved have resulted in a plethora of different The very mention of systems which are not only "standardized conditional access" in incompatible with each other, but the wrong circles will frequently be also with other types of equipment met by cries of eventual disaster. Yet used at the source, transit, storage many who have studied the issue or display chain. (Most obviously from a neutral position have evidenced by the consumer concluded that when theory and environment situation, and the experience are applied properly, there resultant quagmire of "opportunities" are indeed procedures and structures to be solved there.) that can be implemented to provide some basis of commonality in future Today we find ourselves at the generation systems. Note the many crossroads of a technological digital non-military implementation revolution: one where participation standards used by the U.S. in going forward forces decisions to government and the longevity of the be made that involve significant DES algorithm, for example. departures from previous generation technology. This change begs the The motivation for the examination of opportunities to consideration of standardization attain improvements over the current develops primarily from compatibility situation in several areas, such as and interoperability issues. More and consumer friendliness, compatibility more relationship and and interoperability, improved interdependency exists today between security, ... all topics where some heretofore unrelated markets. This degree of standardization has trend will dramatically expand. The important potential. One of the more merging of the television and controversial areas is computer industries into a standardization of conditional "multimedia environment" is in the access. The all-digital nature of sights of many wishing to put to use compression systems provides at the broadband highways that lie in least the technical opportunity for our future. The growth accomplished future-friendly advances in this area. by these new markets will be throttled by interoperability issues.

STANPARDIZATION Surrounding digital compres­ sion developments are significant The experiences of our industry efforts to define standards. Driven with encryption products over the primarily through the International past decade has left a trail of both Standards Organization (ISO), the

1993 NCTA TECHNICAL PAPERS -- 145 global unification of digital television stream will be "packetized"; that is, program generation, editing, storage, consist of packets of data (sizes of retrieval, transport and display is the packets are in the 130 byte to leading to a set of agreed upon 192 byte range) containing digital methodologies for audio and video information from a single elementary compression, and transport of stream or data type. The packets will complex multiplexes of associated each be preceded by a "header" of up data and ancillary digital services. to 4 bytes of packet-specific These standards, known as information such as packet ID, "MPEG-2," cover the primary areas of clearI scrambled indicator, even/ odd audio compression, video key, continuity counter and other compression and transport. They will information. The "generalized" digital serve as the guides to intemational nature of these packets makes for utility of future systems for most very flexible opportunities in the area indus trial and consumer of encryption and conditional access, applications. and the packets can be easily and singularly protected (scrambled) In the transport area, the work throughout their distribution and has led to the development of a routing "life." working draft which defines: In order for the digital • Program Stream-A grouping of television market to fully and freely audio, video and data elemental develop, it is very important not only components having a common that specific audio and video time relationship, and being compression techniques be codified, generally "associated" for delivery, but this transport area as well. The storage, playback, etc. requirements vary greatly between various applications for digital • n-ansport Stream-A collection of storage media (DSM) and direct program streams or elementary broadcast satellite (DBS), for streams (video, audio, data) which example. Yet it is essential that easy have been multiplexed in a non­ movement between such mediums be specific relationship for purposes available. Many factors come into of transmission. play, such as timing, program stream reconstruction, synchronization, While discussions are de I remultiplexing, (re)packetizing, continuing at the time of this and of course the need for encryption writing, these "system layer" efforts in certain applications. are aimed at providing a basic data structure, the "semantics and It has been an objective of the syntax" of a data stream, that can ISO systems working group to limit serve as a common format for local the extent of "specification" to a and broadcast transmission. minimum ... to defme only as much as is generally agreed to provide Entities working within the meaningful interoperability. The ISO MPEG-2 System Layer Group remainder of this paper discusses the have agreed to a number of basic implications of encryption on structural elements that are expected interoperability, and the issues to become part of the system layer regarding separation of systems and syntax. Fundamental to this long term security. structure is that the transport

1993 NCTA TECHNICAL PAPERS -- 146 CONDITIONAL ACCESS video/sound/data service (i.e. RECOMMENDATIONS television program or service) in order to prevent unauthorized Both the European (through reception of the information in a the CCIR) and the North American clear form. The alteration is a (primarily through the ATSC) specific process under the control communities have considered the of the conditional access system issues surrounding conditional (sending end). access standardization, and both have extensive expertise and • Access Control-The function of experience in the subject matter. The the conditional access control at conclusions and recommendations of the sending end is to generate the both groups are very similar [1].(2]; scrambling control signals, and that: the provision of information to enable authorized users to conditional access systems can be descramble the program or designed according to jimdamental service. The availability of this theoretic principles and information is controlled by the implementation procedures such conditional access system, that different systems can share between the transmitter and certain common security elements receiver(s); thus information is without compromising security. structured in secure messages multiplexed with the signal itself. It is helpful to observe the CCIR's definition of "conditional So conditional access is the total access," and note the two key envelope of mechanisms which are elements which comprise it [3]: responsible for delivering information to selected receivers only. • Conditional Access System­ Within a television distribution In the context of system system, the means to selectively implementations and the above provide television programs to defmitions, one notes that there is a specific individual subscribers. natural segmentation between the The system includes means to requirements of a system's transport track access for accounting layer hardware-level scrambling purposes. elements and the addressing/autho­ rization access control elements of • Scrambling*-Alteration of the almost any proto-typical system. In characteristics of a broadband fact, the above distinct processes have become systemic to modem * The European Community has maintained broadband system security the term Nscrambltng .. as associated with the approaches: operations performed on the digital content of elemental streams and/ or other raw The information (programming) to services data. This is a holdover from the be transmitted is secured by analog world where signal components were scrambling (encrypting) the data scrambled in the traditional sense. The U.S. community is adopting this terminology, during transit, which ts convenient tn separating the security mechanisms/algorithms used in the The access control delivers to the access control channel from those of the decoder commands and transport level data packet. procedures associated with who,

1993 NCTA TECHNICAL PAPERS -- 147 where, and when a decoder is SCRAMBLERS allowed to unscramble the information and deliver the The most straightforward program. method to secure a digital signal when presented in a bit serial In practice systems get very fashion is simple modulo 2 EXOR of complex, and many factors must be the data with a stream of random considered. Assuming the scrambling data. Of course the random stream process is done correctly from a cannot be literally random or the cryptographic standpoint, it can be information will be thoroughly and made very straightforward; permanently encrypted forever. For essentially mechanical or generic. this reason, "pseudo random binary Access control is an area, however, streams" (PRBS) are utilized ... they where one finds much of the look random to anyone not having distinction between systems: how certain "key" information. •• fast, how often, how user-friendly, how operator friendly, ... .It is in this The basic premise that a domain that we find many of L.lte pseudo random stream employed to processes that define a system's scramble data can be essentially as "personality" as well as those that secure as a truly random strea....~ is a control program access: PPV /IPPV fundamental notion of modern procedures, cryptographic key cryptographic doctrine. When distribution, all addressability cryptographic systems are processes, latencyI synchronization compromised it is not that this factors, etc. Subscriber management doctrine is at fault, it is that the systems, headend control systems, design or the use of the PRBS and system data channel(s) are generator is flawed, or (more often) dedicated to these functions, and that the other conditional access they are aU unique to different system element, "access control." has broken implementations. down. But what can be thought of as The basic argument that it is common are system services, possible to standardize on the especially if one considers that an scrambler without compromising MPEG-2 compressed version of a security is that all systems employ movie can be universally coded (the PRBS generators. or they can be program stream), no matter what modeled that way, and that no system is carrying it, or digital "good" PRBS generator is any better storage device is saving it. The scrambling of the signal is what has •• This approach is commonly used with a been recommended by the ATSC and "private key" or symmetrical encryption CCIR as a factor that can be approach which works well for high speed standardized on. The access control encryption and decryption. There are other remains unique to each respective techniques for encrypting information. The access control channels of most systems system, responsible for providing typically use other/additional techniques enabling parametric information (e.g. public key cryptosystem attributes) to (keys, etc.) to common descramblers. ensure that factors such as message authentication, message replay, and other kinds of spoofing, etc. are appropriately handled. These techniques are system­ unique.

1993 NCTA TECHNICAL PAPERS -- 148 than any other "good" PRBS Smart cards occur in four generator. That is to say if a given types [4]: PRBS generator qualifies as good it must have certain qualities, and 1. Small Memory Cards-Pay phone, these qualities certify that it can be gas station credit use, employed to generate pseudo random 2. CPU /Memory Cards-Banking, data that will be as random as any health care, pay1V, gaming use, other generator of that quality. 3. Large Memory/PCMCIA Cards­ Sub-notebook, handheld com­ Modem theory and experience, puters, along with capabilities of today's 4. "Super" Cards-Type 2 or 3 with digital electronics, allow the design on-card keyboard, displays. of PRBS generators (and techniques for employing them to insure their The last type is not always inherent randomness is exploited) technically a "smart card" in the that meet nicely the requirements of sense that it might not follow the today's systems. By accepting the ISO 7816 or PCMCIA standards for qualification of "good" above, one physical size and 1/0. It is included has no argument that the in this discussion for completeness, scramblerI de scrambler hardware and to indicate where the state-of­ cannot be standardized. This is a the-art is progressing. In addition, difficult notion to accept both there are other types of replaceable intuitively and emotionally, and it modules that have been developed may be a lost cause to expect it to be and used for the computer. accepted. (Indeed, should the entertainment and security qualification process for defining industries that provide functionality "good" be flawed, the result could be similar to smart cards. disastrous, and that argument cannot be ignored.) But in the general sense of "changeable security" (which will Ideally. to make everyone become ubiquitous). with recognition comfortable it would be nice to be that the access control portions of able to change the scrambler if conditional access systems will most needed. The concept of changeable certainly remain unique among security leads to the next section. vendors, what all such approaches provide is an alternative to building into the decoder hardware ACCESS CONTROL AND permanent, and therefore potentially REPLACEABLE SECURITY tamper able, security-related parameter storage and/ or functional Most newer system designs processing elements. The security today employ (or will employ) some card allows replacement of.the access type of replaceable security hardware. control functions of a system, or at This approach provides for the least the cryptographically sensitive placement in a replaceable card or aspects of the access control, such module some or all of the circuits that should it ever be necessary to associated with access control. update or change the system in this Several systems in Europe have area, it is possible to do so. relied upon "smart card" technology for this capability. The major trade-off surrounding system design employing

1993 NCTA TECHNICAL PAPERS -- 149 replaceable security cards is the order to maintain operation at data decision about how much goes into rates to 50 or 60 Mbpsl This kind of the card? It turns out to be a performance is not feasible in question of economics. Security inexpensive replaceable cards, in cards can cost from $2 to $30. The combination with the demands that cost penalty for changing out a large this would place on the card I/ 0 and system's population of security cards associated receptacle. may well turn out to be less than the cost of tolerating piracy! But the degree of freedom allowed SUMMARY nevertheless has given the replaceable card a large popularity at The developing transport level this time, and the hard costs definition of the MPEG-2 System associated with more card Layer will result in a structure easily functionality for fewer dollars availing itself to a marriage of continues to drop. vendor-unique access control, and industry-wide common scrambling. A natural breakdown between Many implementation variations are the access control and scrambler possible, allowing the specific needs functions that constitute conditional of each system designer /user to access,) is to place the core decide what form solutions are to "descranibler" circuits in the decoder take. Relative "levels" of security and hardware VLSI, and the system­ risk assessments thereof can thus be specific (critical) access control weighed and appropriate functions in the replaceable card. requirements accommodated. One has to study carefully then the activity that takes place at the card There are many advantages in interface to ensure that information having interoperable scrambling in available there, assuming total the broadcast and storage arenas; knowledge of what's in the decoder this paper has not attempted to hardware, will not allow compromise make those arguments. (References of the system. [1] and [2] are recommended reading for these discussions.) In the end, It would be better yet to place however, there will continue to be both descrambler and access control controversy, and commercial factors functions in the security card, but will dictate what the industry decides this can get cost prohibitive. The to do. But it is felt that there are structure of the digital compression compelling technical methods for multiplex and packetization of how interoperability can be elementary streams described above accomplished, and that these need to which may be concatenated and be (unemotionally) discussed. encrypted (scrambled) with different keys gives rise to a need for very sophisticated and high-speed logic in

1993 NCTA TECHNICAL PAPERS -- 150 REFERENCES [4] Robinson, B. and M. Ryan, "Smart Cards," Electronic Engineering [ 1] Advanced Television Systems Times, March 29, 1993, p. 52. Committee Final Report T3/217. "Interoperability Among Alternate Media for the Delivery of Advanced About the Author: Television Programming and Related Mr. Wechselberger has held various positions Consumer Product Interface Issues," with 1V/COM International (formerly OAK December 1992. Communications) since 1980. His staff supports all of1V/COM's cable, satellite, and [2] CCIR Study Group II, compression engineering initiatives and he is responsible for a number of key patents. Document 11/66. "Conditional Before joining 1V/COM, Mr. Wechselberger Access Broadcasting Systems was with the General Dynamics Electronics Recommendations," May 26, 1992. Division. He holds B.S. and M.S. degrees in Electrical Engineering and has published [3] Stubbs, G.S., "Digital and lectured extensively in the fields of 1V Compression, An Industry Process to signal security, and general conditional Achieve Secure Conditional Access," access requirements involving Communications Technology, March communications, and encryption. 1992.

1993 NCTA TECHNICAL PAPERS -- 151