At 03:56 PM 2/23/00 -0600, Rick Smith wrote:
>Now, on the other hand, they could do smartcard sorts of things like the
>satellite TV folks. That ups the ante, since you have to build in a
>smartcard reader and do smartcard-based key management. I'll bet that none
>of those costs are in their business model yet.
*Ding*
The "open" set top boxes will have an FCC-required,
*separable* access control device (aka POD
or glorified sim/smartcard) which can be controlled by the
head-end (ie, the cable co). The head-end can en/disable various services
by talking to a POD, which does *PK ops* and both decrypts the stuff coming
over the cable (if you've paid) and then re-encrypts content inside your
box (if its copy protected). The box will have a unique ID, too, just like
your ethernet
card.
The FCC-requirement that the POD be physically detachable will probably be
found to be an attack point, but the Fed requires it.
Fair-use excerpts :-) from the opencable.org site's public docs:
1. Introduction
This copy protection specification defines the means to protect high value
content on the interface
between the Point of Deployment (POD) Removable Security Module and the
OpenCable Host
device (Host). ...
Content, which is delivered with copying permitted, e.g., free access
off-air broadcast content, is not
copy protected and the means described in this specification do not apply
to it. Such content may be
encrypted from headend to POD but will be delivered in the clear on the POD
Host Interface.
Conversly only ‘copying permitted’ content will be delivered in the clear
(unencrypted) from
headend to POD and so will be output in the clear from the POD to Host with
CCI=00.
The objective of copy protection is to secure protected content against
unauthorized 1 access
throughout the entire delivery chain from source to display. Program
providers have deployed
means to secure content from source to the cable headend and cable systems
have similarly
deployed secure systems from headend to home. Cable set-tops use copy
protection technology to
protect content on the analog and digital outputs to consumer displays.
With the introduction of the POD Module, cable security will terminate in
the POD. A means is
needed to prevent unauthorized access on the POD«Host interface. This
document specifies such a
means. Basically, the POD Module shall decrypt services under control of
the headend and shall re-encrypt
content for the purpose of copy protection across the interface between the
POD Module
and Host device.2
b) The POD«Host interface is protected using:
i) Integer field, 1024 bit Diffie-Hellman key exchange with DFAST
intellectual property
incorporated into the key exchange process.3
ii) Encryption of protected MPEG data across the interface, using DES
encryption.
iii) Authentication of Copy Control Information (CCI) during transmission
from POD to
Host. The POD will receive the CCI through an authenticated CA System
message, and
transfer it to the Host using a specified authentication protocol.
c) Copy Protection on Host device outputs. The digital Host device will
support Macrovision
copy protection on standard-definition analog outputs 4 and will use “5C”
DTLA copy
protection on digital 1394 outputs (per SCTE Standard DVS-194) when these
outputs are
present. Digital Host devices with other outputs will be granted a license
to implement
OpenCable POD Module Interface Technology only if they can satisfactorily
protect copy
protected material.
d) [Informative 5 ] Revocation of selected services. The cable operator’s
Conditional Access
System (CAS) will maintain a list of validated Host devices. When a Host is
determined to
be fraudulent the CAS will selectively deny the appropriate encrypted
services to the
POD/Host. The denial of service may apply to all protected content or to
specific content as
determined by the CAS. For example, if properly enabled, the CAS may
perform the
following:
i) Cut off service to a single channel, such as “HBO”. This could be done
through an EMM,
which would selectively deny service based on a Content Provider’s concerns
about copy
protection.
ii) Cut off service on a program-by-program basis. This might be done
through an ECM,
which would prevent descrambling based on a flag. It addresses the Content
Provider’s
concern about a particular program being sent to a fraudulent or
non-validated Host.
iii) When a Host cannot be validated, e.g., it is lacking a valid
certificate, the CA System
will deny all copy protected services to the POD/Host.
e) [Informative] Service restoration. The CAS will have the ability to
deliver either a
targeted or a broadcast message that authorizes the restoration of services
to a POD that is
mated to a Host previously identified as fraudulent but then cleared of
revalidated.
