CI Plus Overview - WikiLeaks/ci-plus...CI Plus - System Overview CA Conditional Access CC Content Control CI Common Interface CAM Conditional Access Module CI Plus LLP - file: ci-plus_overview.ppt,

CI Plus Limited Liability Partnership (LLP)www.ci-plus.com

CI Plus Overview

6th July 2009

CI Plus LLP - www.ci-plus.comfile: ci-plus_overview.ppt, v2009-07-06

2 / 24

Table of ContentPage:

• One Page Overview of CI Plus 3• History of Common Interface 4• Requirements & Scope with CI Plus 8• CI Plus System Overview 10• CI Plus Specification 11

- SAC (Secure Authenticated Channel)- Authentification - Protection of TS (Transport Stream)

with CC (Content Control)- URI (Usage Rules Information)- Revocation, Shunning- Interactivity with MHP CA API

• CI Plus Administration 19- CI+ LLP, Certificate Agent & Test Center- CI+ Documentation- Flow Chart of Certification & Licensing

• Summary 23

SC

PCMCIA

CI-CAM

CA

CI

CA Conditional AccessCAM CA ModuleCI Common InterfacePCMCIA Personal Computer Memory

Card International AssociationSC Smart Card


3 / 24

Issue with and Solution with• 1997-02 Quite old standard EN 50221 with unencrypted CAM output• 2006-09 Closed DVB TM-CIT group after missing consensus

• 2007-07 CI+ Forum founded by 6 companies • 2008-01 CI Plus Spec.v1.0 with encrypted output• 2008-11 CI+ forum replaced by CI Plus LLP• 2009-03 Appointment of

Plasma/LCD IDTV

additional Usage Rules for A/D output and storage

Encrypted TV Signal Encrypted Common Interface Module Smartcard

☺

Copy of originaldigital contentis impossible!

x

PCMCIA

Interface

x

One pageoverview

STB, Recorder, ...

http://www.trustcenter.de/index.htm

http://www.digitaltv-labs.com/


4 / 24

History of Common Interface (CI)1997-02: Standard DVB CI v1 (EN 50221)

(with unencrypted output of CAM) 1999-11: Extension ETSI TS 101 6992002-01: EU directive for CI in IDTV with > 30cm2006-09: Start of DVB TM-CIT group

(to close security gaps with new CI v2 ...) Closed after missing consensus on technology

2007-07: Founding CI+ Forum by 6 companies 2007-12 CI Plus Specification draft 2008-01 CI Plus Specification v1.0

(with encrypted CAM interface) 2008-11 Disbanding of CI+ Forum & creation of

CI Plus LLP (UK Limited Liability Partnership) 2009-02 CI Plus Specification v1.1

2009-02 TC TrustCenter GmbH appointed 2009-03 DTV Labs Ltd. appointed test facility

http://upload.wikimedia.org/wikipedia/de/8/82/DVB-Logo.svg




5 / 24

DVB-CI & CI Plus - Usage for SD/HDTV

Set-Top-Box withintegrated

Decrypton-System

(Only for few contentused or permitted)

SDTV

SDTV

SDTV

Smart Card with DVB-CI

Smart Card with CI+

Smart Card Displayor IDTV


6 / 24

DVB CI - Current Standard v1• CI-Module used with smartcard containing key-informationen• CI-Module remove the encryption of protected content• The output of CI-Module is unencrypted• Due to this, most content providers prefer integrated

solutions because of higher security

EncryptedTelevion Signal

CI-module

Smartcard

No

Encryption

Copy of original

digital contentis possible

Plasma / LCD IDTV

EncryptedTelevion Signal

PCMCIA Interface


7 / 24

CI Plus - Protection of Content• Based on existing DVB-CI Standard• Main requirement: achieving the same level of security as embedded solutions• CI Plus Module and Receiver

- Calculation & Usage of a secure key for content protection- Secure, authentificated channel for critical system messages

• The output of module is encrypted• Only certified devices are supported

Plasma / LCD IDTV

Smartcard

Local Encryption

EncryptedTelevision Signal

EncryptedTelevision Signal

Copy oforiginal

digital contentis not possible!

CI Plus Module

PCMCIA Interface


8 / 24

CI Plus - Scope of Protection

CA Conditional AccessCC Content Control


9 / 24

CI Plus - Scope of Compatibility

Host

CA Module (CAM)

DVB CI CI Plus

Host in DVB-CI mode

Module in DVB-CI mode*

Host & Module CI Plus mode

Host & Module DVB-CI mode

☺* DVB-CI mode operation defined by network operator


10 / 24

CI Plus - System Overview

CA Conditional AccessCC Content ControlCI Common InterfaceCAM Conditional Access Module


11 / 24

CI Plus - Specification v1.2Chapter: Pages:

1-3 Scope, References, Definitions, ... 174 System Overview 45 Theory of Operation 316 Authentication Mechanisms 167 Secure Authenticated Channel 128 Content Key Calculations 49 Public Key Infrastr. & Certificate Details 910 Host Service Shunning 411 Command Interface 1312 CI Plus Application Level MMI 1013 CI Plus MMI Resource 214 Other CI Extensions 1415 PVR Resource 8

Annex A...N 99Total: 243

file: ci_plus_specification_v1.2.pdf date: 2009-04-25


12 / 24

CI Plus - Protocols1. Compare CI+ versions supported by IDTV and CAM.2. If both sides have the same auth key, they have

performed a successful authentication with each other.3. CI+ CAM and IDTV authenticate each other to make sure

the opposite device is a valid CI+ device.4. The Secure Authenticated Channel (SAC) is used

for transmission of security-related messages between CAM and IDTV.

5. Usage Rules Information (URI) version negotiation to find a URI version that is supported on both sides.

6. URI transmission and acknowledgement used by CAM to send a set of usage rules information to the IDTV.

7. Content Control (CC) key calculation used by both sides to calculate keys for scrambling /descrambling of transport stream (TS).

8. System Renewability Message (SRM) transmission and acknowledgement is used from CI+ CAM to transfer SRM for HDCP and DTCP-IP to the IDTV.

Host Capability Evaluation

Auth Key Verification

Authentication

SAC Key Calculation

URI Version Negotiation

URI Acknowledgement

CC Key Calculation

SRM Acknowledgement

1.

2.

3.

4.

5.

6.

7.

8.


13 / 24

CI Plus - Transport Stream Output ProtectionHost and CICAM Capabilities:

• DES-56-ECB Data Encryption Standard, 56-bit key, Electronic Code Book (USA 1999-10, Federal Information Processing Standards, FIPS 46-3)

• AES-128-CBC Advanced Encryption Standard, 128-bit key, Cipher Block Chaining (USA 2000-10, National Institute of Standards and Technology, NIST, FIPS 197)


14 / 24

CI Plus - AuthenticationSupported Authentication Phases per Service Mode:

• Basic Service Mode• Registered Service Mode

- Requires upstream communication to HE (Head End)

example:

DH = Diffie-Hellman key exchange


15 / 24

CI Plus - Devices & external Interfaces

Analogue PAL / NTSC / SECAMRGB / YUV / S-Video

DigitalHDMI / HDCP

DTCP-IP

IDTV Signals

/ Interfaces

Devices

time shifted recording(optional)

STB/PVR

CI Plus

Display

Encrypted Content, paired to receiver: the content cannot be copied without authorization..


16 / 24

URI initial default value for host, e.g. after channel change:• protocol version = 0x01• emi_copy_control_info = 0b11 (Encryption Mode Indicator)• aps_copy_control_info = 0b00 (Analog copy Protection System)• ict_copy_control_info = 0b0 (Image Constraint Trigger/Token)• rct_copy_control_info = 0b0 (Redistribution Control Trigger)• rl_copy_control_info = 0b000000 (Retention Limit, default 90 min)• reserved bits = 0b0

URI Mapping Table:• Analog Output (MV, APS, CGMS, ICT) • Digital Output (HDCP, DTCP, SPDIF)• Digital Storage (AACS, CPRM, VCPS)

see e.g. Digital Transmission Content Protection (DTCP), www.dtcp.com• Specification 2007-10, rev 1.51

CI Plus - Usage Rules Information (URI)

URIURI

Analog Digital Digital Storage


17 / 24

Host Service Shunning• Host shunning state determined from Service Descriptor Table (SDT)• Shunning active: Service can only be descrambled by CI+ Module• Shunning non active: Service can be descrambled by DVB-CI or CI+ Module

Host Revocation• Certificate Revocation List (CRL) transmitted to CICAM black-lists a host• Certificate White List (CWL) can revert a previous revocation of a host• Level of revocation granularity:

1. Unique host2. Range of hosts3. Certain model4. Certain brand

Revocation by CAS• Possible, but out of CI Plus specification scope

CI Plus - Mechanisms of Revocation


18 / 24

CI Plus - Additional Interactivity with ConsumerCI Plus Browser

• Enables to CI Plus modules to display graphics with menues, pictures, logos, ... in a common method on all CI Plus receivers/displays Allows easy interaction with default remote control

Support of MHP CA API• Enables to the broadcasted MHP applikation to communicate

with a CA Smartcard inside the CI Plus module

Country- and Language Support• Enables CI Plus modules to use the same language in menues,

which is already defined by user in the receiver setting.


19 / 24

CI Plus - LLP, Certificate Agent & Test CenterCI Plus LLP contact details:

• CI Plus LLP, www.ci-plus.com• The Billings, Guildford, Surrey GU1 4YD, UK• Tel/Fax: +44.1483. 302264/-302254

CI Plus LLP authorized Certificate Agent: • TC TrustCenter GmbH, www.trustcenter.de• Sonninstrasse 24-28, 20097 Hamburg, Germany• Tel/Fax: +49.40.808026-0/-126• Mail: [email protected]

CI Plus LLP approved Test Center:• Digital TV Labs Ltd., www.digitaltv-labs.com • Venturers House, King Street, Bristol, BS1 4PB, UK• Tel/Fax: +44.117.915-4018/-4088• Mail: [email protected]

http://www.stevens-bolton.co.uk/Default.aspx




20 / 24

CI Plus - DocumentationDocuments on www.ci-plus.com:

• CI Plus Device Interim License Agreement- Compliance and Robustness Rule...

• CI Plus Specification v1.2- Detailed Specification for Receiver and Module

with change notices 001 and 002• Supplementary Specification v1.2

- Requirements for host revocation/shunning• Test Specification v1.0

- Definition of test- and registration process• Registration Application

- Application for test and registration of a device

Documents on www.trustcenter.de:• On-Boarding Guideline, CI Plus Specification• Interim License Agreement (ILA)

Certificate Supply Agreement (CSA)• Forms: Identification, Administrator Authorization

Brand On-Boarding, Registration Application• Robustness Certification Checklist

last update: 2009-04-25

.../solutions/consumer_electronics.htm


http://images.google.de/imgres?imgurl=http://img.photobucket.com/albums/v78/jt_lynn/keys01.jpg&imgrefurl=http://www.jtl.us/mtblog/general/&usg=__tAcvnplNaZL0bGpnPm13YkdtALU=&h=300&w=300&sz=32&hl=de&start=178&um=1&tbnid=WmmUiNfNvOGkzM:&tbnh=116&tbnw=116&prev=/images%3Fq%3Dkeys%2Bsecurity%2Bclipart%26start%3D162%26ndsp%3D18%26um%3D1%26hl%3Dde%26sa%3DN


21 / 24

CI Plus - License Agreement with Exhibits A-L

A: Device Type

B: Robustness Rules

C: Compliance Rules for Host Device

D: Compliance Rules for CICAM Device

E: URI Mapping Table

G: Robustness Rules Checklist

H: Confidentiality Agreement

I: Fee schedule

J: Registration Procedure

K: Change Procedure

L: Revocation Procedure

CICAM Device

Host Device

Robustness Rules

ComplianceRules

Confidentiality Agreement


22 / 24

CI Plus - Implementation

CI Plus LLP (Limited Liability Partnership)

Trust Authority

(TA)

Certification Authority (CA)

Test of Device

Device Manufacturer

of CI Plus Module / Host

TC Trust Center

Sign License Agreement€15,000 registration/yearlyReceive License specs and Test technologyAt Website

Public Specification, License Agreement (incl. Compliance and Robustness)

Order Certificates (keys) € 500/10.000 devices

Device Testing Result Robustness Checklist € 5,000/device type

Device RegistrationProduction Credentials

Test Partner

New deviceRobustness Checklist Device Testing

Result

or Self-Test-Registration(after registration of 2 different device types)

Deliver Certificates (keys)

...

http://www.stevens-bolton.co.uk/Default.aspx






23 / 24

CI Plus - Summary• CI Plus is based on DVB-CI standard and is downward compatible• Encrypted communication over the CI/CI+ interface

- Secure & authenticated channel for critical system messages- Encrypted transmission of digital content from CI+ module towards the host device

• Implementation- Licensing & administration of Certificates managed by independant Trust-Center- Certification of end user devices & CI+ modules in a digital TV laboratory

• Future proof with URI (Usage Rules Information) for UPnP, CPCM, CSA3, DTCP, DLNA, ...

STBPVR

LAN Internet

CI Plus Limited Liability Partnership (LLP)www.ci-plus.com

Thank you for your interest

CI Plus LLP www.ci-plus.comwww.ci-plus.com/forum

TC TrustCenter GmbH www.trustcenter.deDigital TV Labs Ltd www.digitaltv-labs.com