130 likes | 297 Views
OCAS. Open Conditional Access System By Menno de Jong A DISSERTATION Submitted to The University of Liverpool in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE 6 March 2004. Sponsor. EchoStar Communication Corporation with
E N D
OCAS Open Conditional Access System By Menno de Jong A DISSERTATION Submitted to The University of Liverpool in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE 6 March 2004
Sponsor EchoStar Communication Corporation with DISH Networks (10 mil. Customers). Delivering Direct Broadcast Satellite. The manager of the European Engineering team Peter Hillen, sponsor of the project with the request: define a design of the next generation conditional access system.
Customer Trustworthy Low cost No CI module or smart card Easy exchangeable Requirements Broadcaster • Secure • Low cost • Easy updates • Killer application • Fair competition Goal Open Conditional Access System that is downloaded and activated like a plug in and no dedicated hardware is needed
Objectives • Analyze standards, existing CA and DRM systems to learn their advantage and weakness. • Identify/analyze existing encryption technique's and protocols to find their advantages to be used for OCAS. • Design an secure environment based on use of a VM and back path to a server. • Find an Open Source implementation for selected encryption technique and VM environment. • Implement a prototype running on a satellite receiver and PC.
Research Standards • DVB is the most used world wide standard. • The DVB-CI interface creates exchangeable CA systems using a module. • All cards can be hacked and become to expensive. • Return channel is integrated in security model. • Market is dominated by large actors. • Future CA systems can be download like a plug-in.
Research Encryption ECC Elliptic Curve Cryptography • ECC creates the best ratio key size and level of security • ECC creates less computation (time) for the same security. • ECC supports public key encryption and signature checking • Many different ECC security schema's are standardized
Analysis • OpenSSL for EC + BN functionality Apache-style license http://www.openssl.org/ • Christophe Devine's AES + SHA-1 GNU General Public License http://www.cr0.net:8040/code/crypto/ • There are no patents on use of elliptic curves, AES and SHA-1. • Open-source licensed code can be used commercial purpose when this is explicit mentioned. • Different patent exists for ECC schema's and standards. • Patents on software implementation working reversed in relation to adoption of standards.
Key Challenges • DSDM, iterative and (prototype) incremental. • Design a DVB compliant CA system cope with all constrains. • Port OpenSSL on satellite receiver. • Replace BN assembler code. • Find fast AES and SHA-1 source code. • Select the best ECC algorithms. • Research on IP. • Create the final prototype supporting generating a public key , encrypt, decrypt, signature generate and verify.
Implementation OCAS • Elliptic Curve Encryption Public Key generation (EC_CreatePubKey) • Elliptic Curve Authentication Encryption Scheme (ECAES)Encrypt (EC_Encrypt_File)Decrypt (EC_Decrypt_File) • Elliptic Curve Key Establishment Protocol (ECKEP)Generation (EC_SignatureGeneration)Validation (EC_SignatureVerify) • Windows prototype (ECC) • The total project (BN lib excluded) is analyzed using Understand for C++.Project Metrics (Index).
display usage enter password 2X enter password enter password Signature OK? ECC Examples • The Windows prototype EXE (ecc.exe)Download the ecc.exe and open a command box to start ecc. • ECC<Enter> • ECC p 512 my512<Enter> • ECC g my512 file<Enter> • ECC e my512 file<Enter> • ECC d my512 file.ecc<Enter> • ECC v my512 file<Enter> Test performance: Same commands but with “-t”: • ECC p -t 512 my512<Enter>
Conclusions • ECC and AES encryption can support all CA functionalities and satisfy all constrains inflicted by use of a satellite receiver as operating system. • ECC algorithms provides a secure exchange of data and together with key management design it replace the need for extra hardware and/or a smart card. • High security; (requirement) All of the security elements are exchangeable and exists only in RAM. • low cost; (requirement) Smart card and or expensive CI connectors are not required. • Interchange;(requirement) The entire CA/security system can be exchanged/add and so alternate CA supplier can be introduced by only a new download of Byte Code
Recommendations • ECC, although in development, can already support high level of encryption security. • Care must be taken adopting a standard because not all standards are royalty free. • When decide about using public source evaluate also the supported documentation. • Improve security of DVB CA systems for broadcast content by balance timing, synchronize and create a method to insert and skip fake Control Words.
Downloads (on-line) • OCAS DISSERTATIONOCAS_dissertation.pdf • OCAS Source code (ecc_103.zip)Windows based LCC-win32 • OCAS executable Windows version 1.03ecc.exe + ecc.exe.sig • This presentationOCAS_presentation / .pdf / .sxi / .ppt • My public key