Group Key Distribution Scheme in Digital Pay-TV Systems
Adviser: Min-Shiang Hwang
Reporter: Chun-Ta Li (李俊達)
Date: 2006/06/13
Outline
• Introduction
• Requirements
• Huang et al.’s scheme [1]
• Sun et al.’s scheme [2]
• Comparisons
• Comments
• References
Introduction
• Pay-TV system
  • Conditional Access System (CAS)
• Two classes of pay-TV system
  • The subscription (pay-per-channel, PPC) channels
    • Pay for a period of time, e.g. weekly or monthly
    • Disadvantage: not allowed to unsubscribe the channels
  • The pay-per-view (PPV) channels
    • Pay for each single program
    • Disadvantage: can only be applied on small scale
Introduction (cont.)
• Group key distribution
  [Figure: groups formed from channels C1, C2, C3; m = 3; # of groups = 2^m − 1]
• Four-level key hierarchy [3]
  • Control Word (CW): scrambling of video programs
  • Authorization Key (AK): encrypts the CW
  • Distribution Key (DK): consists of a Private Key (PK), unique for each subscriber, and a Group Key (GK), used as a group key for each group of channels
  • Master Private Key (MPK): encrypts the entitlement management message and DK, and is stored in a smart card-based device
Requirements
• Functionality
  • Subscribers can freely choose the channels and Pay-TV modes
  • Suitable for large scale environment with lots of subscribers and channels (scalability)
  • Group key distribution: groups of subscribed channels and groups of subscribed channels of subscribers (subscriber leaves)
  • Computation load and transmission cost (efficiency)
  • Storage requirement
Requirements (cont.)
• Security
  • Only the authorized subscribers can receive the program (unsubscribed users can’t watch the Pay-TV programs)
  • The conspiracy of subscribers should not compromise the system
Huang et al.’s scheme
• Notations in group-oriented scheme
• Four-level key hierarchy
  • CW: scramble/descramble programs on channels (updated frequently, e.g., 5-20 s)
  • AK: encrypt/decrypt CW (updated periodically, e.g., daily)
  • DK: used to derive AK (updated monthly)
  • SK: secret key held by the subscriber, used to encrypt and decrypt the DK (stored in smart card)
Huang et al.’s scheme (cont.)
• Group-Oriented Key Distribution Scheme
• [Initial Phase] For service provider (SP):
  • SP randomly generates <DK_SP>, where <DK_SP> = [dk_1, dk_2, …, dk_m]
  • SP derives new <AK_SP> by the following procedure:
    • $ak_1 = D \oplus dk_1$, where D is a random number. (A.1)
    • $ak_j = ak_{j-1} \oplus dk_j$, $2 < j < m$. (A.2)
• [Initial Phase] For each subscriber (S_i):
  • SP generates the vector <DK_i> for each subscriber S_i:
    • dk_ij is randomly generated, for GjSGi.
    • $dk_{ij} = (dk_1 \oplus \cdots \oplus dk_j) \oplus (dk_{i1} \oplus \cdots \oplus dk_{i,j-1})$, for GjSGi. (A.3)
  • SP encrypts <DK_i> using the secret key SK_i of S_i.
  • SP transmits {<DK_i>, D}_{sk_i} to S_i.
  • S_i derives new <AK_i> by the following procedure:
    • $ak_{i1} = D \oplus dk_{i1}$. (A.4)
    • $ak_{ij} = ak_{i,j-1} \oplus dk_{ij}$, $2 < j < m$. (A.5)
Huang et al.’s scheme (cont.)
• Group-Oriented Key Distribution Scheme
• Example of the initial phase of group-oriented key distribution scheme:
  • Four groups: G1, G2, G3, and G4
  • Subscriber S1 subscribes subscription channel groups G1, G3, and G4
Huang et al.’s scheme (cont.)
• Group-Oriented Key Distribution Scheme
• [Update Phase] For service provider (SP):
  • SP generates a random number R
  • SP derives new <AK_SP> by the following procedure:
    • $ak_1 = R \oplus dk_1$, where R is a random number. (A.6)
    • $ak_j = ak_{j-1} \oplus dk_j$, $2 < j < m$. (A.7)
  • SP broadcasts (R, h(R)) to all subscribers.
• [Update Phase] For each subscriber (S_i):
  • After receiving (R, h(R)), S_i checks h(R)
  • S_i derives new <AK_i> by the following procedure:
    • $ak_{i1} = R \oplus dk_{i1}$. (A.8)
    • $ak_{ij} = ak_{i,j-1} \oplus dk_{ij}$, $2 < j < m$. (A.9)
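The initial and update phases of the group-oriented scheme, (A.1) to (A.9), as a runnable sketch using the slide example (four groups, S1 subscribed to G1, G3 and G4). This is an added example, not code from the slides or from Huang et al. It assumes 16-byte keys, SHA-256 for h, recurrences that run over j = 2..m inclusive, and that (A.3) is used for the groups a subscriber has subscribed to while the remaining entries are random.

```python
import hashlib
import secrets

KEY_BYTES = 16  # assumed key length; the slides do not give one

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def derive_aks(seed, dks):
    """(A.1)/(A.2) with seed D, (A.6)/(A.7) with seed R: ak_j = ak_{j-1} ^ dk_j."""
    aks, prev = [], seed
    for dk in dks:
        prev = xor(prev, dk)
        aks.append(prev)
    return aks

def subscriber_dks(sp_dks, subscribed):
    """(A.3): build <DK_i>; `subscribed` holds 1-based group indices (assumed reading)."""
    dki = []
    sp_prefix = own_prefix = bytes(KEY_BYTES)
    for j, dk in enumerate(sp_dks, start=1):
        sp_prefix = xor(sp_prefix, dk)             # dk_1 ^ ... ^ dk_j
        if j in subscribed:
            dkij = xor(sp_prefix, own_prefix)      # forces ak_ij == ak_j
        else:
            dkij = secrets.token_bytes(KEY_BYTES)  # random entry, ak_ij is useless
        dki.append(dkij)
        own_prefix = xor(own_prefix, dkij)         # dk_i1 ^ ... ^ dk_ij
    return dki

def accept_broadcast(r, digest):
    """Subscriber-side check of (R, h(R)); h is assumed to be SHA-256."""
    return secrets.compare_digest(hashlib.sha256(r).digest(), digest)

def usable_groups(sp_aks, own_aks):
    return [j for j, (a, b) in enumerate(zip(sp_aks, own_aks), start=1) if a == b]

def run_example():
    sp_dks = [secrets.token_bytes(KEY_BYTES) for _ in range(4)]  # G1..G4
    s1_dks = subscriber_dks(sp_dks, {1, 3, 4})                   # S1: G1, G3, G4
    d = secrets.token_bytes(KEY_BYTES)                           # initial phase
    initial = usable_groups(derive_aks(d, sp_dks), derive_aks(d, s1_dks))
    r = secrets.token_bytes(KEY_BYTES)                           # update phase
    assert accept_broadcast(r, hashlib.sha256(r).digest())
    updated = usable_groups(derive_aks(r, sp_dks), derive_aks(r, s1_dks))
    return initial, updated

if __name__ == "__main__":
    print(run_example())
```

The same <DK_i> vector yields the right authorization keys under both D and R, which is why the update needs only one broadcast value; h(R) lets a subscriber detect a corrupted R but, being unkeyed, does not authenticate the sender.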
Huang et al.’s scheme (cont.)
• Rating-Oriented Key Distribution Scheme
  [Figure labels: interdiction, permission]
Huang et al.’s scheme (cont.)
• Rating-Oriented Key Distribution Scheme
• [Initial Phase] For service provider (SP):
  • SP generates <DK_SP> = [dk_1, dk_2, …, dk_m], where dk_1 is randomly generated. (B.1)
  • $dk_j = f(dk_{j-1})$, where $2 < j < m$ and m is the lowest rating. (B.2)
  • SP then derives the authorization keys using formulas (A.1) and (A.2).
• [Initial Phase] For subscriber (S_i):
  • SP transmits {<DK_i>}_{SK_i} to subscriber S_i, where <DK_i> = [dk_k], for SR_i = R_k. (B.3)
  • S_i derives [dk_{k+1}, …, dk_m], where $dk_j = f(dk_{j-1})$, $k+1 < j < m$. (B.4)
• Slide annotation: AK ?
Huang et al.’s scheme (cont.)
• Rating-Oriented Key Distribution Scheme
• [Update Phase] For service provider (SP):
  • ak_1 is randomly generated. (B.5)
  • $ak_j = \{dk_{j-1}\}_{dk_{j-1}}$, $2 < j < m$. (B.6)
  • SP broadcasts only one message, the encrypted AK of the lower rating channel, to all subscribers S_i
  • SP broadcasts (M, h(M)) to all subscribers
• [Update Phase] For subscriber (S_i):
  • After receiving the message, S_i uses his vector <DK_i> to derive the new vector <AK_i>
  • S_i derives new <AK_i> = [ak_k, ak_{k+1}, …, ak_m], where
    • $ak_m = \{M\}^{-1}_{dk_m}$. (B.7)
    • $ak_j = \{ak_{j+1}\}^{-1}_{dk_{j+1}}$, $k < j < m$. (B.8)
Huang et al.’s scheme (cont.)
• Example of rating-oriented key distribution scheme:
  • Four ratings: R1, R2, R3, and R4
  • Subscriber S1 subscribes channel rating R2
  [Figure panels: Initial Phase, Update Phase]
Huang et al.’s scheme (cont.)
• Key distribution scheme for PPV channel protection
• Three-level key hierarchy: CW, AK and SK protect channel
  [Figure panels: Join, Leave]
Huang et al.’s scheme (cont.)
• Example of key distribution scheme for PPV channel protection
  • Max # subscribers in a UG: 3
  • GP_i: group secret of UG_i
  [Figure panels: 1. S1 join; 2. S2, S3 join; 3. S4 join; 4. S5, S6, S7 join; 5. S4 leave. Each panel shows the SP, the user groups UG1 to UG3 with their group secrets GP1 to GP3, and the messages sent.]
  • {ak_new} = H(ak_current, GP2)
Sun et al.’s scheme
• Key management scheme for user revocation [3][4]
• Notations
  • Group key K
  • R_mi is used to update the group key K
  • I_m6({Rv1, Rv3, Rv4, Rv6, Rm1, Rm2, Rm3, Rm4, Rm5, Rm7, Rm8})
• Member m3 leaves the group: the server broadcasts a message {LEAVE, m3}, then the server and all members but m3 calculate the new group key K’
  [Figure: key tree with member m3 marked; group key K before the leave, K’ after]
Sun et al.’s scheme (cont.)
• Key management scheme for user revocation [3][4]
• Storage problem
  • The required storage for I_mi is |I_mi| = 2M − log M − 2, where M is the number of members in the system
• Solution: HL(Rvi) and HR(Rvi)
  [Figure for member m3; labels: Rv0, Rv1 = HL(Rv0), Rv5, Rv4, Rv6 = HR(Rv2)]
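The storage reduction above, worked through for M = 8 as an added example (not code from the slides or from Sun et al.). It assumes a heap-numbered binary tree (v0 is the root, the last M nodes are m1..mM), SHA-256 with a one-byte prefix standing in for HL and HR, that a member stores only the sibling secret of each node on its path, and the XOR rekeying form the slides give for the RGK updating phase.

```python
import hashlib

def HL(r):  # assumed instantiation of the slide's HL
    return hashlib.sha256(b"L" + r).digest()

def HR(r):  # assumed instantiation of the slide's HR
    return hashlib.sha256(b"R" + r).digest()

def child(parent_secret, n):
    return HL(parent_secret) if n % 2 else HR(parent_secret)

def build_tree(root, M):
    """Server side: secrets for nodes 0..2M-2, each derived from its parent."""
    R = [root]
    for n in range(1, 2 * M - 1):
        R.append(child(R[(n - 1) // 2], n))
    return R

def leaf(M, i):
    return M - 2 + i  # heap index of member m_i (1-based)

def stored_seeds(R, M, i):
    """What m_i keeps: the sibling of every node on its leaf-to-root path."""
    seeds, n = {}, leaf(M, i)
    while n:
        sib = n + 1 if n % 2 else n - 1
        seeds[sib] = R[sib]
        n = (n - 1) // 2
    return seeds

def expand(seeds, M):
    """Re-derive the full set I_mi from the stored seeds with HL/HR."""
    known = dict(seeds)
    for n in range(1, 2 * M - 1):  # ascending order: parents before children
        p = (n - 1) // 2
        if n not in known and p in known:
            known[n] = child(known[p], n)
    return known

def rekey(K, r_leaving):
    """K' = K xor R of the leaving member (form taken from the RGK update)."""
    return bytes(a ^ b for a, b in zip(K, r_leaving))

def label(M, n):
    return f"Rv{n}" if n < M - 1 else f"Rm{n - (M - 2)}"

if __name__ == "__main__":
    R = build_tree(b"\x01" * 32, 8)  # constructed root secret
    view = expand(stored_seeds(R, 8, 6), 8)
    print(len(stored_seeds(R, 8, 6)), sorted(label(8, n) for n in view))
```

Member m6 stores log M = 3 secrets and recovers all 2M − log M − 2 = 11 values of I_m6 listed on the earlier slide, while its own secret and those of its ancestors stay out of reach.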
Sun et al.’s scheme (cont.)
• Key management scheme for user revocation [3][4]
• Extension process (n-level tree)
  • If M is less than 2^n, assign the new member to a vacant leaf directly
  • If M equals 2^n, the server should perform an extension process
  [Figure: tree with n = 2]
Sun et al.’s scheme
• System overview (PPC)
  • Roles: one service provider and many subscribers
  • Four-level hierarchy: CW, AK, RGK and MPK
• Notations: every group, every channel, secret key of subscriber
Sun et al.’s scheme (cont.)
• Motivation: to distribute AK securely and update AK when any subscriber leaves
• Initial phase:
  • Server AK_i T_chi (generate a tree T_chi)
  • Server RGK_j G_j (generate a key tree T_Gj)
• User registration phase:
  • Service provider assigns u_k a unique MPK_k (secure channel), stored in u_k’s register card
Sun et al.’s scheme (cont.)
• Subscribing phase: when u_k subscribes to some channels
  • Service provider transmits four pieces of secret information to u_k:
    • RGK_j
    • All AKs of CHG_j
    • All I_{chi,Gj} for each chiCHGj
    • I_{Gj,uk}
• RGK updating phase: when u_k leaves G_j
  • Service provider broadcasts the message {LEAVE, u_k}
  • All subscribers but u_k in G_j can obtain the new receiving group key $RGK_j' = RGK_j \oplus R_{G_j,u_k}$
• Slide annotations: E(MPKk), E(RGKj), E(RGKj), E(MPKk)
Sun et al.’s scheme (cont.)
• AK updating phase:
  • u_k is suspended from the system
  • (Step 1) Service provider broadcasts {LEAVE, G_j, u_k}
  • (Step 2) Subscribers who subscribe ch_i and are not classified into G_j calculate the new $AK_i' = AK_i \oplus R_{ch_i,G_j}$
  • (Step 3) Subscribers classified into G_j first perform the RGK updating phase to obtain the new RGK_j’. Since they don’t know R_{chi,Gj}, the service provider broadcasts AK_i’ encrypted by RGK_j’ so that they can obtain the new AK_i’
Sun et al.’s scheme (cont.)
• AK updating phase:
  • u_k changes subscribed channels and must be re-classified into an appropriate G_l from the original G_j
  • The RGK_j of G_j should be updated through the RGK updating phase
  • All the channels in CHG_j ∪ CHG_l can be categorized into the following cases:
    • Case 1: CHG_j – CHG_l: the channels in this case are un-subscribed by u_k. The AK_i of these channels must be updated through the AK updating phase
    • Case 2: CHG_l – CHG_j: the channels in this case are about to be subscribed by u_k. The system will perform the subscribing phase to assign u_k all the necessary information of each channel
    • Case 3: CHG_j ∩ CHG_l: the channels ch_i in this case belong to both G_j and G_l, so G_j and G_l are two leaves in T_chi
Sun et al.’s scheme (cont.)
• Problem: the update of one single secret number causes the update of the whole T_chi
• For every node v_n in T_chi: public counter C_{chi,n}
  • $R_{ch_i,v_1} = HL(R_{ch_i,v_{parent\_n}}, C_{ch_i,n})$
  • $R_{ch_i,v_2} = HR(R_{ch_i,v_{parent\_n}}, C_{ch_i,n})$
  • $R_{ch_i,G_5} = HL(R_{ch_i,v_1}, C_{ch_i,G_5})$
  • $R_{ch_i,G_4} = HR(R_{ch_i,v_2}, C_{ch_i,G_4})$
• If a node v_n is on the path from G_l to the root and already known by u_k, C_{chi,n} becomes C_{chi,n}+1 and R_{chi,vn} is re-calculated with the same method
  [Figure: tree T_chi with root v0 (R_{chi,v0}), internal nodes v1, v2 and leaves G2, G5, G6, G4]
• Example of changing subscribed channels
  • RGK2 update: all users in G2 but u3 know R_{G2,u3}
  • ch3: SP transmits four kinds of messages to u3
  • ch2: AK2 must be updated through the AK updating phase
• Example of changing subscribed channels
  • ch5:
  [Figure annotation: (counter +1)]
Comments
• Huang et al.’s scheme
  • collusion problem
  • update phase in group-oriented key distribution scheme: encrypted (R, h(R))
  • How to compute AK for subscriber in initial phase of rating-oriented key distribution scheme
  • leak of DK update phase in both two proposed schemes
• Sun et al.’s scheme
  • collusion problem
  • barter time for space
  • omit the two hashing functions in space requirement
  • leak of reduction process in the tree
References
• [1] Yu-Lun Huang, Shiuhpying Shieh, Fu-Shen Ho, and Jian-Chyuan Wang, “Efficient Key Distribution Schemes for Secure Media Delivery in Pay-TV Systems,” IEEE Transactions on Multimedia, 6(5), pp. 760-769, 2004.
• [2] Hung-Min Sun, Cheng-Zong Shieh, and Chien-Ming Chen, “An Efficient and Flexible Key Distribution Scheme for Conditional Access System in Pay-TV Systems,” in 16th Information Security Conference, Taichung, Taiwan, June 2006.
• [3] A. Fiat and M. Naor, “Broadcast Encryption,” Advances in Cryptology – CRYPTO ’93, Lecture Notes in Computer Science 733, Springer, pp. 480-491, 1994.
• [4] D. Naor, M. Naor and J. Lotspiech, “Revocation and Tracing Schemes for Stateless Receivers,” in Proc. Crypto 2001, Lecture Notes in Computer Science, pp. 41-62, 2001.
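References (cont.)
• Motion Picture Association of America (MPAA)
  • General (G; GENERAL AUDIENCES): Viewers of any age may watch. The film contains no excessive sexual content, crime, cruelty, horror, gore, violence or fighting scenes, and is classified as a "General" film.
  • Protected (PG; PARENTAL GUIDANCE SUGGESTED): Children under six may not watch; children aged six to under twelve must be accompanied and guided by parents, teachers or adult relatives or friends. Films that touch on sexual matters, frightening plots or a confused sense of moral order, and that call for accompaniment and guidance by parents, teachers or adult relatives or friends to avoid harmful effects on children's psychology, are classified as "Protected".
  • Guidance (PG-13; PARENTS STRONGLY CAUTIONED): Children under thirteen may not watch; youths aged thirteen to under eighteen need attentive guidance from parents or teachers. "Guidance" films do not contain sexual matters, crime, violence or fighting incidents, the bizarre, or reflections of society. They also do not involve deformity, profane language, or dialogue with harmful innuendo that risks a harmful effect on children's psychology.
  • Restricted (R; RESTRICTED): Youths under seventeen need to be restrained, accompanied and guided by parents or teachers. The film contains harmful elements such as sexual content, crime, violence and fighting, or involves profane language or dialogue with harmful innuendo that has a harmful effect on youths' psychology; youths under seventeen need parents, teachers or adult relatives or friends to restrain or accompany and guide them.
  • Limited (NC-17; NO ONE 17 AND UNDER ADMITTED): Persons under eighteen may not watch. "Limited" films depict gambling techniques, drug use, excessive sexual content, prostitution, robbery, kidnapping, theft, smuggling, gangs or other criminal acts in fine detail that may induce imitation. "Limited" films also include scenes of horror, gore, cruelty, perversion and obscenity.
• Source: http://www.chinesepyp.com/infohome/link/usafilm.htm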