WO2007116390A2 - Fingerprinting descrambling keys - Google Patents

Publication number
WO2007116390A2
Authority
WO
WIPO (PCT)
Prior art keywords
key
descrambling
data
content
personalization data
Application number
PCT/IL2006/000472
Other languages
French (fr)
Other versions
WO2007116390A3 (en
Inventor
Reuben Sumner
Yaron Sella
Aviad Kipnis
Erez Waisbard
Original Assignee
Nds Limited
Application filed by Nds Limited
Priority to PCT/IL2006/000472
Publication of WO2007116390A2
Publication of WO2007116390A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231 Biological data, e.g. fingerprint, voice or retina
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/42 Anonymization, e.g. involving pseudonyms
    • H04L2209/60 Digital content management, e.g. content distribution

Definitions

  • the present invention relates to systems used for secure communications and more particularly to systems fingerprinting keys used for secure communications in order to make a key traceable back to its source.
  • VideoGuard™ system commercially available from NDS Ltd., One London Rd., Staines, Middlesex,
  • Conditional access systems typically include a Conditional Access Module (CAM), typically comprised in a set top box (STB).
  • CAM Conditional Access Module
  • STB set top box
  • ECM Entitlement Control Message
  • ECM includes information necessary to generate a Control Word (CW) used for descrambling content such as broadcast content.
  • the CAM passes the ECM to a secure computation unit, where the ECM is processed, typically using a secret cryptographic function, to obtain the CW.
  • the CW is then passed back to the CAM, which in turn passes the CW to other components of the STB for use in descrambling the content. Examples of such systems are described in US Patents 5,282,249 and 5,481,609 to Cohen et al and in US Patent 6,178,242 to Tsuria, the disclosures of which are hereby incorporated herein by reference.
  • Control word sharing, simply stated, is the redistribution of key data from a datastream between a decoder and a legitimate smartcard, in order to enable any appropriately equipped decoder to decode a channel.
  • a single subscription could provide keys for an unlimited number of individuals.
  • control word sharing can also be performed in a non-smart card environment, and that the above discussion is not meant to be limiting. It is also appreciated that if control word sharing cannot be prevented, it would be advantageous at least to locate the source of redistribution of key data, so that the broadcaster may attempt to stop the redistribution of key data.
  • Fingerprinting is a measure that preferably enables a legitimate content provider to gather evidence against unauthorized users and re-distributors of digital content.
  • Fingerprinting is generally divided into two categories, covert fingerprinting and overt fingerprinting.
  • in covert fingerprinting, information about the unauthorized user or re-distributor's smartcard ID is typically coded, in a covert manner, along with some other data which is typically inaccessible unless some effort is made to retrieve the information.
  • in overt fingerprinting, information about the unauthorized user or re-distributor's smartcard ID is typically displayed overtly on the screen of the device on which fingerprinting is activated.
  • PCT application PCT/US02/29881 published in the English language as WO 03/028287 on 3 April 2003 describes a method and apparatus that selectively pairs a receiver configured to receive a media program encrypted according to a media encryption key and a conditional access module.
  • the apparatus comprises a security module for receiving and modifying the media encryption key, and a transport module, comprising a decryptor for decrypting the media program.
  • the media encryption key has a portion indicating a first state in which the media program is to be viewable by a set of receivers or a second state in which the media program is to be viewable only by a subset of the set of receivers.
  • the secure e-commerce trade system includes a trade service center, a data transmission network and at least one user end device.
  • the user end device has a unique hardware serial number for use in verification and encryption/decryption of the trade data. By the uniqueness of the hardware serial number, a user cannot verify and encrypt/decrypt trade data via another user end device with another hardware serial number even in the case of the public key and private key known to the user.
  • European Patent EP 1000511 to Scientific-Atlanta Inc. describes a conditional access system comprising a method of decrypting an instance of a service that has been encrypted with a given short-term key.
  • ISO/IEC 13818-1 Information Technology, Generic Coding of Moving Pictures and Associated Audio Information: Systems (also known as the MPEG-2 standard) is a well known standard for broadcast compression.
  • a distributed key can be distributed anonymously. It is desirable, therefore, to provide a mechanism, such as a fingerprinting mechanism, for the distributed key so that the distributed key can be traced back to its source.
  • the only key an attacker is able to access is personalized.
  • the attacker has no access to a depersonalization device.
  • the present invention, in preferred embodiments thereof, seeks to provide an improved content key comprising a fingerprint, the fingerprint comprising information intended to make identification of the source of the content key easier.
  • a method for producing fingerprinted descrambling keys including providing a conditional access module, providing to the conditional access module a content descrambling key and personalization data, the personalization data including data associated with the conditional access module, combining the content descrambling key and the personalization data, encrypting the combined content descrambling key and personalization data according to a key, and outputting the encrypted combined content descrambling key and personalization data.
  • the personalization data includes personalization data unique to the conditional access module.
  • the key is associated with the conditional access module, and is denoted K_CAS_ID.
  • the key K_CAS_ID is hard-coded in the conditional access module.
  • K_CAS_ID is hard-coded in ROM included in the conditional access module.
  • K_CAS_ID is hard-coded in EEPROM included in the conditional access module.
  • K_CAS_ID is hard-coded in circuitry included in the conditional access module.
  • the personalization data includes a CAM ID.
  • the personalization data includes a subscriber ID.
  • the method also includes passing the outputted encrypted combined content descrambling key and personalization data to a descrambling device.
  • the content descrambling key includes an anonymous content descrambling key.
  • the content descrambling key includes data corresponding to an identifiable entity.
  • the identifiable entity includes a particular individual.
  • the identifiable entity includes a group of individuals.
  • the identifiable entity includes a particular device.
  • the identifiable entity includes a group of devices.
  • conditional access module generates redundant data, denoted R, based on the content descrambling key, and inserts the redundant data in the personalization data.
  • redundant data includes a checksum.
  • a method for utilizing a fingerprinted descrambling key including providing a descrambling device with an encrypted combined anonymous content descrambling key and personalization data, the encrypted combined anonymous content descrambling key and personalization data being encrypted according to a key, further providing the descrambling device with a conditional access system ID (CAS ID), producing a fixed decryption key based on the CAS ID, decrypting the encrypted combined anonymous content descrambling key and personalization data with the fixed decryption key, and uncombining the decrypted anonymous content descrambling key from the decrypted personalization data.
  • the fixed decryption key, denoted K_CAS_ID, is a result of applying a function f to the CAS ID.
  • the method also includes delivering the decrypted anonymous content descrambling key to a content descrambler, and descrambling encrypted content with the decrypted content descrambling key.
  • the decrypted personalization data further includes redundant data, the redundant data operative to ensure the validity of the decrypted anonymous content descrambling key.
  • a method including providing a descrambling device with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key, further providing the descrambling device with a conditional access module ID (CAM ID), producing a fixed decryption key based on the CAM ID, and decrypting the encrypted content descrambling key with the fixed decryption key.
  • CAM ID conditional access module ID
  • the fixed decryption key is a result of applying a function f to the CAM ID.
  • the method includes delivering the decrypted anonymous content descrambling key to a content descrambler, and descrambling encrypted content according to the decrypted anonymous content descrambling key.
  • a method including providing a descrambling device with a doubly encrypted combined anonymous content descrambling key and personalization data, the doubly encrypted combined anonymous content descrambling key and personalization data being encrypted according to a first fixed decryption key and a second fixed decryption key, the doubly encrypted combined anonymous content descrambling key and personalization data, the personalization data including a conditional access module ID (CAM ID) of the conditional access module, further providing the descrambling device with a conditional access system ID (CAS ID), producing the first fixed decryption key based on the CAS ID, decrypting a first layer of encryption on the doubly encrypted combined anonymous content descrambling key and personalization data with the first fixed decryption key, thereby deriving an encrypted personalized descrambling key and the CAM ID, uncombining the encrypted personalized descrambling key from the CAM ID, producing the second fixed decryption key based on the CAM ID, decrypt
  • the method includes delivering the decrypted anonymous content descrambling key to a content descrambler, and descrambling encrypted content with the decrypted content descrambling key.
  • the decrypted personalization data further includes redundant data, the redundant data being operative to ensure the validity of the decrypted anonymous content descrambling key.
  • a method for utilizing a fingerprinted descrambling key including providing a descrambling device with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key, and including personalization data, uncombining the encrypted content descrambling key into a first data block and a second data block, such that the personalization data is included in the first data block, and an anonymous content descrambling key is included in the second data block, further providing the descrambling device with a conditional access system ID (CAS ID), producing a fixed decryption key based on the CAS ID, decrypting the first data block with the fixed decryption key, uncombining the decrypted first data block into a third data block and a fourth data block, the fourth data block including the personalization data, inputting the fourth data block into a function and producing a result, K, and decrypting the second data block with K, thereby deriving the anonymous content des
  • CAS ID conditional access system ID
  • the fixed decryption key is a result of applying a function f to the CAS ID.
  • the method includes delivering the decrypted anonymous content descrambling key to a content descrambler, and descrambling encrypted content with the decrypted content descrambling key.
  • the decrypted personalization data further includes redundant data, the redundant data being operative to ensure the validity of the decrypted anonymous content descrambling key.
  • a method for producing a fingerprinted descrambling key including providing a conditional access module with personalization data, producing, at the conditional access module, a content descrambling key, and combining, with a combining function, the content descrambling key and one of the personalization data, and a result of an operation of a first function on the personalization data, wherein the combining function produces a result which is a functionally non-separable result.
  • the combining function includes a cryptographic function.
  • the first function includes a block cipher encryption function.
  • the block cipher encryption function is operative to encrypt the content descrambling key and the personalization data as a single block, according to a fixed key.
  • the fixed key is a fixed secret string.
  • the block cipher encryption function is operative to encrypt the content descrambling key as a single block, according to a derived key.
  • the derived key is derived from the operation of a hash function on the personalization data and a fixed key.
  • fixed key is a fixed secret string.
  • a method for utilizing a fingerprinted descrambling key including providing a descrambling device with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key, and including personalization data, and uncombining, with an uncombining function, the encrypted content descrambling key and the personalization data, wherein the encrypted content descrambling key and the personalization data are functionally non-separable.
  • a method for determining a source of an intercepted unauthorized distributed personalized descrambling key the personalized descrambling key including personalization data and a key for decrypting encrypted content, the personalization data being associated with a particular conditional access module, the method including obtaining the unauthorized distributed personalized descrambling key, identifying a portion of the intercepted unauthorized distributed personalized descrambling key including the personalization data, and determining the identity of the conditional access module based on data included in the personalization data.
  • the data included in the personalization data includes a CAM ID.
  • the data included in the personalization data includes a subscriber ID.
  • a system for producing fingerprinted descrambling keys including a conditional access module, a content descrambling key provided to the conditional access module, and personalization data provided to the conditional access module, the personalization data including data associated with the conditional access module, wherein the content descrambling key and the personalization data are combined, and the combined content descrambling key and personalization data are encrypted according to a key, and the encrypted combined content descrambling key and personalization data are outputted.
  • a system for utilizing a fingerprinted descrambling key including a descrambling device provided with an encrypted combined anonymous content descrambling key and with personalization data, the encrypted combined anonymous content descrambling key and personalization data being encrypted according to a key, the descrambling device including a conditional access system ID (CAS ID) store, storing a CAS ID, and a producer operative to produce a fixed decryption key based on the CAS ID, a decryptor operative to decrypt the encrypted combined anonymous content descrambling key and personalization data according to the fixed decryption key, and an uncombiner operative to uncombine the decrypted anonymous content descrambling key from the decrypted personalization data.
  • a system for utilizing a fingerprinted descrambling key including a descrambling device provided with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key, the descrambling device including a conditional access module ID (CAM ID) store, storing a CAM ID, and a producer operative to produce a fixed decryption key based on the CAM ID, and a decryptor operative to decrypt the encrypted content descrambling key with the fixed decryption key.
  • a system for utilizing a fingerprinted descrambling key including a descrambling device provided with a doubly encrypted combined anonymous content descrambling key and personalization data, the doubly encrypted combined anonymous content descrambling key and personalization data being encrypted according to a first fixed decryption key and a second fixed decryption key, the doubly encrypted combined anonymous content descrambling key and personalization data including a conditional access module ID (CAM ID) of the conditional access module, the descrambling device including a conditional access system ID (CAS ID) store, storing a CAS ID, and a producer operative to produce the first fixed decryption key based on the CAS ID, a decryptor operative to decrypt a first layer of encryption on the doubly encrypted combined anonymous content descrambling key and personalization data with the first fixed decryption key, thereby deriving an encrypted personalized descrambling key and the CAM ID, an
  • a system for utilizing a fingerprinted descrambling key including a descrambling device provided with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key and including personalization data, the descrambling device being operative to uncombine the encrypted content descrambling key into a first data block and a second data block, such that the personalization data is included in the first data block, and an anonymous content descrambling key is included in the second data block
  • the descrambling device including a conditional access system ID (CAS ID) store, storing a provided CAS ID, a producer operative to produce a fixed decryption key based on the CAS ID, a decryptor operative to decrypt the first data block with the fixed decryption key, an uncombiner operative to uncombine the decrypted first data block into a third data block and a fourth data block, the fourth data block including the personalization data,
  • a system for producing a fingerprinted descrambling key including a conditional access module provided with personalization data, the conditional access module including a producer operative to produce a content descrambling key, and a combining function, operative to combine the content descrambling key and one of the personalization data, and the result of an operation of a first function on the personalization data, the result of the combining function being a functionally non-separable result.
  • an apparatus for determining a source of an intercepted unauthorized distributed personalized descrambling key, the personalized descrambling key including personalization data and a key for decrypting encrypted content, the personalization data being associated with a particular conditional access module, including an interceptor operative to intercept the unauthorized distributed personalized descrambling key, an identifier operative to identify a portion of the intercepted unauthorized distributed personalized descrambling key including the personalization data, and a determiner operative to determine the identity of the conditional access module based on data included in the personalization data.
  • Fig. 1 is a simplified block diagram illustration of a system using fingerprinted keys, the system being constructed and operative in accordance with a preferred embodiment of the present invention
  • Fig. 2 is a simplified block diagram illustration of a preferred embodiment of a descrambling device of Fig. 1;
  • Fig. 3 is a simplified block diagram illustration of a preferred embodiment of a personalized descrambling key in the system of Fig. 2;
  • Fig. 4A is a simplified block diagram illustration of a preferred implementation of production of the personalized descrambling key in the system of Fig. 1;
  • Fig. 4B is a simplified block diagram illustration of an alternative preferred embodiment of a descrambling device of Fig. 1;
  • Fig. 4C is a simplified block diagram illustration of another alternative preferred embodiment of a descrambling device of Fig. 1;
  • Fig. 4D is a simplified block diagram illustration of still another alternative preferred embodiment of a descrambling device of Fig. 1;
  • Fig. 5 is a simplified block diagram illustration of a preferred embodiment of a detective device, operative to utilize personalization data depicted in Fig. 3, in order to determine a source for a pirated personalized descrambling key;
  • Fig. 6 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 5;
  • Fig. 7 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4A;
  • Fig. 8 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 2;
  • Fig. 9 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4B;
  • Fig. 10 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4C;
  • Fig. 11 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4D;
  • Fig. 12 is a simplified flow chart illustration of an alternative preferred method of operation of the apparatus of Fig. 4A.
  • Fig. 13 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 5.
  • Fig. 1 is a simplified block diagram illustration of a system using fingerprinted keys, the system being constructed and operative in accordance with a preferred embodiment of the present invention.
  • the system of Fig. 1, preferably implemented in an appropriate combination of hardware and/or software, comprises a descrambling device 100, a conditional access module 300, and an encrypted personalized descrambling key 150.
  • the operation of the system of Fig. 1 is described below, with reference to Figs. 2 - 4D.
  • the system of Fig. 1 may be comprised in any appropriate device, the device being operative to receive scrambled content, decrypt the scrambled content, and display the descrambled content.
  • the system of Fig. 1 may comprise a set top box, personalized video recorder, computer, mp3 player, or other such device.
  • the conditional access module 300 comprises data which can be used to identify the conditional access module.
  • the module preferably combines, with a combining function, the identification data with a control word.
  • the module preferably combines, with a combining function, the result of an operation of some function on the identification data, for example, and without limiting the generality of the foregoing, an encryption function, such as a block cipher encryption function.
  • a block cipher encryption operation is operative to encrypt the content descrambling key and the personalization data as a single block, according to a fixed key, the fixed key being a fixed secret string.
  • the block cipher encryption operation is operative to encrypt the content descrambling key as a single block, according to a derived key, the derived key being derived from the operation of a hash function on the personalization data and the fixed key.
  • the combining function preferably produces a functionally non-separable result (that is, the identification data and the control word cannot be uncombined without an appropriate splitting function).
  • the combining function is typically a cryptographic function.
  • One preferred embodiment of such a method and system is described below, with reference to Fig. 4A. It is appreciated that the splitting function preferably comprises a secret function.
  • the functionally non-separable result is delivered to a descrambling device comprising the appropriate splitting function.
  • the appropriate splitting function is utilized to uncombine, or split, the functionally non-separable result, thereby deriving the control word for use in decrypting content and the identification data, the identification data being ignored by the descrambling device.
  • Fig. 2 is a simplified block diagram illustration of a preferred embodiment of the descrambling device 100 of Fig. 1.
  • the descrambling device 100 receives an input of a conditional access system identifier
  • a third input comprises scrambled content
  • CAS ID 140 is typically embedded in a broadcast stream, comprised in content accompanying metadata.
  • the system of Fig. 1 receives the content accompanying metadata, retrieves the CAS ID, and passes the CAS ID to the descrambling device 100.
  • the CAS ID 140 typically comprises a unique identifier used to identify a particular conditional access system.
  • two broadcasters, each of which purchases an identical conditional access system from the same conditional access vendor, each have a different CAS ID.
  • a conditional access module from one of the two broadcasters will not work within the conditional access system of the second of the two broadcasters.
  • CAS ID is changed for a broadcaster with each new generation of conditional access module. Where the broadcaster is operating with more than one conditional access system, the broadcaster may be using more than one CAS ID.
  • Fig. 3 is a simplified block diagram illustration of a preferred embodiment of a personalized descrambling key 150 in the system of Fig. 2.
  • the personalized content descrambling key 150 comprises two parts: an anonymous content descrambling key 210 and personalization data 220.
  • the anonymous content descrambling key 210 is depicted as comprising 64 bits and the personalization data 220 is depicted as comprising 32 bits.
  • the use of 64 bits and 32 bits for the size of the anonymous content descrambling key 210 and the personalization data 220 respectively is not meant to be limiting.
  • It is appreciated that although Fig. 3 depicts the personalization data 220 as separate from the anonymous content descrambling key 210, in practice, since the personalized descrambling key 150 is encrypted (with a decryption key K_CAS_ID 170, referred to below, for the encrypted personalized descrambling key 150), it is difficult to separate the personalization data 220 from the anonymous content descrambling key 210.
  • the encryption of the personalized descrambling key 150 is discussed in detail below, with reference to Fig. 4A.
  • the personalization data 220 may comprise any information which preferably uniquely identifies the source of the data.
  • the personalization data 220 may comprise a unique CAM identification number or a subscriber number.
  • the personalization data 220 is an arbitrary number. It is appreciated that there need not be limitations on the personalization data 220 (such as limitations requiring the personalization data 220 not be all zeros or not be all ones).
  • the CAS ID 140 is input into the secret function f 110.
  • a value, K_CAS_ID 170, is output.
  • the value CAS ID 140 is typically broadcast unencrypted, as part of the MPEG standard conditional access table (see, for example, pages 69-70 of ISO/IEC 13818-1), and hence is not secret. Since K_CAS_ID 170 is a secret value, however, the value of K_CAS_ID 170 is not easily knowable.
  • secret function f 110 may be a well known encryption function, such as AES using a global secret key, which is available to all descrambling devices 100.
  • K_CAS_ID 170 may be hard-coded in one of the following: in ROM comprised in the conditional access module 300; in EEPROM comprised in the conditional access module 300; and in circuitry comprised in the conditional access module 300.
  • the personalized descrambling key both in an encrypted state 150 and in a decrypted state 155, comprises 96 bits.
  • the 96 bit decrypted personalized descrambling key 155 passes through a splitter 125.
  • the splitter 125 separates the 32 bits of the personalization data 220 from the 64 bit anonymous content descrambling key 210.
  • the 64 bit anonymous content descrambling key 210 is passed to a content descrambler 130.
  • the 64 bit anonymous content descrambling key 210 is used by the content descrambler 130 as a key to descramble the scrambled content 160, thereby producing descrambled content 180.
  • the descrambling device 100 typically has no further need for the 32 bits of the personalization data 220. Thus, the 32 bits of the personalization data 220 are preferably ignored by the descrambling device 100.
  • the content descrambler 130 may comprise a typical content descrambler, well known to those skilled in the art, and comprises standard hardware and software, as appropriate. It is further appreciated that data described above as being moved about between components in the content descrambler 130 is preferably moved about between components all comprised inside a single chip therefore making it difficult to eavesdrop in order to intercept the data.
  • the conditional access module 300 comprises a descrambling key production mechanism 310.
  • the descrambling key production mechanism 310 receives an ECM 305 as an input, and, from the ECM 305, produces the anonymous content descrambling key 210, as is well known in the art. (See, for example, US Patents 5,282,249 and 5,481,609 to Cohen et al and in US Patent 6,178,242 to Tsuria, referred to above.)
  • the anonymous content descrambling key 210 is depicted, by way of example only, as comprising 64 bits.
  • the conditional access module 300 inputs the 64 bit anonymous content descrambling key 210 into an encryptor, E 320, comprised therein.
  • the encryptor E 320 also receives an input of the personalization data
  • the personalization data 220 is depicted, by way of example only, as comprising 32 bits.
  • the encryptor E 320 preferably concatenates or otherwise combines the personalization data 220 with the anonymous content descrambling key 210, in order to produce, in accordance with the example of Fig. 3, a 96 bit value.
  • the 96 bit value is encrypted, preferably using encryption key K_CAS_ID 170.
  • K_CAS_ID 170 is preferably hard coded in the conditional access module 300 for use as the encryption key by the encryptor E 320.
  • the encryptor E 320 preferably encrypts the 96 bit value using the inverse of the decryption method used by the decryptor D 120 (Fig. 2).
  • the decryptor D 120 (Fig. 2) will not decrypt the 96 bit value.
  • the 64 bit anonymous content descrambling key 210 and the personalization data 220 preferably remain encrypted.
  • the encrypted 96 bit result of encryptor E 320 preferably comprises a value which is functionally non-separable. For example, and without limiting the generality of the foregoing, even if the value of the encrypted 96 bit result of encryptor E 320 is known, it is preferably difficult to derive, from the encrypted 96 bit result of encryptor E 320, an encrypted 96 bit result of encryptor E 320 for the 64 bit anonymous content descrambling key 210 and different personalization data (not depicted).
  • the resulting encrypted personalized control word 150 is preferably delivered to the descrambling device 100 for use as described above with reference to Fig. 2.
  • an alternative scheme for combining the anonymous content descrambling key 210 and the personalization data 220 may comprise a concatenation function Cat[(anonymous content descrambling key 210 XOR personalization data 220), personalization data 220].
  • the splitter comprises a function Split[(anonymous content descrambling key 210 XOR personalization data 220), personalization data 220].
  • any other appropriate function may be used to join and split anonymous content descrambling key 210 and personalization data 220.
  • An attempt to eavesdrop on communications between the conditional access module 300 and the descrambling device 100 might intercept a control word being passed from the conditional access module 300 to the descrambling device 100.
  • a point where the encrypted personalized descrambling key 150 might be intercepted is indicated as a theft point 350.
  • the eavesdropper may attempt to distribute the personalized descrambling key, for instance, over the Internet.
  • combining the personalization data 220 with the anonymous content descrambling key 210 to produce the personalized control word 150 enables an investigator to utilize the personalization data 220 to determine the source of the control words being so distributed.
  • a cipher text can be decrypted by any key of appropriate length. However, only a correct key will give a valid plain text message. Decryption with an incorrect key will produce a plain text which is not identical to the original plain text message before encryption. Typically, such a message comprises nonsense.
  • redundant data (not depicted) is preferably added to the personalized descrambling key 150 during the encryption process at the conditional access module 300.
  • redundant data preferably comprises any appropriate function of the personalization data 220.
  • the redundant data may preferably comprise a checksum comprised within the personalization data 220.
  • the redundant data may comprise a data transformation. For example and without limiting the generality of the foregoing: Let X be the bits in the range from bit a until bit b.
  • redundant data = NOT(X), where the operation NOT comprises a bitwise logical NOT operation.
  • Fig. 4B is a simplified block diagram illustration of an alternative preferred embodiment of a descrambling device of Fig. 1.
  • the descrambling device 100 receives an input of an identification number of the conditional access module 300 (Fig. 1), hereinafter referred to as CAM ID 143.
  • the CAM ID 143 is input into secret function f 113.
  • a value, K_CAM_ID 173, is output.
  • K_CAS_ID 170 described above with reference to Fig. 2, K_CAM_ID is not easily knowable.
  • the anonymous content descrambling key 210 is passed to a content descrambler 130.
  • the anonymous content descrambling key 210 is used by the content descrambler 130 as a key to descramble the scrambled content 160, thereby producing descrambled content 180.
  • K_CAS_ID forces a hacker, who is attempting to distribute keys, to blatantly reveal his own CAM ID.
  • CAM ID may preferably be encrypted or hashed with any appropriate encryption or hash function before input into f 113.
  • h(CAM ID), where h is any appropriate hash function may be hard-coded in one of the following: in ROM comprised in ROM comprised in the conditional access module 300 (Fig. 1); in EEPROM comprised in ROM comprised in the conditional access module 300 (Fig. 1); and in circuitry comprised in ROM comprised in the conditional access module 300 (Fig. 1).
  • Fig. 4C is a simplified block diagram illustration of an alternative preferred embodiment of a descrambling device of Fig. 1.
  • the descrambling device 100 receives three inputs: the CAS ID 140; the scrambled content 160; and a doubly encrypted personalized descrambling key 1150 from the conditional access module 300 (Fig. 1).
  • the doubly encrypted personalized descrambling key 1150 is depicted, only for the sake of discussion as being 128 bits.
  • the doubly encrypted personalized descrambling key 1150 comprises a CAM ID 1005 identifying the conditional access module 300 (Fig. 1).
  • the CAS ID 140 is input into a secret function f 1110.
  • K_CAS_ID 1170 is output.
  • K_CAS_ID 1170 is used by a decryptor D1 1120 as a decryption key in order to decrypt the doubly encrypted personalized descrambling key 1150.
  • the 128 bit output of decryptor D1 1120 is input into Splitter1 1125.
  • Splitter1 1125 splits out the CAM ID 1005 embedded in 32 bits of the 128 bit output of decryptor D1 1120, thereby potentially identifying the conditional access module associated with the CAM ID 1005.
  • the remaining 96 bits of an encrypted personalized descrambling key 1155 are input into decryptor D2 1121.
  • CAM ID 1005 is input into a secret function f2 1113, which produces K_CAM_ID. K_CAM_ID is used by decryptor D2 1121 as a decryption key in order to decrypt the encrypted personalized descrambling key 1155.
  • the 96 bits of decrypted output from decryptor D2 1121 are input into Splitter2 1127.
  • Splitter2 1127 splits the 96 bit output of decryptor D2 1121 into the 32 bit personalization data 220 and the 64 bit anonymous content descrambling key 210.
  • the anonymous content descrambling key 210 is passed to a content descrambler 130.
  • the anonymous content descrambling key 210 is used by the content descrambler 130 as a key to descramble the scrambled content 160, thereby producing descrambled content 180.
  • an arbitrary value, CHIP_TYPE, may be assigned to each type of decryptor chip.
  • CHIP_TYPE preferably produces a key K_CHIP_TYPE.
  • the broadcaster may preferably divide information needed to decrypt the anonymous content descrambling key 210.
  • a conditional access vendor may only be provided by the broadcaster with information required to generate K ⁇ yy ⁇ JJD and KQJJJP ⁇ p£-
  • a chip vendor may only be given information required to generate J-Q and j p.
  • Fig. 4D is a simplified block diagram illustration of still another alternative preferred embodiment of a descrambling device 100 of Fig. 1.
  • the CAS ID 140 is input into the secret function f1 1210.
  • a value, K_CAS_ID 170, is output.
  • K_CAS_ID may preferably be hard-coded in the conditional access module 300 (Fig. 1).
  • K_CAS_ID 170 may be hard-coded in one of the following: in ROM comprised in ROM comprised in the conditional access module 300 (Fig. 1); in EEPROM comprised in ROM comprised in the conditional access module 300 (Fig. 1); and in circuitry comprised in ROM comprised in the conditional access module 300 (Fig. 1).
  • a 128 bit personalized content descrambling key 150 from the conditional access module 300 (Fig. 1) is input into the descrambling device 100. It is appreciated, as in the discussions of Figs. 2, 4B, and 4C, bit sizes of data blocks are given by way of example only, and are not meant to be limiting.
  • the 128 bit personalized content descrambling key 150 is input into splitter 1 1220. Splitter 1
  • the 128 bit personalized content descrambling key 150 is produced by the conditional access module 300 (Fig. 1) such that personalization data is comprised in the first 64 bit data block (not depicted), and the anonymous content descrambling key is comprised in the second 64 bit data block (not depicted).
  • the first 64 bit data block (not depicted) is input into decryptor D1 1230, which uses K_CAS_ID 170 as a key to decrypt the 64 bit data block (not depicted).
  • the decrypted 64 bit data block (not depicted) is input into splitter 2 1240.
  • Splitter 2 1240 outputs a first 32 bit data block 1250.
  • the first 32 bit data block 1250 is ignored.
  • Splitter 2 also outputs a second 32 bit data block (not depicted), comprising the personalization data.
  • the second 32 bit data block (not depicted) is input into a function, f2 1260.
  • a value, K 1270, is output by function f2 1260.
  • the first 32 bit data block 1250 is also preferably input into function f2 1260.
  • Inputting the first 32 bit data block 1250 into function f2 1260 provides yet another alternative preferred embodiment, similar to the preferred embodiments discussed above with reference to Figs. 4B and 4C, where, in the case of the alternative embodiment of Fig. 4D, personalization data (first 32 bit data block 1250) replaces CAM ID as the input to f 113 in Fig. 4B, and as the input to f2 1113 in Fig. 4C.
  • the second 64 bit data block (not depicted) is input into a decryptor D2 1280. Decryptor 1280 uses K 1270 as a decryption key to produce the 64 bit anonymous content descrambling key 210.
  • the 64 bit anonymous content descrambling key 210 is used as a decryption key by the content descrambler 130 to descramble the scrambled content 160, thereby producing descrambled content 180.
  • Fig. 5 is a simplified block diagram illustration of a preferred embodiment of the detective device 500, operative to utilize personalization data depicted in Fig. 3, in order to determine a source for a pirated personalized descrambling key.
  • An intercepted encrypted personalized descrambling key 150 is input into the detective device 500.
  • the 96 bit intercepted encrypted personalized descrambling key 150 is decrypted by decryptor D 120.
  • the 96 bit decrypted personalized descrambling key passes through splitter 125.
  • the splitter 125 separates the 32 bits of the personalization data 220 from the 64 bit anonymous content descrambling key 210.
  • the 64 bit anonymous content descrambling key 210 is typically ignored, since the detective device 500 typically has no scrambled content to descramble.
  • the 32 bits of the personalization data 220 are preferably input into a personalization data analyzer 510.
  • the detective device 500 may be adapted to operate with any other preferred embodiment of the present invention.
  • the 64 bit anonymous content descrambling key 210 is used to identify the attacker.
  • a frame may be encrypted a number of times, each time with a different encryption key. Any given device is permitted to decrypt only one encrypted version of the frame and therefore to produce only one of many possible decryption keys. Depending on which particular decryption key is produced, information is derived to assist in determining the identity of the attacker.
  • the anonymous content descrambling key 210 has been described as comprising an anonymous content descrambling key, in fact, the content descrambling key may comprise data corresponding to an identifiable entity.
  • the identifiable entity may comprise one of: an individual; a group of individuals; a device; and a group of devices.
  • the detective device may comprise one of: an individual; a group of individuals; a device; and a group of devices.
  • the 64 bit content descrambling key 210 need not be anonymous, and may be recombined in an appropriate fashion with the 32 bits of the personalization data 220 in order to produce information which may assist in determining the identity of the attacker.
  • the personalization data analyzer 510 is operative to analyze the personalization data 220 and determine, from the data comprised therein, the source of the personalization data.
  • the detective device 500 then preferably outputs the identity of the source of the personalization data 520. For example and without limiting the generality of the foregoing, if the personalization data comprises a unique CAM identification number or a subscriber number, as explained above, the unique CAM identification number or subscriber number are determined and output.
  • Fig. 6 is a simplified flow chart of a preferred method of operation of the apparatus of Fig. 5. The method of Fig. 6 is believed to be self explanatory in light of the above discussion of Fig. 5. Reference is now made to Figs. 7 - 13, of which: Fig. 7 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4A;
  • Fig. 8 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 2;
  • Fig. 9 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4B;
  • Fig. 10 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4C;
  • Fig. 11 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4D;
  • Fig. 12 is a simplified flow chart illustration of an alternative preferred method of operation of the apparatus of Fig. 4A; and Fig. 13 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 5.
  • 2004/0213406 is not easily made to comply with the DVB SimulCrypt model, and also requires calculations which are comparatively computationally intensive. It is appreciated that the present invention is not meant to prevent key distribution attacks, but rather to provide a way of reacting to such attacks by identifying a source of key distribution. Once the source of key distribution is identified, steps can be taken to close down the identified source.
  • the 96 bit decrypted personalized descrambling key 155 may alternatively comprise other data which can preferably be used for other purposes as well.
  • the 96 bit decrypted personalized descrambling key 155 can be used for copy protection.
  • information passed to the descrambling device may be utilized by the descrambling device to identify black listed control words, which originate from a known pirated device. For example and without limiting the generality of the foregoing, if the anonymous content descrambling key 210 is on a black list, then the descrambling device preferably does not descramble scrambled content.

Abstract

A method for producing fingerprinted descrambling keys is described, the method including providing a conditional access module, providing to the conditional access module a content descrambling key and personalization data, the personalization data including data associated with the conditional access module, combining the content descrambling key and the personalization data, encrypting the combined content descrambling key and personalization data according to a key, and outputting the encrypted combined content descrambling key and personalization data. Related methods and apparatus are also described.

Description

FINGERPRINTING DESCRAMBLING KEYS
FIELD OF THE INVENTION
The present invention relates to systems used for secure communications and more particularly to systems fingerprinting keys used for secure communications in order to make a key traceable back to its source.
BACKGROUND OF THE INVENTION
In systems that include secure communications, including conditional access systems as are well known in the art, there is a well-known problem of "hackers" who attempt to access secured communications in an unauthorized manner.
A typical pay television conditional access system is the VideoGuard™ system, commercially available from NDS Ltd., One London Rd., Staines, Middlesex, TW 18 4EX, United Kingdom. Conditional access systems typically include a Conditional Access Module (CAM), typically comprised in a set top box (STB). (It is appreciated that some prior art systems may perform similar functions without having a CAM). In prior art systems, as is well known in the art, the CAM receives an Entitlement Control Message (ECM), typically but not necessarily by broadcast. The ECM includes information necessary to generate a Control Word (CW) used for descrambling content such as broadcast content. The CAM passes the ECM to a secure computation unit, where the ECM is processed, typically using a secret cryptographic function, to obtain the CW. The CW is then passed back to the CAM, which in turn passes the CW to other components of the STB for use in descrambling the content. Examples of such systems are described in US Patents 5,282,249 and 5,481,609 to Cohen et al and in US Patent 6,178,242 to Tsuria, the disclosures of which are hereby incorporated herein by reference.
Those skilled in the art will appreciate that throughout the present specification and claims, references to the CAM and smart card may also apply to Common Interface modules and pods. One particular hacker attack and a system for frustrating such a hacker attack is described in US Patent 5,590,200 to Nachman et al, the disclosure of which is hereby incorporated herein by reference. Briefly, the system of Nachman et al is intended to frustrate a particular type of hacker attack known as "the McCormac hack" or "control word sharing". Control word sharing has also been referred to as "control word redistribution" and "card sharing". Control word sharing, simply stated, is the redistribution of key data from a datastream between a decoder and a legitimate smartcard, in order to enable any appropriately equipped decoder to decode a channel. Thus given an adequate communications network, such as the Internet, a single subscription could provide keys for an unlimited number of individuals.
Examples of another system designed to frustrate control word sharing are described in PCT application PCT/IL02/00691, filed 21 August 2002, and published in the English language on 20 March 2003, as PCT Published Patent Application WO 03/024104 of NDS Ltd.; and corresponding US Patent Application 10/480,413 of Halperin, et al., published as US Published Patent Application 2004/0213406 on 28 Oct. 2004. The disclosures of WO 03/024104 and corresponding US Patent Application 10/480,413 are hereby incorporated herein by reference.
Those skilled in the art will appreciate that control word sharing can also be performed in a non-smart card environment, and that the above discussion is not meant to be limiting. It is also appreciated that if control word sharing cannot be prevented, it would be advantageous at least to locate the source of redistribution of key data, so that the broadcaster may attempt to stop the redistribution of key data.
Fingerprinting is a measure that preferably enables a legitimate content provider to gather evidence against unauthorized users and re-distributors of digital content.
Fingerprinting is generally divided into two categories, covert fingerprinting and overt fingerprinting.
In covert fingerprinting, information about the unauthorized user or re-distributor's smartcard ID is typically coded, in a covert manner, along with some other data which is typically inaccessible unless some effort is made to retrieve the information. In overt fingerprinting, information about the unauthorized user or re-distributor's smartcard ID is typically displayed overtly on the screen of the device on which fingerprinting is activated.
PCT application PCT/US02/29881 , published in the English language as WO 03/028287 on 3 April 2003 describes a method and apparatus that selectively pairs a receiver configured to receive a media program encrypted according to a media encryption key and a conditional access module. In one embodiment, the apparatus comprises a security module for receiving and modifying the media encryption key, and a transport module, comprising a decryptor for decrypting the media program. The media encryption key has a portion indicating a first state in which the media program is to be viewable by a set of receivers or a second state in which the media program is to be viewable only by a subset of the set of receivers.
Published US Patent Application 2003/0187805 of Sheng describes a system and a method for secure electronic commerce trade, applicable in a network environment such as Internet or Intranet to encrypt/decrypt trade data in a symmetric manner and via an asymmetric single function through the use of a hardware serial number, a public key and a private key so as to achieve secure e-commerce trade via point-to-point protocol (PPP). The secure e-commerce trade system includes a trade service center, a data transmission network and at least one user end device. The user end device has a unique hardware serial number for use in verification and encryption/decryption of the trade data. By the uniqueness of the hardware serial number, a user cannot verify and encrypt/decrypt trade data via another user end device with another hardware serial number even in the case of the public key and private key known to the user. European Patent EP 0529261 to International Business Machines
Corporation describes a method and apparatus for securely distributing an initial Data Encryption Algorithm (DEA) key-encrypting key by encrypting a key record (consisting of the key-encrypting key and control information associated with that key-encrypting key) using a public key algorithm and a public key belonging to the intended recipient of the key record. European Patent EP 1000511 to Scientific-Atlanta Inc. describes a conditional access system comprising a method of decrypting an instance of a service that has been encrypted with a given short-term key.
ISO/IEC 13818-1, Information Technology, Generic Coding of Moving Pictures and Associated Audio Information: Systems (also known as the MPEG-2 standard) is a well known standard for broadcast compression.
The disclosures of all references mentioned above and throughout the present specification, as well as the disclosures of all references mentioned in those references, are hereby incorporated herein by reference.
SUMMARY OF THE INVENTION
In a key distribution attack on a content distribution system a distributed key can be distributed anonymously. It is desirable, therefore, to provide a mechanism, such as a fingerprinting mechanism, for the distributed key so that the distributed key can be traced back to its source. Preferably, the only key an attacker is able to access is personalized. Preferably, the attacker has no access to a depersonalization device.
The present invention, in preferred embodiments thereof, seeks to provide an improved content key comprising a fingerprint, the fingerprint comprising information intended to make identification of the source of the content key easier.
There is thus provided in accordance with a preferred embodiment of the present invention a method for producing fingerprinted descrambling keys, the method including providing a conditional access module, providing to the conditional access module a content descrambling key and personalization data, the personalization data including data associated with the conditional access module, combining the content descrambling key and the personalization data, encrypting the combined content descrambling key and personalization data according to a key, and outputting the encrypted combined content descrambling key and personalization data. Further in accordance with a preferred embodiment of the present invention the personalization data includes personalization data unique to the conditional access module.
Still further in accordance with a preferred embodiment of the present invention the key is associated with the conditional access module, and is denoted K_CAS_ID.
Additionally in accordance with a preferred embodiment of the present invention the key K_CAS_ID is hard-coded in the conditional access module.
Moreover in accordance with a preferred embodiment of the present invention K_CAS_ID is hard-coded in ROM included in the conditional access module. Further in accordance with a preferred embodiment of the present invention K_CAS_ID is hard-coded in EEPROM included in the conditional access module.
Still further in accordance with a preferred embodiment of the present invention K_CAS_ID is hard-coded in circuitry included in the conditional access module.
Additionally in accordance with a preferred embodiment of the present invention the personalization data includes a CAM ID.
Moreover in accordance with a preferred embodiment of the present invention the personalization data includes a subscriber ID.
Further in accordance with a preferred embodiment of the present invention the method also includes passing the outputted encrypted combined content descrambling key and personalization data to a descrambling device.
Still further in accordance with a preferred embodiment of the present invention the content descrambling key includes an anonymous content descrambling key.
Additionally in accordance with a preferred embodiment of the present invention the content descrambling key includes data corresponding to an identifiable entity. Moreover in accordance with a preferred embodiment of the present invention the identifiable entity includes a particular individual.
Further in accordance with a preferred embodiment of the present invention the identifiable entity includes a group of individuals.
Still further in accordance with a preferred embodiment of the present invention the identifiable entity includes a particular device.
Additionally in accordance with a preferred embodiment of the present invention the identifiable entity includes a group of devices.
Moreover in accordance with a preferred embodiment of the present invention the conditional access module generates redundant data, denoted R, based on the content descrambling key, and inserts the redundant data in the personalization data. Further in accordance with a preferred embodiment of the present invention the redundant data includes a checksum.
Still further in accordance with a preferred embodiment of the present invention the redundant data R includes a result of a function operating on a range of bits X included in the content descrambling key, such that R = NOT(X).
Additionally in accordance with a preferred embodiment of the present invention the redundant data R includes a result of a function operating on a range of bits X included in the content descrambling key, such that R = Rotate_Bits(X).
There is also provided in accordance with another preferred embodiment of the present invention a method for utilizing a fingerprinted descrambling key, the method including providing a descrambling device with an encrypted combined anonymous content descrambling key and personalization data, the encrypted combined anonymous content descrambling key and personalization data being encrypted according to a key, further providing the descrambling device with a conditional access system ID (CAS ID), producing a fixed decryption key based on the CAS ID, decrypting the encrypted combined anonymous content descrambling key and personalization data with the fixed decryption key, and uncombining the decrypted anonymous content descrambling key from the decrypted personalization data. Further in accordance with a preferred embodiment of the present invention the fixed decryption key, denoted K_CAS_ID, is a result of applying a function f to the CAS ID.
Still further in accordance with a preferred embodiment of the present invention the method also includes delivering the decrypted anonymous content descrambling key to a content descrambler, and descrambling encrypted content with the decrypted content descrambling key.
Additionally in accordance with a preferred embodiment of the present invention the decrypted personalization data further includes redundant data, the redundant data operative to ensure the validity of the decrypted anonymous content descrambling key.
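The following sketch is an added illustration, not part of the patent text, of the producing and utilizing methods summarized above together with the detective device: a CAM combines a 64 bit descrambling key with 32 bits of personalization data and encrypts the 96 bit value under K_CAS_ID = f(CAS ID); the descrambling and detective devices decrypt and split it. The HMAC-based f, the 4-round Feistel standing in for E and D, the layout of 24 bit CAM ID plus 8 bit R = NOT(X), and all sample values are assumptions made for the sketch.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed value: stands in for the global secret behind the secret function f.
GLOBAL_SECRET = b"constructed-demo-secret"
ROUNDS = 4  # assumption: 4-round Feistel as a stand-in 96 bit block cipher


def f(cas_id: int) -> bytes:
    """Secret function f: CAS ID -> K_CAS_ID (HMAC-SHA256 is an assumption)."""
    return hmac.new(GLOBAL_SECRET, cas_id.to_bytes(2, "big"), hashlib.sha256).digest()


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:6]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt96(key: bytes, block: bytes) -> bytes:
    """Encryptor E: mixes both 48 bit halves, so the output has no 'ID part'."""
    if len(block) != 12:
        raise ValueError("block must be 96 bits")
    left, right = block[:6], block[6:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, i, right))
    return left + right


def decrypt96(key: bytes, block: bytes) -> bytes:
    """Decryptor D: exact inverse of encrypt96."""
    if len(block) != 12:
        raise ValueError("block must be 96 bits")
    left, right = block[:6], block[6:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, i, left)), left
    return left + right


def redundancy(cw: bytes) -> int:
    """R = NOT(X), with X taken as the last byte of the key (assumed bit range)."""
    return cw[-1] ^ 0xFF


def cam_personalize(cw: bytes, cam_id: int, cas_id: int) -> bytes:
    """CAM side: combine personalization data with the key, then encrypt."""
    if len(cw) != 8:
        raise ValueError("content descrambling key must be 64 bits")
    personalization = cam_id.to_bytes(3, "big") + bytes([redundancy(cw)])
    return encrypt96(f(cas_id), personalization + cw)


def _decrypt_and_split(epk: bytes, cas_id: int) -> Optional[Tuple[bytes, bytes]]:
    """Decrypt, split into 32 + 64 bits, reject blocks whose redundancy is wrong."""
    plain = decrypt96(f(cas_id), epk)
    personalization, cw = plain[:4], plain[4:]
    if personalization[3] != redundancy(cw):
        return None
    return personalization, cw


def descrambler_recover(epk: bytes, cas_id: int) -> Optional[bytes]:
    """Descrambling device: keeps the key, ignores the personalization data."""
    parts = _decrypt_and_split(epk, cas_id)
    return None if parts is None else parts[1]


def detective_trace(epk: bytes, cas_id: int) -> Optional[int]:
    """Detective device: ignores the key, reports the embedded CAM ID."""
    parts = _decrypt_and_split(epk, cas_id)
    return None if parts is None else int.from_bytes(parts[0][:3], "big")


def tamper_survey(epk: bytes, cas_id: int, cw: bytes) -> Tuple[int, int]:
    """Flip each ciphertext bit in turn; count (key still correct, rejected)."""
    same_key = rejected = 0
    for bit in range(96):
        forged = bytearray(epk)
        forged[bit // 8] ^= 1 << (bit % 8)
        plain = decrypt96(f(cas_id), bytes(forged))
        same_key += plain[4:] == cw
        rejected += descrambler_recover(bytes(forged), cas_id) is None
    return same_key, rejected


if __name__ == "__main__":
    CAS_ID = 0x1234                         # constructed sample value
    CW = bytes.fromhex("0123456789abcdef")  # constructed sample value
    leaked = cam_personalize(CW, 0x00A1B2, CAS_ID)
    print("intercepted block:", leaked.hex())
    print("descrambler key  :", descrambler_recover(leaked, CAS_ID).hex())
    print("traced CAM ID    : %#08x" % detective_trace(leaked, CAS_ID))
    print("tamper survey    :", tamper_survey(leaked, CAS_ID, CW))
```

The survey shows the non-separability property in practice: altering any bit of an intercepted block destroys the descrambling key as well as the embedded ID, and the 8 bit redundancy rejects almost all such altered blocks.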
There is also provided in accordance with still another preferred embodiment of the present invention a method including providing a descrambling device with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key, further providing the descrambling device with a conditional access module ID (CAM ID), producing a fixed decryption key based on the CAM ID, and decrypting the encrypted content descrambling key with the fixed decryption key.
Further in accordance with a preferred embodiment of the present invention the fixed decryption key, denoted K_CAM_ID, is a result of applying a function f to the CAM ID.
Still further in accordance with a preferred embodiment of the present invention the method includes delivering the decrypted anonymous content descrambling key to a content descrambler, and descrambling encrypted content according to the decrypted anonymous content descrambling key.
There is also provided in accordance with still another preferred embodiment of the present invention a method including providing a descrambling device with a doubly encrypted combined anonymous content descrambling key and personalization data, the doubly encrypted combined anonymous content descrambling key and personalization data being encrypted according to a first fixed decryption key and a second fixed decryption key, the doubly encrypted combined anonymous content descrambling key and personalization data, the personalization data including a conditional access module ID (CAM ID) of the conditional access module, further providing the descrambling device with a conditional access system ID (CAS ID), producing the first fixed decryption key based on the CAS ID, decrypting a first layer of encryption on the doubly encrypted combined anonymous content descrambling key and personalization data with the first fixed decryption key, thereby deriving an encrypted personalized descrambling key and the CAM ID, uncombining the encrypted personalized descrambling key from the CAM ID, producing the second fixed decryption key based on the CAM ID, decrypting the encrypted personalized descrambling key with the second fixed decryption key, thereby deriving an anonymous content descrambling key and personalization data, and uncombining the anonymous content descrambling key from personalization data. Further in accordance with a preferred embodiment of the present invention the fixed decryption key, denoted K_CAS_ID, is a result of applying a function f to the CAS ID.
Still further in accordance with a preferred embodiment of the present invention the method includes delivering the decrypted anonymous content descrambling key to a content descrambler, and descrambling encrypted content with the decrypted content descrambling key.
Additionally in accordance with a preferred embodiment of the present invention the decrypted personalization data further includes redundant data, the redundant data being operative to ensure the validity of the decrypted anonymous content descrambling key.
There is also provided in accordance with still another preferred embodiment of the present invention a method for utilizing a fingerprinted descrambling key, the method including providing a descrambling device with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key, and including personalization data, uncombining the encrypted content descrambling key into a first data block and a second data block, such that the personalization data is included in the first data block, and an anonymous content descrambling key is included in the second data block, further providing the descrambling device with a conditional access system ID (CAS ID), producing a fixed decryption key based on the CAS ID, decrypting the first data block with the fixed decryption key, uncombining the decrypted first data block into a third data block and a fourth data block, the fourth data block including the personalization data, inputting the fourth data block into a function and producing a result, K, and decrypting the second data block with K, thereby deriving the anonymous content descrambling key.
Further in accordance with a preferred embodiment of the present invention the fixed decryption key, denoted K_{CAS ID}, is produced as a result of applying a function f to the CAS ID.
Still further in accordance with a preferred embodiment of the present invention the method includes delivering the decrypted anonymous content descrambling key to a content descrambler, and descrambling encrypted content with the decrypted content descrambling key.
Additionally in accordance with a preferred embodiment of the present invention the decrypted personalization data further includes redundant data, the redundant data being operative to ensure the validity of the decrypted anonymous content descrambling key.
There is also provided in accordance with still another preferred embodiment of the present invention a method for producing a fingerprinted descrambling key, the method including providing a conditional access module with personalization data, producing, at the conditional access module, a content descrambling key, and combining, with a combining function, the content descrambling key and one of the personalization data, and a result of an operation of a first function on the personalization data, wherein the combining function produces a result which is a functionally non-separable result. Further in accordance with a preferred embodiment of the present invention the combining function includes a cryptographic function.
Still further in accordance with a preferred embodiment of the present invention the first function includes a block cipher encryption function.
Additionally in accordance with a preferred embodiment of the present invention the block cipher encryption function is operative to encrypt the content descrambling key and the personalization data as a single block, according to a fixed key.
Moreover in accordance with a preferred embodiment of the present invention the fixed key is a fixed secret string. Further in accordance with a preferred embodiment of the present invention the block cipher encryption function is operative to encrypt the content descrambling key as a single block, according to a derived key.
Still further in accordance with a preferred embodiment of the present invention the derived key is derived from the operation of a hash function on the personalization data and a fixed key.
Additionally in accordance with a preferred embodiment of the present invention the fixed key is a fixed secret string.
There is also provided in accordance with still another preferred embodiment of the present invention a method for utilizing a fingerprinted descrambling key, the method including providing a descrambling device with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key, and including personalization data, and uncombining, with an uncombining function, the encrypted content descrambling key and the personalization data, wherein the encrypted content descrambling key and the personalization data are functionally non-separable.
There is also provided in accordance with still another preferred embodiment of the present invention a method for determining a source of an intercepted unauthorized distributed personalized descrambling key, the personalized descrambling key including personalization data and a key for decrypting encrypted content, the personalization data being associated with a particular conditional access module, the method including obtaining the unauthorized distributed personalized descrambling key, identifying a portion of the intercepted unauthorized distributed personalized descrambling key including the personalization data, and determining the identity of the conditional access module based on data included in the personalization data.
Further in accordance with a preferred embodiment of the present invention the data included in the personalization data includes a CAM ID.
Still further in accordance with a preferred embodiment of the present invention the data included in the personalization data includes a subscriber ID.
There is also provided in accordance with still another preferred embodiment of the present invention a system for producing fingerprinted descrambling keys, the system including a conditional access module, a content descrambling key provided to the conditional access module, and personalization data provided to the conditional access module, the personalization data including data associated with the conditional access module, wherein the content descrambling key and the personalization data are combined, and the combined content descrambling key and personalization data are encrypted according to a key, and the encrypted combined content descrambling key and personalization data are outputted.
There is also provided in accordance with still another preferred embodiment of the present invention a system for utilizing a fingerprinted descrambling key, the system including a descrambling device provided with an encrypted combined anonymous content descrambling key and with personalization data, the encrypted combined anonymous content descrambling key and personalization data being encrypted according to a key, the descrambling device including a conditional access system ID (CAS ID) store, storing a CAS ID, and a producer operative to produce a fixed decryption key based on the CAS ID, a decryptor operative to decrypt the encrypted combined anonymous content descrambling key and personalization data according to the fixed decryption key, and an uncombiner operative to uncombine the decrypted anonymous content descrambling key from the decrypted personalization data.
There is also provided in accordance with still another preferred embodiment of the present invention a system for utilizing a fingerprinted descrambling key, the system including a descrambling device provided with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key, the descrambling device including a conditional access module ID (CAM ID) store, storing a CAM ID, and a producer operative to produce a fixed decryption key based on the CAM ID, and a decryptor operative to decrypt the encrypted content descrambling key with the fixed decryption key.
There is also provided in accordance with still another preferred embodiment of the present invention a system for utilizing a fingerprinted descrambling key, the system including a descrambling device provided with a doubly encrypted combined anonymous content descrambling key and personalization data, the doubly encrypted combined anonymous content descrambling key and personalization data being encrypted according to a first fixed decryption key and a second fixed decryption key, the doubly encrypted combined anonymous content descrambling key and personalization data including a conditional access module ID (CAM ID) of the conditional access module, the descrambling device including a conditional access system ID (CAS ID) store, storing a CAS ID, and a producer operative to produce the first fixed decryption key based on the CAS ID, a decryptor operative to decrypt a first layer of encryption on the doubly encrypted combined anonymous content descrambling key and personalization data with the first fixed decryption key, thereby deriving an encrypted personalized descrambling key and the CAM ID, an uncombiner operative to uncombine the encrypted personalized descrambling key from the CAM ID, a second producer operative to produce the second fixed decryption key based on the CAM ID, a second decryptor operative to decrypt the encrypted personalized descrambling key with the second fixed decryption key, thereby deriving an anonymous content descrambling key and personalization data, and a second uncombiner operative to uncombine the anonymous content descrambling key from personalization data.
There is also provided in accordance with still another preferred embodiment of the present invention a system for utilizing a fingerprinted descrambling key, the system including a descrambling device provided with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key and including personalization data, the descrambling device being operative to uncombine the encrypted content descrambling key into a first data block and a second data block, such that the personalization data is included in the first data block, and an anonymous content descrambling key is included in the second data block, the descrambling device including a conditional access system ID (CAS ID) store, storing a provided CAS ID, a producer operative to produce a fixed decryption key based on the CAS ID, a decryptor operative to decrypt the first data block with the fixed decryption key, an uncombiner operative to uncombine the decrypted first data block into a third data block and a fourth data block, the fourth data block including the personalization data, an inputter operative to input the fourth data block into a function and producing a result, K, and a second decryptor operative to decrypt the second data block with K, thereby deriving the anonymous content descrambling key.
There is also provided in accordance with still another preferred embodiment of the present invention a system for producing a fingerprinted descrambling key, the system including a conditional access module provided with personalization data, the conditional access module including a producer operative to produce a content descrambling key, and a combining function, operative to combine the content descrambling key and one of the personalization data, and the result of an operation of a first function on the personalization data, the result of the combining function being a functionally non-separable result.
There is also provided in accordance with still another preferred embodiment of the present invention an apparatus for determining a source of an intercepted unauthorized distributed personalized descrambling key, the personalized descrambling key including personalization data and a key for decrypting encrypted content, the personalization data associated with a particular conditional access module, the apparatus including an interceptor operative to intercept the unauthorized distributed personalized descrambling key, an identifier operative to identify a portion of the intercepted unauthorized distributed personalized descrambling key including the personalization data, and a determiner operative to determine the identity of the conditional access module based on data included in the personalization data.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will be understood and appreciated more fully from the following detailed description, taken in conjunction with the drawings in which:
Fig. 1 is a simplified block diagram illustration of a system using fingerprinted keys, the system being constructed and operative in accordance with a preferred embodiment of the present invention;
Fig. 2 is a simplified block diagram illustration of a preferred embodiment of a descrambling device of Fig. 1;
Fig. 3 is a simplified block diagram illustration of a preferred embodiment of a personalized descrambling key in the system of Fig. 2;
Fig. 4A is a simplified block diagram illustration of a preferred implementation of production of the personalized descrambling key in the system of Fig. 1;
Fig. 4B is a simplified block diagram illustration of an alternative preferred embodiment of a descrambling device of Fig. 1;
Fig. 4C is a simplified block diagram illustration of another alternative preferred embodiment of a descrambling device of Fig. 1;
Fig. 4D is a simplified block diagram illustration of still another alternative preferred embodiment of a descrambling device of Fig. 1;
Fig. 5 is a simplified block diagram illustration of a preferred embodiment of a detective device, operative to utilize personalization data depicted in Fig. 3, in order to determine a source for a pirated personalized descrambling key;
Fig. 6 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 5;
Fig. 7 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4A;
Fig. 8 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 2;
Fig. 9 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4B;
Fig. 10 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4C;
Fig. 11 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4D;
Fig. 12 is a simplified flow chart illustration of an alternative preferred method of operation of the apparatus of Fig. 4A; and
Fig. 13 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 5.
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT
Reference is now made to Fig. 1, which is a simplified block diagram illustration of a system using fingerprinted keys, the system being constructed and operative in accordance with a preferred embodiment of the present invention. The system of Fig. 1, preferably implemented in an appropriate combination of hardware and/or software, comprises a descrambling device 100, a conditional access module 300, and an encrypted personalized descrambling key 150. The operation of the system of Fig. 1 is described below, with reference to Figs. 2-4D. It is appreciated that the system of Fig. 1 may be comprised in any appropriate device, the device being operative to receive scrambled content, decrypt the scrambled content, and display the descrambled content. For example and without limiting the generality of the foregoing, the system of Fig. 1 may comprise a set top box, personalized video recorder, computer, mp3 player, or other such device.
In a generalized method and system for personalizing control words, as presented herein, the conditional access module 300 comprises data which can be used to identify the conditional access module. The module preferably combines, with a combining function, the identification data with a control word. Alternatively, the module preferably combines, with a combining function, the result of an operation of some function on the identification data, for example, and without limiting the generality of the foregoing, an encryption function, such as a block cipher encryption function. In one preferred embodiment of the present invention, a block cipher encryption operation is operative to encrypt the content descrambling key and the personalization data as a single block, according to a fixed key, the fixed key being a fixed secret string. Alternatively, the block cipher encryption operation is operative to encrypt the content descrambling key as a single block, according to a derived key, the derived key being derived from the operation of a hash function on the personalization data and the fixed key.
The combining function preferably produces a functionally non-separable result (that is, the identification data and the control word cannot be uncombined without an appropriate splitting function). The combining function is typically a cryptographic function. One preferred embodiment of such a method and system is described below, with reference to Fig. 4A. It is appreciated that the splitting function preferably comprises a secret function.
The functionally non-separable result is delivered to a descrambling device comprising the appropriate splitting function. The appropriate splitting function is utilized to uncombine, or split, the functionally non-separable result, thereby deriving the control word for use in decrypting content and the identification data, the identification data being ignored by the descrambling device. Several preferred embodiments of such a method and system are described below, with reference to Figs. 2, 4B, 4C, and 4D. A preferred embodiment of a detective device which utilizes the identification data in order to determine a source for a pirated personalized descrambling key is described below with reference to Fig. 5.
Reference is now made to Fig. 2, which is a simplified block diagram illustration of a preferred embodiment of the descrambling device 100 of Fig. 1. The descrambling device 100 receives an input of a conditional access system identifier (CAS ID) 140 and an input of a personalized content descrambling key 150 from the conditional access module 300 (Fig. 1). A third input comprises scrambled content 160, typically received from a broadcaster.
Those skilled in the art will appreciate that the CAS ID 140 is typically embedded in a broadcast stream, comprised in content accompanying metadata. The system of Fig. 1 receives the content accompanying metadata, retrieves the CAS ID, and passes the CAS ID to the descrambling device 100.
The CAS ID 140 typically comprises a unique identifier used to identify a particular conditional access system. Typically, two broadcasters, each of which purchases an identical conditional access system from the same conditional access vendor, each have a different CAS ID. Thus, a conditional access module from one of the two broadcasters will not work within the conditional access system of the second of the two broadcasters. Typically, CAS ID is changed for a broadcaster with each new generation of conditional access module. Where the broadcaster is operating with more than one conditional access system, the broadcaster may be using more than one CAS ID.
Reference is now additionally made to Fig. 3, which is a simplified block diagram illustration of a preferred embodiment of a personalized descrambling key 150 in the system of Fig. 2. The personalized content descrambling key 150 comprises two parts: an anonymous content descrambling key 210 and personalization data 220. By way of example only, the anonymous content descrambling key 210 is depicted as comprising 64 bits and the personalization data 220 is depicted as comprising 32 bits. The use of 64 bits and 32 bits for the size of the anonymous content descrambling key 210 and the personalization data 220 respectively is not meant to be limiting. It is appreciated that although Fig. 3 depicts the personalization data 220 as separate from the anonymous content descrambling key 210, in practice, since the personalized descrambling key 150 is encrypted, with a decryption key (K_{CAS ID} 170 referred to below) for the encrypted personalized descrambling key 150, it is difficult to separate the personalization data 220 from the anonymous content descrambling key 210. The encryption of the personalized descrambling key 150 is discussed in detail below, with reference to Fig. 4A.
Those skilled in the art will appreciate that the personalization data 220 may comprise any information which preferably uniquely identifies the source of the data. For example and without limiting the generality of the foregoing, the personalization data 220 may comprise a unique CAM identification number or a subscriber number. Generally, the personalization data 220 is an arbitrary number. It is appreciated that there need not be limitations on the personalization data 220 (such as limitations requiring the personalization data 220 not be all zeros or not be all ones).
The term "key" and the term "control word" (CW) are used interchangeably throughout the present specification and claims.
Returning to the discussion of the operation of Fig. 2, the CAS ID 140 is input into the secret function f 110. A value, K_{CAS ID} 170, is output. It is appreciated that the value CAS ID 140 is typically broadcast unencrypted, as part of the MPEG standard conditional access table (see, for example, pages 69-70 of ISO/IEC 13818-1), and hence is not secret. Since K_{CAS ID} 170 is a secret value, however, the value of K_{CAS ID} 170 is not easily knowable. Without limiting the generality of the foregoing, secret function f 110 may be a well known encryption function, such as AES using a global secret key, which is available to all descrambling devices 100.
K_{CAS ID} 170 may preferably be hard-coded in the conditional access module 300. In some preferred embodiments of the present invention, K_{CAS ID} 170 may be hard-coded in one of the following: in ROM comprised in the conditional access module 300; in EEPROM comprised in the conditional access module 300; and in circuitry comprised in the conditional access module 300.
K_{CAS ID} 170 is used by a decryptor D 120 as a decryption key in order to decrypt the personalized descrambling key 150, thereby producing a decrypted personalized descrambling key 155. In the present example, where the anonymous content descrambling key 210 is depicted as comprising 64 bits and the personalization data 220 is depicted as comprising 32 bits, the personalized descrambling key, both in an encrypted state 150 and in a decrypted state 155, comprises 96 bits.
The 96 bit decrypted personalized descrambling key 155 passes through a splitter 125. The splitter 125 separates the 32 bits of the personalization data 220 from the 64 bit anonymous content descrambling key 210. The 64 bit anonymous content descrambling key 210 is passed to a content descrambler 130. The 64 bit anonymous content descrambling key 210 is used by the content descrambler 130 as a key to descramble the scrambled content 160, thereby producing descrambled content 180. The descrambling device 100 typically has no further need for the 32 bits of the personalization data 220. Thus, the 32 bits of the personalization data 220 are preferably ignored by the descrambling device 100.
The content descrambler 130 may comprise a typical content descrambler, well known to those skilled in the art, and comprises standard hardware and software, as appropriate. It is further appreciated that data described above as being moved about between components in the content descrambler 130 is preferably moved about between components all comprised inside a single chip therefore making it difficult to eavesdrop in order to intercept the data.
Reference is now made to Fig. 4A, which is a simplified block diagram illustration of a preferred implementation of production of the personalized descrambling key in the system of Fig. 1. The conditional access module 300 comprises a descrambling key production mechanism 310. The descrambling key production mechanism 310 receives an ECM 305 as an input, and, from the ECM 305, produces the anonymous content descrambling key 210, as is well known in the art. (See, for example, US Patents 5,282,249 and 5,481,609 to Cohen et al and in US Patent 6,178,242 to Tsuria, referred to above.)
In accordance with the example of Fig. 3, the anonymous content descrambling key 210 is depicted, by way of example only, as comprising 64 bits. The conditional access module 300 inputs the 64 bit anonymous content descrambling key 210 into an encryptor, E 320, comprised therein. The encryptor E 320 also receives an input of the personalization data 220 from a personalization data generator 330. In accordance with the example of Fig. 3, the personalization data 220 is depicted, by way of example only, as comprising 32 bits. The encryptor E 320 preferably concatenates or otherwise combines the personalization data 220 with the anonymous content descrambling key 210, in order to produce, in accordance with the example of Fig. 3, a 96 bit value. The 96 bit value is encrypted, preferably using encryption key K_{CAS ID} 170.
K_{CAS ID} 170 is preferably hard coded in the conditional access module 300 for use as the encryption key by the encryptor E 320. The encryptor E 320 preferably encrypts the 96 bit value using the inverse of the decryption method used by the decryptor D 120 (Fig. 2).
It is appreciated that in the absence of the encryption key K_{CAS ID} 170, the decryptor D 120 (Fig. 2) will not decrypt the 96 bit value. Thus, the 64 bit anonymous content descrambling key 210 and the personalization data 220 preferably remain encrypted. As is mentioned above, the encrypted 96 bit result of encryptor E 320 preferably comprises a value which is functionally non-separable. For example, and without limiting the generality of the foregoing, even if the value of the encrypted 96 bit result of encryptor E 320 is known, it is preferably difficult to derive, from the encrypted 96 bit result of encryptor E 320, an encrypted 96 bit result of encryptor E 320 for the 64 bit anonymous content descrambling key 210 and different personalization data (not depicted). Alternatively, even if the value of the encrypted 96 bit result of encryptor E 320 is known, it is preferably difficult to derive, from the encrypted 96 bit result of encryptor E 320, an encrypted 64 bit result of encryptor E 320 for the 64 bit anonymous content descrambling key 210.
The resulting encrypted personalized control word 150 is preferably delivered to the descrambling device 100 for use as described above with reference to Fig. 2.
Those skilled in the art will appreciate that the above discussion can be generalized. Given two pieces of information (for instance, the control word and the 32 bits of the personalization data 220) X and Y, the "generalized concatenation" of X and Y is a function GC(X,Y). Similarly, the splitter 125 can be generalized as a function GS satisfying GS(GC(X,Y)) = X,Y. For instance, if X and Y are of similar lengths, then GC(X,Y) = X,(X xor Y). Likewise, where the length in bits of X and Y are multiples of 2, then, GS(Z) = UP(Z),(LP xor UP(Z)), where LP is the lower half part of Z and UP is the upper half part of Z. Although it is arguable that manipulations as described above are some sort of encryption, and thus the suggested manipulation is meaningless as an extra layer of encryption included in encryptor E 320, the inventors of the present invention are of the opinion that since no key is involved, the manipulations described above do not, in fact, comprise an additional layer of encryption. For example and without limiting the generality of the foregoing, an alternative scheme for combining the anonymous content descrambling key 210 and the personalization data 220 may comprise a concatenation function Cat[(anonymous content descrambling key 210 XOR personalization data 220), personalization data 220]. In such a case, the splitter comprises a function Split[(anonymous content descrambling key 210 XOR personalization data 220), personalization data 220]. Likewise, any other appropriate function may be used to join and split anonymous content descrambling key 210 and personalization data 220.
An attempt to eavesdrop on communications between the conditional access module 300 and the descrambling device 100 might intercept a control word being passed from the conditional access module 300 to the descrambling device 100. A point where the encrypted personalized descrambling key 150 might be intercepted is indicated as a theft point 350.
Once the personalized descrambling key has been determined by an eavesdropper, the eavesdropper may attempt to distribute the personalized descrambling key, for instance, over the Internet. As explained below with reference to Figs. 5 and 6, combining the personalization data 220 with the anonymous content descrambling key 210 to produce the personalized control word 150 enables an investigator to utilize the personalization data 220 to determine the source of the control words being so distributed. Furthermore, the attacker will be unable to alter the personalized descrambling key in a way which preserves the anonymous content descrambling key 210, and the attacker will also be unable to extract the anonymous content descrambling key 210. Those skilled in the art will appreciate that a cipher text can be decrypted by any key of appropriate length. However, only a correct key will give a valid plain text message. Decryption with an incorrect key will produce a plain text which is not identical to the original plain text message before encryption. Typically, such a message comprises nonsense. Thus, in order to ensure that the personalized descrambling key 150 does not comprise a nonsense key, and will enable proper descrambling of scrambled content 160 (Fig. 2), redundant data (not depicted) is preferably added to the personalized descrambling key 150 during the encryption process at the conditional access module 300.
Typically, such redundant data preferably comprises any appropriate function of the personalization data 220. For example, and without limiting the generality of the foregoing, the redundant data may preferably comprise a checksum comprised within the personalization data 220. Alternatively, the redundant data may comprise a data transformation. For example and without limiting the generality of the foregoing: Let X be the bits in the range from bit a until bit b.
Then, redundant data = NOT(X), where the operation NOT comprises a bitwise logical NOT operation. Another example of an alternative function to generate the redundant data would be ROTATE_BITS(X), such that for example, if range X comprises 8 bits: 11001100, ROTATE_BITS(X) = 10011001. (In the bit rotation operation, the bits are "rotated" as if the left and right ends of the numeral were joined. Any digits which are shifted past the rightmost place are moved to the leftmost place, and vice-versa).
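The flow of Figs. 4A and 2 described above, with the Cat[(key XOR personalization data), personalization data] combiner and NOT(X) redundant data, as an added Python example that is not code from the patent. The HMAC-SHA256 derivation standing in for f, the 4-round Feistel network standing in for the 96-bit encryptor E and decryptor D, the 16-bit CAM ID layout, and every constant are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed values and stand-ins (assumptions, not taken from the patent):
# f is HMAC-SHA256 under a global secret; E/D is a 4-round Feistel network
# over one 96-bit block. Illustrative only, not a vetted cipher.
GLOBAL_SECRET = b"constructed-global-secret"
MASK16, MASK32 = (1 << 16) - 1, (1 << 32) - 1
MASK48, MASK64 = (1 << 48) - 1, (1 << 64) - 1
ROUNDS = 4

def f(cas_id):
    """Secret function f: public CAS ID -> secret K_CAS_ID."""
    return hmac.new(GLOBAL_SECRET, cas_id.to_bytes(2, "big"), hashlib.sha256).digest()

def _round(key, rnd, half):
    """Keyed round function on a 48-bit half block."""
    msg = bytes([rnd]) + half.to_bytes(6, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:6], "big")

def encrypt96(key, block):
    """Encryptor E: keyed permutation over a single 96-bit block."""
    left, right = block >> 48, block & MASK48
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round(key, rnd, right)
    return (left << 48) | right

def decrypt96(key, block):
    """Decryptor D: inverse of encrypt96."""
    left, right = block >> 48, block & MASK48
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round(key, rnd, left), left
    return (left << 48) | right

def make_pd(cam_id):
    """32-bit personalization data: X = 16-bit CAM ID, then redundant data NOT(X)."""
    if not 0 <= cam_id <= MASK16:
        raise ValueError("CAM ID must fit in 16 bits")
    return (cam_id << 16) | (~cam_id & MASK16)

def check_pd(pd):
    """Return the CAM ID if the redundant data is consistent, else raise."""
    cam_id, redundant = pd >> 16, pd & MASK16
    if redundant != (~cam_id & MASK16):
        raise ValueError("redundant data mismatch")
    return cam_id

def combine(cw, pd):
    """Key-less combiner Cat[(CW XOR PD), PD], giving a 96-bit value."""
    return ((cw ^ pd) << 32) | pd

def split(block):
    """Splitter: inverse of combine, returns (CW, PD)."""
    pd = block & MASK32
    return (block >> 32) ^ pd, pd

def cam_wrap(cw, cam_id, cas_id):
    """CAM side (Fig. 4A): combine, then encrypt as one block under K_CAS_ID."""
    if not 0 <= cw <= MASK64:
        raise ValueError("control word must fit in 64 bits")
    return encrypt96(f(cas_id), combine(cw, make_pd(cam_id)))

def descrambler_unwrap(blob, cas_id):
    """Descrambler side (Fig. 2): decrypt, split, validate, keep only the CW."""
    cw, pd = split(decrypt96(f(cas_id), blob))
    check_pd(pd)  # a nonsense key fails here
    return cw     # the personalization data is ignored from this point on

def trace_source(blob, cas_id):
    """Investigator side: recover the CAM ID from an intercepted key."""
    _, pd = split(decrypt96(f(cas_id), blob))
    return check_pd(pd)

def tamper_survey(blob, cas_id, cw):
    """Flip each of the 96 bits once; return (rejected_by_redundancy, cw_preserved)."""
    rejected = preserved = 0
    for bit in range(96):
        try:
            if descrambler_unwrap(blob ^ (1 << bit), cas_id) == cw:
                preserved += 1
        except ValueError:
            rejected += 1
    return rejected, preserved

if __name__ == "__main__":
    CAS_ID, CW = 0x0900, 0x0123456789ABCDEF  # constructed sample values
    for cam in (0x1A2B, 0x3C4D):
        blob = cam_wrap(CW, cam, CAS_ID)
        print(f"CAM {cam:04x}: key {blob:024x} -> CW {descrambler_unwrap(blob, CAS_ID):016x},"
              f" traced to {trace_source(blob, CAS_ID):04x}")
    print("bit-flip survey (rejected, CW preserved):", tamper_survey(blob, CAS_ID, CW))
```

With only 16 redundant bits, a wrong key or an altered value still passes the check about once in 65,536 attempts, so the width of the redundant data bounds how reliably nonsense keys are rejected.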
It is appreciated that if it is established that the redundant data is incorrect, decryption will not occur. It is also appreciated that the redundant data is preferably functionally non-separable from the personalized descrambling key 150, as described above.
Reference is now made to Fig. 4B, which is a simplified block diagram illustration of an alternative preferred embodiment of a descrambling device of Fig. 1. The descrambling device 100 receives an input of an identification number of the conditional access module 300 (Fig. 1), hereinafter referred to as CAM ID 143. The CAM ID 143 is input into secret function f 113. A value, K_{CAM ID} 173, is output. Like K_{CAS ID} 170 described above with reference to Fig. 2, K_{CAM ID} is not easily knowable. Similarly, K_{CAM ID} may preferably be hard-coded in one of the following: in ROM comprised in the conditional access module 300 (Fig. 1); in EEPROM comprised in the conditional access module 300 (Fig. 1); and in circuitry comprised in the conditional access module 300 (Fig. 1).
ICc AM ID *s Preferably used by the decryptor D 120 as a decryption keyin orderto decrypt the personalized descrambling key 150, thereby producing the anonymous content descrambling key 210. The anonymous content descrambling key 210 is passed to a content descrambler 130. The anonymous content descrambling key 210 is used by the content descrambler 130 as a key to descramble the scrambled content 160, thereby producing descrambled content 180. It is appreciated that using jj) instead of KQAS ID f°rces a hacker, who is attempting to distribute keys, to blatantly reveal his own CAM ID. Those skilled in the art will appreciate that various cryptographic applications may preferably be applied to make it harder for the hacker to conclude that his CAM ID is being exposed. For example and without limiting the generality of the foregoing, CAM ID may preferably be encrypted or hashed with any appropriate encryption or hash function before input into/ 113. Alternatively, h(CAM ID), where h is any appropriate hash function, may be hard-coded in one of the following: in ROM comprised in ROM comprised in the conditional access module 300 (Fig. 1); in EEPROM comprised in ROM comprised in the conditional access module 300 (Fig. 1); and in circuitry comprised in ROM comprised in the conditional access module 300 (Fig. 1).
Reference is now made to Fig. 4C, which is a simplified block diagram illustration of an alternative preferred embodiment of a descrambling device of Fig. 1. In the preferred embodiment depicted in Fig. 4C, as in the preferred embodiment depicted in Fig. 2, the descrambling device 100 receives three inputs: the CAS ID 140; the scrambled content 160; and a doubly encrypted personalized descrambling key 1150 from the conditional access module 300 (Fig. 1). In the present example, the doubly encrypted personalized descrambling key 1150 is depicted, only for the sake of discussion, as being 128 bits. As will be discussed below, the doubly encrypted personalized descrambling key 1150 comprises a CAM ID 1005 identifying the conditional access module 300 (Fig. 1). The CAS ID 140 is input into a secret function f 1110. A value, K_CAS_ID 1170, is output. K_CAS_ID 1170 is used by a decryptor D1 1120 as a decryption key in order to decrypt the doubly encrypted personalized descrambling key 1150. The 128 bit output of decryptor D1 1120 is input into Splitter1 1125. Splitter1 1125 splits out the CAM ID 1005 embedded in 32 bits of the 128 bit output of decryptor D1 1120, thereby potentially identifying the conditional access module associated with the CAM ID 1005. The remaining 96 bits of an encrypted personalized descrambling key 1155 are input into decryptor D2 1121. CAM ID 1005 is input into a secret function f2 1113, which produces K_CAM_ID 1015. K_CAM_ID 1015 is used by decryptor D2 1121 as a decryption key in order to decrypt the encrypted personalized descrambling key 1155. The 96 bits of decrypted output from decryptor D2 1121 are input into Splitter2 1127. Splitter2 1127 splits the 96 bit output of decryptor D2 1121 into the 32 bit personalization data 220 and the 64 bit anonymous content descrambling key 210. The anonymous content descrambling key 210 is passed to a content descrambler 130. The anonymous content descrambling key 210 is used by the content descrambler 130 as a key to descramble the scrambled content 160, thereby producing descrambled content 180.
Those skilled in the art will appreciate that other appropriate variables may be used as input to function f in order to generate keys. For example and without limiting the generality of the foregoing, an arbitrary value, CHIP_TYPE, may be assigned to each type of decryptor chip. Thus, f(CHIP_TYPE) preferably produces a key K_CHIP_TYPE.
To further enhance security, the broadcaster may preferably divide information needed to decrypt the anonymous content descrambling key 210. For example and without limiting the generality of the foregoing, a conditional access vendor may only be provided by the broadcaster with information required to generate K^^yy^ JJD and KQJJJP χγp£- A chip vendor may only be given information required to generate
Figure imgf000027_0001
J-Q and
Figure imgf000027_0002
jp. By doing so, in an embodiment similar to the embodiment depicted in Fig.4C, where multiple layers of encryption are utilized to encrypt the personalized descrambling key, only a portion of the keys needed to decrypt the multiple layers of encryption utilized to encrypt the personalized descrambling key are available to various third vendors.
Reference is now made to Fig. 4D, which is a simplified block diagram illustration of still another alternative preferred embodiment of a descrambling device 100 of Fig. 1. As in Fig. 2, the CAS ID 140 is input into the secret function f1 1210. A value, K_CAS_ID 170, is output. K_CAS_ID 170 may preferably be hard-coded in the conditional access module 300 (Fig. 1). In some preferred embodiments of the present invention, K_CAS_ID 170 may be hard-coded in one of the following: in ROM comprised in the conditional access module 300 (Fig. 1); in EEPROM comprised in the conditional access module 300 (Fig. 1); and in circuitry comprised in the conditional access module 300 (Fig. 1).
A 128 bit personalized content descrambling key 150 from the conditional access module 300 (Fig. 1) is input into the descrambling device 100. It is appreciated, as in the discussions of Figs. 2, 4B, and 4C, bit sizes of data blocks are given by way of example only, and are not meant to be limiting. The 128 bit personalized content descrambling key 150 is input into splitter 1 1220. Splitter 1 1220 outputs a first 64 bit data block (not depicted) and a second 64 bit data block (not depicted). The 128 bit personalized content descrambling key 150 is produced by the conditional access module 300 (Fig. 1) such that personalization data is comprised in the first 64 bit data block (not depicted), and the anonymous content descrambling key is comprised in the second 64 bit data block (not depicted).
The first 64 bit data block (not depicted) is input into decryptor D1 1230, which uses K_CAS_ID 170 as a key to decrypt the 64 bit data block (not depicted). The decrypted 64 bit data block (not depicted) is input into splitter 2 1240. Splitter 2 1240 outputs a first 32 bit data block 1250. The first 32 bit data block 1250 is ignored. Splitter 2 also outputs a second 32 bit data block (not depicted), comprising the personalization data. The second 32 bit data block (not depicted) is input into a function, f2 1260. A value, K 1270, is output by function f2 1260.
Alternatively, the first 32 bit data block 1250 is also preferably input into function f2 1260. Inputting the first 32 bit data block 1250 into function f2 1260 provides yet another alternative preferred embodiment, similar to the preferred embodiments discussed above with reference to Figs. 4B and 4C, where, in the case of the alternative embodiment of Fig. 4D, personalization data (first 32 bit data block 1250) replaces CAM ID as the input to f 113 in Fig. 4B, and as the input to f2 1113 in Fig. 4C.
The second 64 bit data block (not depicted) is input into a decryptor D2 1280. Decryptor 1280 uses K 1270 as a decryption key to produce the 64 bit anonymous content descrambling key 210. As in Fig. 2, the 64 bit anonymous content descrambling key 210 is used as a decryption key by the content descrambler 130 to descramble the scrambled content 160, thereby producing descrambled content 180.
Reference is now made to Fig. 5, which is a simplified block diagram illustration of a preferred embodiment of the detective device 500, operative to utilize personalization data depicted in Fig. 3, in order to determine a source for a pirated personalized descrambling key. An intercepted encrypted personalized descrambling key 150 is input into the detective device 500. In keeping with the example of Fig. 3, the 96 bit intercepted encrypted personalized descrambling key 150 is decrypted by decryptor D 120. The 96 bit decrypted personalized descrambling key passes through splitter 125. The splitter 125 separates the 32 bits of the personalization data 220 from the 64 bit anonymous content descrambling key 210. The 64 bit anonymous content descrambling key 210 is typically ignored, since the detective device 500 typically has no scrambled content to descramble. The 32 bits of the personalization data 220 are preferably input into a personalization data analyzer 510.
Although one particular preferred embodiment of the detective device 500 has been described with reference to Fig. 5, those skilled in the art will appreciate that the detective device 500 may be adapted to operate with any other preferred embodiment of the present invention.
In some schemes designed to determine an identity of an attacker, the 64 bit anonymous content descrambling key 210 is used to identify the attacker. For example, and without limiting the generality of the foregoing, in a video stream, a frame may be encrypted a number of times, each time with a different encryption key. Any given device is permitted to decrypt only one encrypted version of the frame and therefore to produce only one of many possible decryption keys. Depending on which particular decryption key is produced, information is derived to assist in determining the identity of the attacker.
Those skilled in the art will appreciate that although the anonymous content descrambling key 210 has been described as comprising an anonymous content descrambling key, in fact, the content descrambling key may comprise data corresponding to an identifiable entity. The identifiable entity may comprise one of: an individual; a group of individuals; a device; and a group of devices. Thus, in an alternative preferred embodiment of the detective device 500, the 64 bit content descrambling key 210 need not be anonymous, and may be recombined in an appropriate fashion with the 32 bits of the personalization data 220 in order to produce information which may assist in determining the identity of the attacker.
The personalization data analyzer 510 is operative to analyze the personalization data 220 and determine, from the data comprised therein, the source of the personalization data. The detective device 500 then preferably outputs the identity of the source of the personalization data 520. For example and without limiting the generality of the foregoing, if the personalization data comprises a unique CAM identification number or a subscriber number, as explained above, the unique CAM identification number or subscriber number are determined and output. An investigator is then able to use the unique CAM identification number or subscriber number to attempt to determine how and where a security breach might have occurred.
Reference is now made to Fig. 6, which is a simplified flow chart of a preferred method of operation of the apparatus of Fig. 5. The method of Fig. 6 is believed to be self explanatory in light of the above discussion of Fig. 5.
Reference is now made to Figs. 7 - 13, of which:
Fig. 7 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4A;
Fig. 8 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 2;
Fig. 9 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4B;
Fig. 10 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4C;
Fig. 11 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 4D;
Fig. 12 is a simplified flow chart illustration of an alternative preferred method of operation of the apparatus of Fig. 4A; and
Fig. 13 is a simplified flow chart illustration of a preferred method of operation of the apparatus of Fig. 5.
The methods of Figs. 7 - 13 are believed to be self explanatory in light of the above discussion.
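The following added example (not code from the patent) runs the Fig. 4C flow end to end together with the redundant-data check and a detective device adapted to that embodiment, as the description says is possible. Assumptions: an HMAC-SHA256 derivation stands in for the secret functions f and f2, a toy Feistel cipher stands in for decryptors D1 and D2, and the field order inside each block, the 16 bit subscriber tag and the choice of X as the low 16 bits of the control word are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins: the patent does not specify f, f2 or the block cipher.
F_SECRET = b"constructed secret behind f"      # CAS ID -> K_CAS_ID
F2_SECRET = b"constructed secret behind f2"    # CAM ID -> K_CAM_ID
ROUNDS = 8
MASK16, MASK64, MASK96 = (1 << 16) - 1, (1 << 64) - 1, (1 << 96) - 1


def derive_key(secret: bytes, ident: int) -> bytes:
    """Stand-in for a secret function: maps a 32-bit ID to a fixed key."""
    return hmac.new(secret, ident.to_bytes(4, "big"), hashlib.sha256).digest()


def _round(key: bytes, rnd: int, half: int, half_bits: int) -> int:
    """Feistel round function: HMAC-SHA256 truncated to half a block."""
    msg = bytes([rnd]) + half.to_bytes(half_bits // 8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - half_bits)


def feistel(key: bytes, block: int, bits: int, decrypt: bool = False) -> int:
    """Toy balanced Feistel permutation on a `bits`-wide block (96 or 128)."""
    hb = bits // 2
    left, right = block >> hb, block & ((1 << hb) - 1)
    if decrypt:
        for i in reversed(range(ROUNDS)):
            left, right = right ^ _round(key, i, left, hb), left
    else:
        for i in range(ROUNDS):
            left, right = right, left ^ _round(key, i, right, hb)
    return (left << hb) | right


def redundant(cw: int) -> int:
    """R = NOT(X), taking X as the low 16 bits of the control word (assumed)."""
    return ~cw & MASK16


def cam_wrap(cas_id: int, cam_id: int, subscriber: int, cw: int) -> int:
    """CAM side of Fig. 4C: build the 128-bit doubly encrypted key 1150."""
    pers = (subscriber << 16) | redundant(cw)      # 32-bit personalization data
    inner = feistel(derive_key(F2_SECRET, cam_id), (pers << 64) | cw, 96)
    return feistel(derive_key(F_SECRET, cas_id), (cam_id << 96) | inner, 128)


def unwrap(cas_id: int, blob: int):
    """D1 -> Splitter1 -> D2 -> Splitter2; returns (cam_id, subscriber, cw, ok)."""
    outer = feistel(derive_key(F_SECRET, cas_id), blob, 128, decrypt=True)
    cam_id, inner_ct = outer >> 96, outer & MASK96
    inner = feistel(derive_key(F2_SECRET, cam_id), inner_ct, 96, decrypt=True)
    pers, cw = inner >> 64, inner & MASK64
    return cam_id, pers >> 16, cw, (pers & MASK16) == redundant(cw)


def descramble_key(cas_id: int, blob: int):
    """Descrambling device: release the control word only if R checks out."""
    _, _, cw, ok = unwrap(cas_id, blob)
    return cw if ok else None


def trace_source(cas_id: int, blob: int):
    """Detective device: identify the CAM behind an intercepted key."""
    cam_id, subscriber, _, ok = unwrap(cas_id, blob)
    return (cam_id, subscriber) if ok else None


def rejected_bit_flips(cas_id: int, blob: int) -> int:
    """Count single-bit alterations of the blob that the R check rejects."""
    return sum(descramble_key(cas_id, blob ^ (1 << b)) is None for b in range(128))


if __name__ == "__main__":
    CAS_ID, CW = 0x0000CA50, 0x0123456789ABCDEF    # constructed values
    blob_a = cam_wrap(CAS_ID, 0x00A1B2C3, 0x1001, CW)
    blob_b = cam_wrap(CAS_ID, 0x00D4E5F6, 0x2002, CW)
    print(f"{blob_a:032x}\n{blob_b:032x}")          # same CW, different wire keys
    print(hex(descramble_key(CAS_ID, blob_a)), trace_source(CAS_ID, blob_b))
    print(rejected_bit_flips(CAS_ID, blob_a), "of 128 altered keys rejected")
```

Two modules given the same control word emit different 128 bit keys, each of which traces back to its own CAM ID. With a 16 bit R, a randomly altered key passes the check with probability about 2^-16, so a wider R tightens the rejection.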
Those skilled in the art will appreciate that other solutions exist to mitigate key-distribution attacks. It is believed by the inventors of the present invention that most known prior art systems require serialization of a secret into secret non-volatile memory comprised in the descrambling device. In contrast, the present invention, by fingerprinting the descrambling key, does not require any such content personalization. Likewise, the inventors of the present invention believe that the system of Halperin, et al., described in US Published Patent Application 2004/0213406, is not easily made to comply with the DVB SimulCrypt model, and also requires calculations which are comparatively computationally intensive.
It is appreciated that the present invention is not meant to prevent key distribution attacks, but rather to provide a way of reacting to such attacks by identifying a source of key distribution. Once the source of key distribution is identified, steps can be taken to close down the identified source.
It is appreciated that in a scheme such as the scheme discussed above where a frame may be encrypted a number of times, each time with a different encryption key, if there is no difference between two frames except a control word according to which the two frames are scrambled, such a scheme also comprises a personalized control word scheme. However, such a scheme requires that at least one frame be repeated, and thereby increases bandwidth requirements of content.
It is further appreciated that the 96 bit decrypted personalized descrambling key 155 may alternatively comprise other data which can preferably be used for other purposes as well. For example and without limiting the generality of the foregoing, the 96 bit decrypted personalized descrambling key 155 can be used for copy protection. Furthermore, information passed to the descrambling device may be utilized by the descrambling device to identify black listed control words, which originate from a known pirated device. For example and without limiting the generality of the foregoing, if the anonymous content descrambling key 210 is on a black list, then the descrambling device preferably does not descramble scrambled content.
It is appreciated that various features of the invention which are, for clarity, described in the contexts of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable subcombination.
It will be appreciated by persons skilled in the art that the present invention is not limited by what has been particularly shown and described hereinabove. Rather the scope of the invention is defined only by the claims which follow:

Claims

What is claimed is:
1. A method for producing fingerprinted descrambling keys, the method comprising: providing a conditional access module; providing to the conditional access module a content descrambling key and personalization data, the personalization data comprising data associated with the conditional access module; combining the content descrambling key and the personalization data; encrypting the combined content descrambling key and personalization data according to a key; and outputting the encrypted combined content descrambling key and personalization data.
2. The method according to claim 1 and wherein the personalization data comprises personalization data unique to the conditional access module.
3. The method according to either claim 1 or claim 2 and wherein the key is associated with the conditional access module, and is denoted K_CAS_ID.
4. The method according to claim 3 and wherein the key K_CAS_ID is hard-coded in the conditional access module.
5. The method according to claim 4 and wherein K_CAS_ID is hard-coded in ROM comprised in the conditional access module.
6. The method according to claim 4 and wherein K_CAS_ID is hard-coded in EEPROM comprised in the conditional access module.
7. The method according to claim 4 and wherein K_CAS_ID is hard-coded in circuitry comprised in the conditional access module.
8. The method according to any of claims 1 - 4 and wherein the personalization data comprises a CAM ID.
9. The method according to any of claims 1 - 4 and wherein the personalization data comprises a subscriber ID.
10. The method according to any of claims 1 - 9 and also comprising passing the outputted encrypted combined content descrambling key and personalization data to a descrambling device.
11. The method according to any of claims 1 - 10 and wherein the content descrambling key comprises an anonymous content descrambling key.
12. The method according to any of claims 1 - 10 and wherein the content descrambling key comprises data corresponding to an identifiable entity.
13. The method according to claim 12 and wherein the identifiable entity comprises a particular individual.
14. The method according to claim 12 and wherein the identifiable entity comprises a group of individuals.
15. The method according to claim 12 and wherein the identifiable entity comprises a particular device.
16. The method according to claim 12 and wherein the identifiable entity comprises a group of devices.
17. The method according to any of claims 1 - 16 and wherein the conditional access module generates redundant data, denoted R, based on the content descrambling key, and inserts the redundant data in the personalization data.
18. The method according to claim 17 and wherein the redundant data comprises a checksum.
19. The method according to claim 17 and wherein the redundant data R comprises a result of a function operating on a range of bits X comprised in the content descrambling key, such that R = NOT(X) .
20. The method according to claim 17 and wherein the redundant data R comprises a result of a function operating on a range of bits X comprised in the content descrambling key, such that R = Rotate_Bits(X).
21. A method for utilizing a fingerprinted descrambling key, the method comprising: providing a descrambling device with an encrypted combined anonymous content descrambling key and personalization data, the encrypted combined anonymous content descrambling key and personalization data being encrypted according to a key; further providing the descrambling device with a conditional access system ID (CAS ID); producing a fixed decryption key based on the CAS ID; decrypting the encrypted combined anonymous content descrambling key and personalization data with the fixed decryption key; and uncombining the decrypted anonymous content descrambling key from the decrypted personalization data.
22. The method according to claim 21 and wherein the fixed decryption key, denoted K_CAS_ID, is a result of applying a function f to the CAS ID.
23. The method according to claim 21 and also comprising: delivering the decrypted anonymous content descrambling key to a content descrambler; and descrambling encrypted content with the decrypted content descrambling key.
24. The method according to any of claims 21 - 23 and wherein the decrypted personalization data further comprises redundant data, the redundant data operative to ensure the validity of the decrypted anonymous content descrambling key.
25. A method for utilizing a fingerprinted descrambling key, the method comprising: providing a descrambling device with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key; further providing the descrambling device with a conditional access module ID (CAM ID); producing a fixed decryption key based on the CAM ID; and decrypting the encrypted content descrambling key with the fixed decryption key.
26. The method according to claim 21 and wherein the fixed decryption key, denoted K_CAM_ID, is a result of applying a function f to the CAM ID.
27. The method according to either claim 25 or claim 26 and also comprising: delivering the decrypted anonymous content descrambling key to a content descrambler; and descrambling encrypted content according to the decrypted anonymous content descrambling key.
28. A method for utilizing a fingerprinted descrambling key, the method comprising: providing a descrambling device with a doubly encrypted combined anonymous content descrambling key and personalization data, the doubly encrypted combined anonymous content descrambling key and personalization data being encrypted according to a first fixed decryption key and a second fixed decryption key, the doubly encrypted combined anonymous content descrambling key and personalization data, the personalization data comprising a conditional access module ID (CAM ID) of the conditional access module; further providing the descrambling device with a conditional access system ID (CAS ID); producing the first fixed decryption key based on the CAS ID; decrypting a first layer of encryption on the doubly encrypted combined anonymous content descrambling key and personalization data with the first fixed decryption key, thereby deriving an encrypted personalized descrambling key and the CAM ID; uncombining the encrypted personalized descrambling key from the CAM ID; producing the second fixed decryption key based on the CAM ID; decrypting the encrypted personalized descrambling key with the second fixed decryption key, thereby deriving an anonymous content descrambling key and personalization data; and uncombining the anonymous content descrambling key from personalization data.
29. The method according to claim 28 and wherein the fixed decryption key, denoted K_CAS_ID, as a result of applying a function f to the CAS ID.
30. The method according to either claim 28 or claim 29 and also comprising: delivering the decrypted anonymous content descrambling key to a content descrambler; and descrambling encrypted content with the decrypted content descrambling key.
31. The method according to any of claims 28 - 30 and wherein the decrypted personalization data further comprises redundant data, the redundant data being operative to ensure the validity of the decrypted anonymous content descrambling key.
32. A method for utilizing a fingerprinted descrambling key, the method comprising: providing a descrambling device with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key, and comprising personalization data; uncombining the encrypted content descrambling key into a first data block and a second data block, such that the personalization data is comprised in the first data block, and an anonymous content descrambling key is comprised in the second data block; further providing the descrambling device with a conditional access system ID (CAS ID); producing a fixed decryption key based on the CAS ID; decrypting the first data block with the fixed decryption key; uncombining the decrypted first data block into a third data block and a fourth data block, the fourth data block comprising the personalization data; inputting the fourth data block into a function and producing a result, K; and decrypting the second data block with K, thereby deriving the anonymous content descrambling key.
33. The method according to claim 32 and wherein the fixed decryption key, denoted K_CAS_ID, as a result of applying a function f to the CAS ID.
34. The method according to either claim 32 or claim 33 and also comprising: delivering the decrypted anonymous content descrambling key to a content descrambler; and descrambling encrypted content with the decrypted content descrambling key.
35. The method according to any of claims 32 - 34 and wherein the decrypted personalization data further comprises redundant data, the redundant data being operative to ensure the validity of the decrypted anonymous content descrambling key.
36. A method for producing a fingerprinted descrambling key, the method comprising: providing a conditional access module with personalization data; producing, at the conditional access module, a content descrambling key; and combining, with a combining function, the content descrambling key and one of: the personalization data; and a result of an operation of a first function on the personalization data, wherein the combining function produces a result which is a functionally non-separable result.
37. The method according to claim 36 and wherein the combining function comprises a cryptographic function.
38. The method according to either claim 36 or claim 37 and wherein the first function comprises a block cipher encryption function.
39. The method according to claim 38 and wherein the block cipher encryption function is operative to encrypt the content descrambling key and the personalization data as a single block, according to a fixed key.
40. The method according to claim 39 and wherein the fixed key is a fixed secret string.
41. The method according to claim 38 and wherein the block cipher encryption function is operative to encrypt the content descrambling key as a single block, according to a derived key.
42. The method according to claim 41 and wherein the derived key is derived from the operation of a hash function on the personalization data and a fixed key.
43. The method according to claim 42 and wherein the fixed key is a fixed secret string.
44. A method for utilizing a fingerprinted descrambling key, the method comprising: providing a descrambling device with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key, and comprising personalization data; and uncombining, with an uncombining function, the encrypted content descrambling key and the personalization data, wherein the encrypted content descrambling key and the personalization data are functionally non-separable.
45. A method for determining a source of an intercepted unauthorized distributed personalized descrambling key, the personalized descrambling key comprising personalization data and a key for decrypting encrypted content, the personalization data being associated with a particular conditional access module, the method comprising: obtaining the unauthorized distributed personalized descrambling key; identifying a portion of the intercepted unauthorized distributed personalized descrambling key comprising the personalization data; and determining the identity of the conditional access module based on data comprised in the personalization data.
46. The method according to claim 45 wherein the data comprised in the personalization data comprises a CAM ID.
47. The method according to claim 45 wherein the data comprised in the personalization data comprises a subscriber ID.
48. A system for producing fingerprinted descrambling keys, the system comprising: a conditional access module; a content descrambling key provided to the conditional access module; and personalization data provided to the conditional access module, the personalization data comprising data associated with the conditional access module, wherein the content descrambling key and the personalization data are combined, and the combined content descrambling key and personalization data are encrypted according to a key, and the encrypted combined content descrambling key and personalization data are outputted.
49. A system for utilizing a fingerprinted descrambling key, the system comprising: a descrambling device provided with an encrypted combined anonymous content descrambling key and with personalization data, the encrypted combined anonymous content descrambling key and personalization data being encrypted according to a key, the descrambling device comprising: a conditional access system ID (CAS ID) store, storing a CAS ID; and a producer operative to produce a fixed decryption key based on the CAS ID; a decryptor operative to decrypt the encrypted combined anonymous content descrambling key and personalization data according to the fixed decryption key; and an uncombiner operative to uncombine the decrypted anonymous content descrambling key from the decrypted personalization data.
50. A system for utilizing a fingerprinted descrambling key, the system comprising: a descrambling device provided with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key, the descrambling device comprising: a conditional access module ID (CAM ID) store, storing a CAM ID; and a producer operative to produce a fixed decryption key based on the CAM ID; and a decryptor operative to decrypt the encrypted content descrambling key with the fixed decryption key.
51. A system for utilizing a fingerprinted descrambling key, the system comprising: a descrambling device provided with a doubly encrypted combined anonymous content descrambling key and personalization data, the doubly encrypted combined anonymous content descrambling key and personalization data being encrypted according to a first fixed decryption key and a second fixed decryption key, the doubly encrypted combined anonymous content descrambling key and personalization data comprising a conditional access module ID (CAM ID) of the conditional access module the descrambling device comprising: a conditional access system ID (CAS ID) store, storing a CAS ID; and a producer operative to produce the first fixed decryption key based on the CAS ID; a decryptor operative to decrypt a first layer of encryption on the doubly encrypted combined anonymous content descrambling key and personalization data with the first fixed decryption key, thereby deriving an encrypted personalized descrambling key and the CAM ID; an uncombiner operative to uncombine the encrypted personalized descrambling key from the CAM ID; a second producer operative to produce the second fixed decryption key based on the CAM ID; a second decryptor operative to decrypt the encrypted personalized descrambling key with the second fixed decryption key, thereby deriving an anonymous content descrambling key and personalization data; and an second uncombiner operative to uncombine the anonymous content descrambling key from personalization data.
52. A system for utilizing a fingerprinted descrambling key, the system comprising: a descrambling device provided with an encrypted content descrambling key, the encrypted content descrambling key being encrypted according to a key and comprising personalization data, the descrambling device being operative to uncombine the encrypted content descrambling key into a first data block and a second data block, such that the personalization data is comprised in the first data block, and an anonymous content descrambling key is comprised in the second data block the descrambling device comprising: a conditional access system ID (CAS ID) store, storing a provided CAS ID; a producer operative to produce a fixed decryption key based on the CAS ID; a decryptor operative to decrypt the first data block with the fixed decryption key; an uncombiner operative to uncombine the decrypted first data block into a third data block and a fourth data block, the fourth data block comprising the personalization data; an inputter operative to input the fourth data block into a function and producing a result, K; and a second decryptor operative to decrypt the second data block with K, thereby deriving the anonymous content descrambling key.
53. A system for producing a fingerprinted descrambling key, the system comprising: a conditional access module provided with personalization data, the conditional access module comprising: a producer operative to produce a content descrambling key; and a combining function, operative to combine the content descrambling key and one of: the personalization data; and the result of an operation of a first function on the personalization data, the result of the combining function being a functionally non-separable result.
54. An apparatus for determining a source of an intercepted unauthorized distributed personalized descrambling key, the personalized descrambling key comprising personalization data and a key for decrypting encrypted content, the personalization data associated with a particular conditional access module, the apparatus comprising: an interceptor operative to intercept the unauthorized distributed personalized descrambling key; an identifier operative to identify a portion of the intercepted unauthorized distributed personalized descrambling key comprising the personalization data; and a determiner operative to determine the identity of the conditional access module based on data comprised in the personalization data.
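The receiver steps of claim 51 and the source tracing of claim 54, as an added Python sketch that is not code from the patent. The HMAC-based key derivation, the SHAKE-256 keystream cipher used as a stand-in, concatenation as the combining step, the field sizes, and the sample CAS ID, CAM IDs and personalization values are all assumptions made for illustration.

```python
import hashlib, hmac, os

KEY_LEN, PD_LEN, CAM_ID_LEN, NONCE_LEN = 16, 8, 4, 8     # constructed field sizes
CAS_ID = b"CAS-DEMO"                                      # constructed sample CAS ID
REGISTRY = {b"PD-00001": b"CAM1", b"PD-00002": b"CAM2"}   # constructed operator records

def derive_key(label: bytes, ident: bytes) -> bytes:
    """Assumed derivation; the claim only says the key is 'based on' the ID."""
    return hmac.new(label, ident, hashlib.sha256).digest()

def seal(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (no integrity): random nonce + SHAKE-256 keystream XOR."""
    nonce = os.urandom(NONCE_LEN)
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, ks))

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def cam_produce(cas_id: bytes, cam_id: bytes, cw: bytes, pd: bytes) -> bytes:
    """CAM side: combine the key with personalization data, then wrap twice."""
    if (len(cw), len(pd), len(cam_id)) != (KEY_LEN, PD_LEN, CAM_ID_LEN):
        raise ValueError("bad field length")
    inner = seal(derive_key(b"second", cam_id), cw + pd)       # key from CAM ID
    return seal(derive_key(b"first", cas_id), inner + cam_id)  # key from CAS ID

def descrambler_recover(cas_id: bytes, blob: bytes):
    """Claim 51 receiver steps; returns (anonymous key, personalization data, CAM ID)."""
    layer1 = unseal(derive_key(b"first", cas_id), blob)
    enc_key, cam_id = layer1[:-CAM_ID_LEN], layer1[-CAM_ID_LEN:]  # first uncombiner
    plain = unseal(derive_key(b"second", cam_id), enc_key)
    if len(plain) != KEY_LEN + PD_LEN:
        raise ValueError("unexpected payload length")
    return plain[:KEY_LEN], plain[KEY_LEN:], cam_id               # second uncombiner

def trace_source(cas_id: bytes, intercepted: bytes, registry: dict):
    """Claim 54: locate the personalization data in an intercepted key, map it to a CAM."""
    _, pd, _ = descrambler_recover(cas_id, intercepted)
    return registry.get(pd)   # None when the fingerprint is not on record

if __name__ == "__main__":
    cw = os.urandom(KEY_LEN)  # same anonymous key issued through two different CAMs
    for pd, cam in REGISTRY.items():
        blob = cam_produce(CAS_ID, cam, cw, pd)
        print(cam, descrambler_recover(CAS_ID, blob)[0] == cw, trace_source(CAS_ID, blob, REGISTRY))
```

Plain concatenation is separable, so this sketch does not provide the functionally non-separable combination that claim 53 calls for.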
PCT/IL2006/000472 2006-04-11 2006-04-11 Fingerprinting descrambling keys WO2007116390A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IL2006/000472 WO2007116390A2 (en) 2006-04-11 2006-04-11 Fingerprinting descrambling keys

Publications (2)

Publication Number Publication Date
WO2007116390A2 true WO2007116390A2 (en) 2007-10-18
WO2007116390A3 WO2007116390A3 (en) 2009-05-07

Family

ID=38581473

Country Status (1)

Country Link
WO (1) WO2007116390A2 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6510519B2 (en) * 1995-04-03 2003-01-21 Scientific-Atlanta, Inc. Conditional access system
US20030061477A1 (en) * 2001-09-21 2003-03-27 Kahn Raynold M. Method and apparatus for encrypting media programs for later purchase and viewing
US6845159B1 (en) * 1998-10-07 2005-01-18 Protego Information Ab Processing method and apparatus for converting information from a first format into a second format

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011064613A1 (en) * 2009-11-25 2011-06-03 Serela Card sharing countermeasures
EP2369778A1 (en) * 2010-03-26 2011-09-28 Irdeto B.V. Personalized whitebox descramblers
CN102238430A (en) * 2010-03-26 2011-11-09 爱迪德有限责任公司 Personalized whitebox descramblers
US8594330B2 (en) 2010-03-26 2013-11-26 Irdeto Corporate B.V. Personalized whitebox descramblers
EP2373020A1 (en) * 2010-03-29 2011-10-05 Irdeto B.V. Tracing unauthorized use of secure modules
EP2391126A1 (en) * 2010-05-26 2011-11-30 Nagra France Sas Security method for preventing the unauthorized use of multimedia contents
EP2391125A1 (en) * 2010-05-26 2011-11-30 Nagra France Sas Security method for preventing the unauthorized use of multimedia contents
US8571213B2 (en) 2010-05-26 2013-10-29 Nagra France Sas Security method for preventing the unauthorized use of multimedia contents
US8494160B2 (en) 2010-06-01 2013-07-23 Nagravision S.A. Method and apparatus for decrypting encrypted content
EP2393293A1 (en) * 2010-06-01 2011-12-07 Nagravision S.A. A method and apparatus for decrypting encrypted content
EP2393292A1 (en) * 2010-06-01 2011-12-07 Nagravision S.A. A method and apparatus for decrypting encrypted content
KR101803974B1 (en) 2010-06-01 2017-12-01 나그라비젼 에스에이 A method and apparatus for decrypting encrypted content
US20140079216A1 (en) * 2012-09-20 2014-03-20 Cisco Technology Inc. Method and System for Prevention of Control Word Sharing
GB2506219A (en) * 2012-09-20 2014-03-26 Nds Ltd Prevention of control word (CW) sharing by CW and security element identifier (ID) combination and temporal key encryption
US9124770B2 (en) 2012-09-20 2015-09-01 Cisco Technology Inc. Method and system for prevention of control word sharing
GB2506219B (en) * 2012-09-20 2016-06-29 Nds Ltd Method and system for prevention of control word sharing

Also Published As

Publication number Publication date
WO2007116390A3 (en) 2009-05-07

Similar Documents

Publication Publication Date Title
US20130262869A1 (en) Control word protection
KR101620246B1 (en) Secure distribution of content
US9608804B2 (en) Secure key authentication and ladder system
EP1562318B1 (en) System and method for key transmission with strong pairing to destination client
CA2737413C (en) Simulcrypt key sharing with hashed keys
CN105247883B (en) For to media content watermarking method and the system of realizing this method
US20070180464A1 (en) Method and system for restricting use of data in a circuit
CN101282456B (en) Method and apparatus for receiving digital television condition
JPH10271105A (en) Method for protecting information item transmitted from security element to decoder and protection system using such method
US8594330B2 (en) Personalized whitebox descramblers
KR20110096056A (en) Content decryption device and encryption system using an additional key layer
WO2007116390A2 (en) Fingerprinting descrambling keys
KR20150064042A (en) Method and device for digital data blocks encryption and decryption
US10411900B2 (en) Control word protection method for conditional access system
Eskicioglu et al. A key transport protocol based on secret sharing applications to information security
EP3610652A1 (en) Receiving audio and/or video content
FR3072848B1 (en) METHOD FOR RECEIVING AND DETECTING, BY AN ELECTRONIC SECURITY PROCESSOR, A CRYPTOGRAM OF A CONTROL WORD
JP2009089243A (en) Digital broadcast receiving device and method
WO2014154236A1 (en) Obtaining or providing key data
US9847984B2 (en) System for efficient generation and distribution of challenge-response pairs
JP2005191847A (en) Broadcast equipment and receiver
KR20180007286A (en) Protection of Control Words in Conditional Access System

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 06728273

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06728273

Country of ref document: EP

Kind code of ref document: A2