Security of Broadcast Networks
Overview • Broadcast networks are used mostly for TV • Historical development • Commercial models • One-way or Two-way networks • Threats and security goals • Content • Prevent unauthorized access to content • Identify pirates
Initial Attempts • Attempt 1 • Unique key for every user • Attempt 2 • Single broadcasting key • Attempt 3 • Multiple keys, broadcast directly over keys
DVB Architecture • Variants: satellite, cable, terrestrial • Broadcaster • Set-Top Box • PID • Sets of PIDs for viewing – e.g. video, audio, subtitles • Encapsulated MPEG-2, MPEG-4 etc. • DVR
DVB Security Architecture • Content encrypted by Control Word • CW per PID or per set of PIDs • Single source end to end architecture • Conditional Access provider • Various encryption algorithms – e.g. CSA2 • Access rights • Entitlement Management Message (EMM) • Encrypted Control Word • Entitlement Control Message (ECM) • Set-Top Box and Smart Card • Decryption of Control Word
DVB key management • EMM sent to each user encrypting key k with user’s key • Broadcast cycle of EMMs • General ECMs encrypting CW with k • Key derivation – one secret key and multiple public values provide multiple secret keys • Key ladder • Control Word rollover • Even / odd keys
Additional issues • STB-SC pairing • Defines whether SC can be used with multiple STB • Securing PVR content • DRM
Problems • Keys • Card sharing • Control Word sharing • Content • Digital hole • HDMI problems • Analog hole • Content on the Internet • More difficult for HD, 3-D
Mitigations • High physical security • Smart cards • Advanced chips • Cloning is difficult • Hardware eavesdropping, MITM, side-channel, fault attacks are all difficult • Content sharing is expensive • Legal action
Different Model • Client hardware is not trusted • Low physical security • Device security driven by device vendor, not broadcaster • Remote revocation • Traitor tracing • Watermarking
Remote Revocation • Assumption: one-way channel • Stateless vs. stateful • Encryption of content key, not content • Parameters: • Number of users – n • Number of revoked users – r • Measure: message length, receiver storage, receiver processing • Example: basic broadcast encryption system • Message length – O(n-r), storage O(1), processing O(1)
Complete sub-tree • Subset cover: • Collection of subsets of all users (U) • Each subset is assigned a key. User has keys of all subsets in which it is a member • Revocation of R – cover U\R exactly with subsets. Encrypt message with all keys from cover • Complete sub-tree • Users arranged in complete tree with n leaves • n-1 internal nodes • Key for root of each sub-tree • Cover of U\R – sub-trees hanging off paths to R • Message length – easy to see r log n keys
Complete sub-tree (cont.) • Message length – r log(n/r) • Storage – O(log n) keys • Processing – • Search is O(log n) in broadcast and O(log log n) if all keys are given • One decryption • Adding users is a problem – tree is static • Can keys and tree nodes be recycled? • Partial solution – large initial tree
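The complete sub-tree cover from the two slides above, as an added example that is not part of the original slides. It assumes n is a power of two and uses heap numbering (root = node 1, user u at leaf n + u); the function names are illustrative.

```python
def user_keys(n, u):
    """Node ids whose keys user u stores: the path from its leaf to the root."""
    node, path = n + u, []
    while node >= 1:
        path.append(node)
        node //= 2
    return path  # log2(n) + 1 keys, i.e. O(log n) storage

def cover(n, revoked):
    """Cover of U minus R: roots of the sub-trees hanging off the paths to R."""
    if not revoked:
        return [1]  # nobody revoked: the root key reaches every user
    on_path = set()
    for u in revoked:
        on_path.update(user_keys(n, u))  # union of leaf-to-root paths of R
    hanging = []
    for node in sorted(on_path):
        for child in (2 * node, 2 * node + 1):
            if child < 2 * n and child not in on_path:
                hanging.append(child)  # sibling sub-tree with no revoked leaf
    return hanging

def decrypting_node(n, u, cov):
    """The single cover node whose key user u holds, or None if u is revoked."""
    hits = set(user_keys(n, u)) & set(cov)
    assert len(hits) <= 1  # sub-trees in the cover are disjoint
    return hits.pop() if hits else None

if __name__ == "__main__":
    n, revoked = 16, {3, 12}  # constructed sample: 16 users, 2 revoked
    cov = cover(n, revoked)
    print("cover nodes:", cov)  # the content key is encrypted once per node
    for u in range(n):
        print(u, decrypting_node(n, u, cov))
```

For n = 16 and r = 2 the cover has 6 nodes, which equals r log(n/r) = 2 · log2(8) and is below the easier r log n = 8 estimate.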
Traitor Tracing • Goal: trace keys used for illegal decryption • Can be part of a trace-and-revoke mechanism • Assumption: • Broadcaster controls key management • DVD style assumption – tracer has pirate box (which can be reset) • Broadcasting assumption - tracer has agents that receive keys from pirate • Assumption: pirate can “sense” tracing and react • If pirate doesn’t produce CW then pirate loses • Black-box tracing – no access to pirate’s algorithm
Examples • Example: pirate has single decryption key • Send two PIDs – each revoking half the users, extract a single bit. Iterate for other bits • Example: adversary controls two keys with ID1 and ID2 such that ID1ID2=1…1 • Adversary easily defeats binary search traitor tracing • In general – pirate has t keys
Subset tracing • Approach • Partition users into subsets U1,…,Um • Encrypt different CW for every subset • Trace pirate’s CW to subset • Problem – pirate with multiple keys can switch between CWs • Algorithm • Initialize partition to U • Encrypt different CW to each set in partition • If pirate returns CWj assigned to Uj, partition Uj into two subsets of similar size, Uj = Uj1 ∪ Uj2 • Iterate until a subset includes only one user. Revoke user
Subset tracing (cont.) • Number of iterations / keys – t·log(n/t) • Base of log depends on ratio of Uj partition • Practical problem – head-end broadcast systems are often limited in number of different CWs per PID • In DVD style revocation, subset tracing can work with two keys or key and random string • Trace and revoke – complete sub-tree revocation method + subset traitor tracing
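A simulation of the subset tracing loop from the tracer's side, as an added example that is not part of the original slides. The black-box pirate is a constructed model (it holds a set of user keys and always answers with the CW of the largest subset it can still decrypt), and each round stands for one broadcast with a distinct CW per subset.

```python
def make_pirate(keys):
    """Constructed black-box pirate holding the keys of the users in `keys`."""
    def decodes(partition):
        usable = [j for j, s in enumerate(partition) if keys & set(s)]
        if not usable:
            return None  # pirate cannot produce any CW: pirate loses
        # switches between CWs: picks the largest subset it can decrypt
        return max(usable, key=lambda j: len(partition[j]))
    return decodes

def trace(n, pirate_decodes):
    """Subset tracing. Returns (revoked users, number of broadcast rounds)."""
    partition = [list(range(n))]  # initialize partition to U
    revoked, rounds = [], 0
    while partition:
        rounds += 1
        j = pirate_decodes(partition)  # which subset's CW did the pirate return?
        if j is None:
            break  # pirate box is dead, tracing is finished
        subset = partition.pop(j)
        if len(subset) == 1:
            revoked.append(subset[0])  # single user left: revoke
        else:
            mid = len(subset) // 2  # split Uj into two halves of similar size
            partition += [subset[:mid], subset[mid:]]
    return revoked, rounds

if __name__ == "__main__":
    # constructed sample: 16 users, pirate holds the keys of users 3 and 12
    revoked, rounds = trace(16, make_pirate({3, 12}))
    print("revoked:", revoked, "rounds:", rounds)
```

Each pirate key costs at most log2(n) splits plus one revocation round, so a pirate with t keys is disabled within t·(log2(n) + 1) + 1 rounds in this model, even though it switches between CWs.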
Watermarking • Idea • Uses • Visible vs. not visible • Historical analog methods • Method secrecy • Example – changing lower bits in picture pixels