This application is the National Stage of International Application No. PCT/EP2011/057066, filed on May 3, 2011, which claims the benefit of the priority date of French Application No. 1053467, filed on May 4, 2010. The content of these applications is hereby incorporated by reference in its entirety.
The invention pertains to a method for decrypting control words for terminals that are mechanically and electronically independent of one another. The invention also pertains to a method for transmitting and receiving control words to implement the method for decrypting. The invention also pertains to an information-recording medium and to a control word server to implement this method.
There are methods for enciphering control words in which:
The term “multimedia content” designates an audio and/or visual content to be rendered in a form directly perceptible and comprehensible to a human being. Typically, a multimedia content corresponds to a succession of images forming a film, a television show or advertising material. A multimedia content can also be an interactive content such as a game.
There are known ways of broadcasting several multimedia contents at the same time. To this end, each item of multimedia content is broadcast on its own channel. The channel used to transmit a multimedia content is also known as a “station”. A channel typically corresponds to a television station. This enables a user to choose simply the multimedia content that he wishes to view by changing channels.
To secure and subject the viewing of multimedia contents to certain conditions, such as the payment of a subscription for example, the multimedia contents are broadcast in scrambled form and not in plain or unencrypted form. More specifically, each multimedia content is divided into a sequence of cryptoperiods. Throughout the duration of a cryptoperiod, the conditions of access to the scrambled multimedia content remain unchanged. In particular, throughout the duration of a cryptoperiod, the multimedia content is scrambled with the same control word. Generally, the control word varies from one cryptoperiod to another. Furthermore, the control word is generally specific to a multimedia content. Thus if, at a given instant, N multimedia contents are broadcast simultaneously on N channels, then there are N different and independent control words each used to scramble one of these multimedia contents.
Here, the terms “scramble”/“descramble” and “encrypt”/“decrypt” are considered to be synonyms.
The plain or unencrypted multimedia content corresponds to the multimedia content before it is scrambled. This content can be made directly comprehensible to a human being without recourse to descrambling operations and without dictating certain conditions on the viewing of this content.
The control words needed to descramble the multimedia contents are transmitted in synchronization with the multimedia contents. For example, the control words needed to descramble the t-th cryptoperiod are received by each terminal during the (t−1)-th cryptoperiod. To this end, for example, the control words are multiplexed with the scrambled multimedia content.
To secure the transmission of the control words, these words are transmitted to the terminals in the form of cryptograms. The term “cryptogram” herein designates a piece of information that is not sufficient by itself to retrieve the control word in plain form. Thus, if the transmission of the control word is intercepted, knowledge of the control word cryptogram alone does not make it possible to retrieve the control word by which the multimedia content can be descrambled. To retrieve the plain control word, i.e. the control word used to directly descramble the multimedia content, it must be combined with a piece of secret information. For example, the cryptogram of the control word is obtained by encrypting the plain control word with a cryptographic key. In this case, the secret information and the cryptographic key are the ones used to decrypt this cryptogram. The cryptogram of the control word can also be a reference to a control word stored in a table containing a multitude of possible control words. In this case, the secret information is the table associating a plain control word with each reference.
The secret information should be kept in a secure place. To this end, it has already been proposed to store the secret information:
In the latter case, the terminals are devoid of chip cards. These terminals are then called cardless terminals.
The control-word server is connected to each of the terminals by a long-distance information-transmission network such as the Internet. When a control-word server is used, the cryptograms of the control words are first of all transmitted to the different terminals and then forwarded by these terminals to the control-word server. This procedure has several advantages. In particular, the information-transmission network used to broadcast the multimedia contents and the cryptograms of the control words can be different from the one used to connect the terminals to the control-word server. For example, the network for broadcasting multimedia content and cryptograms of the control words is a one-way network with a large bandwidth, for example a satellite network. Conversely, the network connecting the terminals to the control-word server is a two-way network with a bandwidth that may be smaller.
Then, this simplifies the time synchronization between the broadcasting of the multimedia contents and the broadcasting of the cryptograms of the corresponding control words.
The control-word server has the function of decrypting the cryptograms of the control words transmitted by the terminals and then sending the decrypted control word back to each of these terminals. Thus, in a way, the control-word server plays the role of a chip card common to several terminals that are mechanically and electrically independent of one another. Terminals that are electronically independent of one another are terminals that can work autonomously and have no shared electronic part or software.
When a terminal needs a control word to descramble a multimedia content, it sends the control-word server a request containing the cryptogram of the control word. In response, the control-word server decrypts this cryptogram and then sends the decrypted control word to the terminal which can then descramble the desired multimedia content.
The multimedia contents broadcast over the different channels are temporally coordinated with one another. For example, the multimedia content broadcasting times are set so as to comply with the broadcasting times indicated in a pre-established program schedule. Each terminal on a given channel therefore receives substantially the same multimedia content at the same time. These multimedia contents are then said to be “live” or “linearized” because the user does not control their instant of transmission.
Conversely, certain multimedia contents are transmitted on demand. This is for example the case with services such as video on demand services. This is also the case when the multimedia contents are recorded locally from the terminal or remotely from the network and when the activation and running of the display are controlled by the user. A service of this kind is known for example by the acronym NPVR (Network Private Video Recorder). It may also be a service by which it is possible to go back in time or postpone the display as in the service known as NTS (Network Time Shifting). In these latter cases, the multimedia content is called a “delinearized” content because it is the user who decides the moment at which the terminal will play this content.
In general, the number of encrypted control words contained in a request is limited to one or two to increase the security of the cryptographic system. Indeed, if the number of encrypted control words contained in a request increases, then the number of plain control words stored in each terminal to descramble a same multimedia content increases. Now, the greater the number of plain control words stored in the terminals, the greater the risk that the security of the system might be compromised. For example, a large number of control words stored in each terminal facilitates attacks such as those involving the sharing of control words. In this form of attack, the plain control words obtained by a terminal that has paid a subscription to decrypt these control words are sent illicitly to the other terminals that have not paid a corresponding subscription.
Each terminal thus sends the control word server a request at each cryptoperiod or at every two cryptoperiods.
The processing of a request by the control word server takes a certain amount of time and the greater the number of requests to be treated the greater the workload of this server. The greater the workload, the greater the computing power needed for the control word server.
It is therefore desirable to be able to reduce the workload of the control word server to use servers having a more restricted computation power.
The invention seeks to achieve this by proposing a decrypting method in which the control word server:
The fact of sending additional control words in addition to the absent control words increases the number of control words present in the terminal and therefore reduces the frequency of the requests transmitted by this terminal to the control word server. This reduction in frequency results in a reduction in the work load of the control word server.
Furthermore, this increase in the number of control words stored in the terminal is not done to the detriment of the security of the cryptographic system since this increase is implemented only for certain selectively chosen terminals where the risk of the stored control words being compromised is low.
An object of the invention is also a method for transmitting control words to terminals that are mechanically and electronically independent of one another to implement the above method, this method comprising:
The embodiments of this method of transmission of control words may comprise one or more of the following characteristics:
These embodiments of the method for transmitting control words furthermore have the following advantages:
An object of the invention is also a method for receiving control words by means of a terminal to implement the above method, wherein:
An object of the invention is also an information-recording medium comprising instructions to implement the above methods when these instructions are executed by an electronic computer.
Finally, an object of the invention is also a control word server for transmitting control words towards terminals that are mechanically and electronically independent of one another, to implement the above method, this server being capable of:
The invention will be understood more clearly from the following description, given purely by way of a non-restrictive example and made with reference to the appended drawings, of which:
In these figures, the same references are used to designate the same elements.
Here below in this description, the characteristics and functions well known to those skilled in the art shall not be described in detail. Furthermore, the terminology used is that of systems of conditional access to multimedia contents. For further information on this terminology, the reader may refer to the following document:
Here below in this description, the system 2 is described in the particular case in which the multimedia contents are linearized.
The plain multimedia contents are generated by one or more sources 4 and transmitted to a broadcasting device 6. The device 6 broadcasts the multimedia contents simultaneously to a multitude of reception terminals through an information-transmission network 8. The multimedia contents broadcast are time-synchronized with one another so as to comply for example with a pre-established program schedule.
The network 8 is typically a long-distance information-transmission network such as the Internet or a satellite network or any other broadcasting network such as the one used to transmit digital terrestrial television (DTTV).
To simplify
The device 6 includes an encoder 16 which compresses the multimedia contents that it receives. The encoder 16 processes digital multimedia contents. For example, this encoder works in compliance with the MPEG2 (Moving Picture Experts Group-2) standard or the ITU-T H.264 standard.
The compressed multimedia contents are directed towards an input 20 of a scrambler 22. The scrambler 22 scrambles each compressed multimedia content to make its viewing conditional on certain terms such as the purchase of a title of access by the users of the reception terminals. The scrambled multimedia contents are rendered at an output 24 connected to the input of a multiplexer 26.
The scrambler 22 scrambles each compressed multimedia content using a control word CWi,t given to it as well as to a conditional access system 28 by a key generator 32. The system 28 is better known by the acronym CAS (Conditional Access System). The index i is an identifier of the channel on which the scrambled multimedia content is broadcast and the index t is an identifier of the cryptoperiod scrambled with this control word. Here below in this description, the cryptoperiod currently descrambled by the terminals is the cryptoperiod t−1.
Typically, this scrambling is compliant with a standard such as the DVB-CSA (Digital Video Broadcasting-Common Scrambling Algorithm), ISMA Cryp (Internet Streaming Media Alliance Cryp), SRTP (Secure Real-time Transport Protocol), or other such standards.
The system 28 generates ECMs (Entitlement Control Messages) containing at least the cryptogram CW*i,t of the control word CWi,t generated by the generator 32 and used by the scrambler 22 to scramble the cryptoperiod t of channel i. These messages and the scrambled multimedia contents are multiplexed by the multiplexer 26, these messages and scrambled multimedia contents being respectively given by the conditional access system 28 and the scrambler 22 and then transmitted on the network 8.
The system 28 also inserts into each ECM:
The timestamps are defined in relation either to an absolute origin independent of the broadcast multimedia content or in relation to a relative origin pertaining to a broadcast multimedia content. For example, a relative origin may be the start of the film when the multimedia content is a film.
The same identifier i is inserted in all the ECMs containing a cryptogram CW*i,t to descramble the multimedia contents broadcast on a same channel.
By way of an illustration here, the scrambling and the multiplexing of the multimedia contents is compliant with the DVB-Simulcrypt (ETSI TS 103 197) protocol. In this case, the identifier i may correspond to a unique “channel ID/stream ID” pair on which all the requests for the generation of ECM messages for this channel are sent.
For example, the reception terminals 10 to 12 are identical and only the terminal 10 is described in greater detail.
The reception terminal 10 includes a receiver 70 of broadcast multimedia contents. This receiver 70 is connected to the input of a demultiplexer 72 which transmits on the one hand the multimedia content to a descrambler 74 and on the other hand the ECM and EMM (Entitlement Management Message) messages to a processor 76. The processor 76 processes confidential information such as cryptographic keys. In order that the confidentiality of this information may be preserved, it is designed to be as robust as possible against attempted attacks by computer hackers. It is therefore more robust against these attacks than the other components of the terminal 10. This robustness is obtained for example by implementing a software module dedicated to the protection of secret information.
The processor 76 is made for example by means of programmable electronic computers capable of executing instructions recorded on an information-recording medium. To this end, the processor 76 is connected to a memory 78 containing the instructions needed to execute the methods of
The memory 78 also contains:
The descrambler 74 descrambles the scrambled multimedia content using the control word transmitted by the processor 76. The descrambled multimedia content is transmitted to a decoder 80 which decodes it. The decompressed or decoded multimedia content is transmitted to a graphic card 82 which drives the display of this multimedia content on a display unit 84 equipped with a screen 86.
The display unit 84 provides a plain display of the multimedia content on the screen 86.
The terminal 10 also has a sending unit 88 used to set up a secured connection with a headend 90 by means of an information-transmission network 92. For example, the network 92 is a long-distance information-transmission network and more specifically a packet-switching network such as the Internet. The secured connection is for example a tunnel secured by means of a cryptographic certificate.
The headend 90 has a module 100 for managing the access entitlements of the different users of the system 2. This module 100 is better known as a “subscriber authorization system”. This module 100 generates a database 102 and keeps it up to date. With each user identifier, the database 102 associates the access entitlements acquired by this user. This database 102 is stored in a memory 104.
The headend 90 also has a control word server 106 connected to an access-right checking module 108 and a memory 110. The memory 110 contains:
The working of the error counters C1 to C4 is described in greater detail with reference to
Typically, the server 106 is made out of programmable electronic computers capable of executing instructions recorded in an information-recording medium. To this end, the memory 110 also has instructions to execute the methods of
An example of a structure of the table 112 is shown in greater detail in
The structure of the table 79 is identical for example to the structure of the table 112.
Here, the index ICT represents the probability that the hardware means implemented in this terminal will withstand a hacking attempt. It therefore represents the level of difficulty in illicitly obtaining and using the control words stored in this terminal.
For example, the table 114 is provided by the operator of the system 2.
By way of an illustration, the value of the index ICT for each terminal is the sum of the rating points obtained by this terminal for several different security criteria.
The following table gives an example of a rating scale:
The value of the index ICT for a given terminal is the sum of the rating points obtained for each of the security criteria indicated in the above table. For example, if a terminal uses a security processor and has an execution code for cryptographic processing encrypted in a non-volatile memory, then the index ICT of this terminal is equal to 65. The index ICT is associated with each identifier of the terminal stored in a database and accessible to the control word server.
Here, the table 116 has two columns. Each row of this table 116 has a field containing the identifier i and a field associating an index value ICc with this identifier i. The table 116 is provided for example by an operator of the system 2.
The working of the system 2 shall now be described in greater detail with reference to the method of
Initially, at a step 120, the device 6 broadcasts several different multimedia contents simultaneously on different channels. On each channel, the cryptoperiod t and the next cryptoperiod t+1 are scrambled with the control words, respectively CWi,t and CWi,t+1. The ECMs containing the cryptograms CW*i,t and CW*i,t+1 are multiplexed with the broadcast multimedia contents. This multiplexing enables the broadcasting of the control words to be synchronized with the broadcasting of the multimedia contents. Here, the cryptograms CW*i,t and CW*i,t+1 are transmitted to the terminals during the cryptoperiod t−1 preceding the cryptoperiod t.
Typically, the ECMs are repeated several times within a same cryptoperiod. For example, the ECMs are repeated every 0.1 second to 0.5 second. The duration of a cryptoperiod is greater than 5 seconds and preferably ranges from 5 seconds to 10 minutes.
The scrambled multimedia contents are received at substantially the same time by each of the terminals 10 to 12. The next steps are therefore executed substantially in parallel for each of these terminals. The next steps are described in the particular case of the terminal 10.
At a step 122, the scrambled multimedia contents with the ECM messages are received by the terminal 10.
Then, at a step 124, the demultiplexer 72 extracts the scrambled multimedia content corresponding to the channel i, the descrambling of which is currently being requested by the user. At the step 124, the demultiplexer 72 also extracts the ECM messages containing the cryptograms of the control words used to descramble this same channel. The demultiplexer 72 transmits the extracted multimedia content towards the descrambler 74. The extracted ECM messages, for their part, are sent to the processor 76.
At a step 126, the processor 76 makes a search in the table 79 to see if it already contains the control word CWi,t of the next cryptoperiod to be descrambled of the channel i.
If the search gives a positive result, then the processor 76 carries out a phase 127 for descrambling the cryptoperiod t broadcast on the channel i.
More specifically, at a step 128, the processor 76 sends the descrambler 74 the control words CWi,t found in the table 79. No request to decrypt the cryptograms CW*i,t and CW*i,t+1 is then transmitted to the server 106.
Then, at a step 130, the descrambler 74 descrambles the cryptoperiod t of the multimedia content received by means of this control word CWi,t.
Then, at a step 132, the descrambled multimedia content is decoded by the decoder 80 and then transmitted to the video card 82.
Finally, at a step 134, the video card 82 transmits the video signal to the display unit 84 so that the multimedia content is displayed on the screen 86 so as to be directly perceptible and comprehensible to a human being.
If the control word CWi,t is not contained in the table 79, then during a step 140 the terminal 10, during the cryptoperiod t−1, sends a request to the server 106 to decrypt the cryptograms CW*i,t and CW*i,t+1 contained in the received ECM. For example, this request contains:
This request is transmitted to the server 106 by means of the sender 88 and the network 92. All the information exchanges between the terminal 10 and the server 106 are done by means of a secured tunnel set up through the network 92. The setting up of the tunnel requires the authentication and identification of the terminal by the server 106, for example by means of the cryptographic certificate contained in the memory 78. Thus, the server 106 has, at its disposal, the identifier IdT of the terminal that has sent it a request.
At a step 142, in response to the reception of this request, the module 108 extracts the access entitlements associated with the identifier Idu and contained within this request from the base 102. Then, the module 108 compares the access entitlements extracted with the access conditions CA contained in the request.
If the user's access entitlements do not correspond to the conditions of access CA then the server 106 performs a step 144 for inhibiting the descrambling of the channel i by the terminal 10. For example, to this end, the server 106 transmits no control word to the terminal 10.
If not, the server 106 performs a step 146 for updating a profile of the user. The user's profile contains information to determine the probable duration for which the user of the terminal 10 will continue to descramble the same channel i. This user profile therefore makes it possible to determine the probable number of successive cryptoperiods of the channel i which will be descrambled.
This probability depends especially on the habits of the user of the terminal 10. To this end, at the step 146, the server 106 checks to see if the received request is asking for the descrambling of the control words for a new channel. If the answer is yes, it means that the user has changed channels. In this case, it records in a database the instant at which the user has left the old channel and the instant at which the user has switched to the new channel. The server 106 also records the identifier i of the new channel to which the user has switched. The information recorded in this database therefore enables an estimation of the number of successive cryptoperiods that the user of the terminal 10 will view.
Preferably, the data recorded in this database is preserved for a very long duration so as to refine the computed probability on the basis of the data recorded in this database.
Furthermore, at the step 146, the server 106 builds an index of reliability of this user profile. This index of reliability indicates the degree of trust that can be placed in the currently registered user profile. For example, to this end, the server 106 computes the differences between the same probabilities computed by means of the current user profile and by means of the information contained in this same database some time earlier. The greater this difference, the lower the trust index. Indeed, this means that the user profile is not stable and that it is therefore not possible to give a great degree of trust to this profile.
Then, at a step 148, the server 106 builds the index ICT of the terminal 10. To this end, it extracts the value of this index ICT from the table 114 on the basis of the identifier IdT of the terminal 10 received, for example at the authentication of the terminal during the phase for setting up the secured tunnel.
At a step 150, the server 106 builds a trust index ICu on the use of the terminal. This index ICu represents the probability that the terminal is presently undergoing a hacking attack designed to compromise the security of the control words stored in it. This index ICu therefore also represents the probability that the security of the control words stored in this terminal is compromised.
The value of this index ICu for a given terminal is built from the values of the error counters C1 to C4.
More specifically, during an operation 152, whenever a request is transmitted by the terminal 10, the error counters C1 to C4 are updated.
Here, the counter C1 represents the number of channel changes per hour.
The counter C2 represents the number of identical requests sent by the terminal 10 to the server 106 per minute. Indeed, during normal operation, each request transmitted by the terminal 10 to the server 106 must be different to the previous one. Thus, the reception of several identical requests raises suspicion of an abnormal use of the terminal 10 and therefore of a possible attempt to compromise the security of the control words stored in this terminal.
The counter C3 counts the number of times, over 24 hours, that the integrity of the ECM received in the request could not be verified. The integrity of the ECM of a request is verified when the signature applied to the different fields of the ECM makes it possible to retrieve the MAC signature contained in this message. If not, it means the ECM has been corrupted.
Finally, the counter C4 counts the number of ECMs having an incorrect syntax transmitted by the terminal 10 to the server 106 per 24 hours.
Then, at an operation 154, the value of each of these counters C1 to C4 is converted into a rating which is all the lower as the current working of the terminal is abnormal. For example, tables for converting the values of the counters into rating values are used. By way of an illustration, the following tables are used.
In an operation 156, the value of the index ICu is computed as a function of the counter C1 to C4 converted into a rating. For example, the value of the index ICu is determined by means of the following relationship:
ICu = min{NBZ_Rating, NBR_Rating, NBA_Rating, NBE_Rating}
where “min” is the function which returns the minimum of the different values contained between the brackets.
The value of the indicator ICu can also be computed by means of other relationships. For example, the following relationship can also be used:
ICu = (rating_NBZ + rating_NBR + rating_NBA + rating_NBE)/4
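The counter update and rating conversion of operations 152 to 156, as an added Python example that is not part of the original text. The ECM layout, the MAC key, the conversion tables and the mapping of NBZ, NBR, NBA and NBE onto the counters C1 to C4 are assumptions made for the illustration, and the request traces are constructed.

```python
import hashlib
import hmac
import struct
from collections import deque

MAC_KEY = b"constructed-demo-key"      # placeholder key, not from the text
ECM_BODY = struct.Struct(">BI16s")     # assumed layout: channel i, cryptoperiod t, CW* cryptogram
TAG_LEN = 32                           # HMAC-SHA256 stands in for the ECM's MAC signature
INF = float("inf")

# Sliding-window length in seconds for each counter (per hour, per minute, per 24 h).
WINDOWS = {"NBZ": 3600, "NBR": 60, "NBA": 86400, "NBE": 86400}
# Constructed conversion tables: (largest counter value, rating). Lower rating = more abnormal.
RATING_TABLES = {
    "NBZ": [(20, 100), (60, 50), (INF, 0)],  # C1: channel changes per hour
    "NBR": [(0, 100), (2, 50), (INF, 0)],    # C2: identical requests per minute
    "NBA": [(0, 100), (5, 50), (INF, 0)],    # C3: ECM integrity failures per 24 h
    "NBE": [(0, 100), (5, 50), (INF, 0)],    # C4: ECMs with incorrect syntax per 24 h
}


def make_ecm(channel, period, cryptogram=b"\x00" * 16):
    """Build a constructed ECM: packed body followed by its MAC."""
    body = ECM_BODY.pack(channel, period, cryptogram)
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()


class UsageMonitor:
    """Per-terminal error counters C1..C4 and the trust index ICu built from them."""

    def __init__(self):
        self.events = {name: deque() for name in WINDOWS}
        self.last_ecm = None
        self.last_channel = None

    def _count(self, name, now):
        q = self.events[name]
        while q and q[0] <= now - WINDOWS[name]:   # drop events outside the window
            q.popleft()
        return len(q)

    def observe(self, now, ecm):
        """Operation 152: update the counters for one request. True if the ECM is usable."""
        if ecm == self.last_ecm:                   # same request as the previous one
            self.events["NBR"].append(now)
        self.last_ecm = ecm
        if len(ecm) != ECM_BODY.size + TAG_LEN:    # incorrect syntax
            self.events["NBE"].append(now)
            return False
        body, tag = ecm[:ECM_BODY.size], ecm[ECM_BODY.size:]
        expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # integrity not verified
            self.events["NBA"].append(now)
            return False
        channel = ECM_BODY.unpack(body)[0]
        if self.last_channel is not None and channel != self.last_channel:
            self.events["NBZ"].append(now)          # channel change
        self.last_channel = channel
        return True

    def ratings(self, now):
        """Operation 154: convert each counter value into a rating."""
        return {name: next(r for bound, r in table if self._count(name, now) <= bound)
                for name, table in RATING_TABLES.items()}

    def icu(self, now, mode="min"):
        """Operation 156: ICu as the minimum rating, or as the mean of the four."""
        values = list(self.ratings(now).values())
        return min(values) if mode == "min" else sum(values) / 4


def replay(trace):
    """Feed a list of (timestamp, ecm) requests to a fresh monitor."""
    monitor = UsageMonitor()
    for now, ecm in trace:
        monitor.observe(now, ecm)
    return monitor


# Constructed traces: normal viewing, one ECM resubmitted five times, damaged ECMs.
NORMAL = [(10 * t, make_ecm(1, t)) for t in range(6)]
REPLAYED = [(t, make_ecm(1, 7)) for t in range(5)]
_bad = bytearray(make_ecm(1, 6))
_bad[-1] ^= 1                                       # flip one bit of the MAC
TAMPERED = NORMAL + [(60, bytes(_bad)), (61, b"\x01\x02")]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("replayed", REPLAYED), ("tampered", TAMPERED)):
        m, now = replay(trace), trace[-1][0]
        print(name, m.ratings(now), "min:", m.icu(now), "mean:", m.icu(now, "mean"))
```

With the resubmitted ECM the minimum drops ICu to 0 while the mean still reports 75, which is why the choice between the two relationships matters for a single badly behaving counter.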
At a step 160, the server 106 builds the index ICc associated with the channel i currently descrambled by the terminal 10. To this end, it extracts the index ICc associated with this identifier i in the table 116.
At the step 164, the server 106 determines a number NbCP of control words to be transmitted to the terminal 10 in response to its request. This number NbCP can be greater than two which means that, in addition to the absent control words CWi,t and CWi,t+1 required by the terminal 10, the server 106 itself can also transmit additional control words CWs used to descramble additional cryptoperiods of the channel i without the terminal 10 having even transmitted cryptograms to the server 106 that correspond to these additional control words CWs.
The number NbCP is chosen to be all the greater as the probability is low that the security of the additional control words transmitted to this terminal 10 is compromised. To this end, the number NbCP is determined as a function of the previously built trust indices ICT, ICu and ICc.
For example, at an operation 166, a maximum number NbMaxCP of control words to be transmitted to the terminal 10 is first of all computed as a function of the indices ICT, ICu and ICc. Here, the value of this maximum number NbMaxCP is computed by means of the following table:
The value of the number NbMaxCP chosen is the maximum value in the right-hand column of the above table for which the indices ICT, ICu and ICc each exceed the value of a respective threshold indicated on the same row. For example, if the built values of the indices ICT, ICu and ICc are respectively 70, 54 and 100, the value of the number NbMaxCP is equal to 10.
Then, during an operation 168, the number NbMaxCP is adjusted to the user's profile determined at the step 146. Typically, the value of the number NbMaxCP is diminished if the probability of the user remaining on the channel i during successive NbMaxCP cryptoperiods is below a predetermined threshold.
Then, in an operation 170, the value of the number NbMaxCP is compared with 0. If the value of this number is null, then the server 106 inhibits the descrambling of the following cryptoperiods of the channel i. To this end, it carries out the step 144.
If not, the number NbCP is temporarily taken to be equal to the number NbMaxCP.
Then, in an operation 172, the number NbCP is adjusted so as to distribute the workload of the server 106 as uniformly as possible over each of the following cryptoperiods. To this end, the server 106 adjusts the value of the number NbCP as a function of:
Here, the workload of the server 106 is measured by the probable number of requests to be processed by this server 106 during a same cryptoperiod.
As an illustration, the estimations of the workload for the ten next coming cryptoperiods are stored in a workload table. An example of such a table is given here below.
Here, the law that delivers the final value of the number NbCP is built to optimize the following two criteria:
1) NbCP should be equal to or as close as possible to its maximum value NbMaxCP, and
2) the value of the number NbCP should enable the distribution of the workload of the server 106 more uniformly over each of the next ten coming cryptoperiods.
For example, the law used is the following:
NbCP = Min{Load_i(j) * K^(NbMaxCP−j)}
where:
For example, using this law and using the values contained in the previous table, when the channel i is the second channel, the value NbCP is equal to 8 if the constant K is equal to 1.1 and NbMaxCP is equal to 10.
Finally, the closer the constant K is to 1, the greater the extent to which the adjusted number NbCP is allowed to be distant from the value of the number NbMaxCP.
Once the number NbCP has been determined, the estimation of the workload of the server 106 is updated in the step 174. To this end, the following two assumptions are made:
1) the user does not change channels, and
2) the next request is transmitted by the terminal during the cryptoperiod that precedes the cryptoperiod for which no control word has been transmitted to it.
Consequently, with these assumptions, the next request transmitted by the terminal 10 falls in the cryptoperiod t+NbCP−2. The value of the estimation of the workload of the server 106 for the channel i is therefore incremented for the cryptoperiod t+NbCP−2 by a determined step value. For example, the step value is typically equal to one. This value is stored in the workload table described here above.
At the step 174, at the end of the current cryptoperiod t−1, the column corresponding to the cryptoperiod t is erased from the workload table and the columns corresponding to the cryptoperiods t+1 to t+9 are shifted leftward by one column. This releases a blank column for the new cryptoperiod t+9.
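The adjustment law of operation 172 and the workload-table update of step 174 can be sketched as follows; this is an added example, not code from the patent. It assumes the law is read as an arg-min over j with K raised to the power NbMaxCP−j, that column j of the table estimates the load of the cryptoperiod in which the terminal's next request would fall if it received j control words, and that ties go to the larger j; the function names and the sample table are constructed for the illustration.

```python
from typing import List, Tuple


def adjust_nbcp(load: List[float], nb_max_cp: int, k: float) -> int:
    """Operation 172: pick j in 1..nb_max_cp minimising load[j-1] * k**(nb_max_cp - j).

    Assumptions (the definitions that follow "where:" are missing from the page):
    - the law is an arg-min over j, and K(NbMaxCP-j) is a power of K;
    - load[j-1] estimates the requests expected in the cryptoperiod where this
      terminal's next request would fall if it were sent j control words.
    """
    if not 1 <= nb_max_cp <= len(load):
        raise ValueError("nb_max_cp must lie within the workload table")
    # Descending scan: on equal cost the larger j wins (criterion 1).
    return min(range(nb_max_cp, 0, -1),
               key=lambda j: load[j - 1] * k ** (nb_max_cp - j))


def serve_request(load: List[float], nb_max_cp: int,
                  k: float = 1.1, step: int = 1) -> int:
    """Operations 170-172 plus the load increment of step 174 for one request."""
    if nb_max_cp == 0:
        return 0  # operation 170: no control word is sent, descrambling stops
    nbcp = adjust_nbcp(load, nb_max_cp, k)
    load[nbcp - 1] += step  # the terminal's next request is expected there
    return nbcp


def roll_table(load: List[float]) -> List[float]:
    """End of a cryptoperiod: drop the oldest column, append a blank one."""
    return load[1:] + [0]


# Constructed workload estimates for one channel (not the patent's table).
SAMPLE_LOAD = [5, 5, 5, 5, 5, 5, 5, 2, 5, 9]


def demo() -> Tuple[List[int], List[float]]:
    """Serve four successive requests, each entitled to NbMaxCP = 10."""
    load = list(SAMPLE_LOAD)
    return [serve_request(load, 10) for _ in range(4)], load


if __name__ == "__main__":
    grants, table = demo()
    print("NbCP granted to four successive requests:", grants)
    print("workload table after the requests:", table)
    print("after rolling one cryptoperiod:", roll_table(table))
```

The first three requests are steered to the lightly loaded column 8; once that column fills up, the fourth request is given 9 control words instead, which is the levelling effect the law is built for.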
Then, at a step 176, the control words needed to descramble the successive cryptoperiods t to t+NbCP−1 are extracted from the table 112.
At the step 178, the NbCP extracted control words are transmitted to the terminal 10 so that it can descramble the next NbCP cryptoperiods of the channel i without having to send a request to the server 106. This therefore diminishes the workload of the server 106 since the frequency of requests diminishes at least for certain terminals. However, the security of the system 2 is not compromised since only the terminals where the probability is low that the security of the control words transmitted is compromised will benefit from the reception of additional control words.
At the step 178, the server 106 may also transmit control words for channels other than the channel i. This makes it possible especially to accelerate the descrambling of the new channel after the switching from the previous channel to the new channel. This also diminishes the workload of the server 106 since, in response to a change in channel, the terminal does not necessarily send a new request to the control word server. The number of control words for the channels other than the channel i transmitted during the step 178 is determined for example in the same way as is described for the channel i or by another method.
Finally, at a step 180, the terminal 10 receives the new control words and records them in the table 79 to enable their use to descramble the following cryptoperiods of the channel i.
To implement the method of
At a step 192, these control words are transmitted to the server 106 which records them in the table 112 so that this table still contains the control words needed to descramble the cryptoperiods t, t+1, t+2, etc. For example, these control words are transmitted to the server 106 by means of a secured link directly connecting the device 6 to the headend 90.
At a step 194, the server 106 updates the table 112 by means of the additional control words received. So as to enable the display of delinearized multimedia contents, the server 106 also keeps the recordings corresponding to past cryptoperiods in the table 112.
Many other embodiments are possible. For example, trust indices other than those described here can be used to estimate the probability that the security of the control words stored in a given terminal is compromised. Similarly, other modes of computing trust indices ICT, ICu and ICc can be implemented. For example, the value of the index ICc may be computed as a function of the measurement of the current audience of the channel i descrambled by the terminal and not, as described previously, from predetermined values recorded in the table 116.
The number NbCP can be determined on the basis of one or only two of the indices ICT, ICu and ICc.
Similarly, other modes of computing the number NbCP are possible. For example, the number NbMaxCP can be obtained from another formula, for example by means of the following relationship:
NbMaxCP=E(10×(ICT+ICu+ICc)/300)
where E is the integer part function or floor function.
In another embodiment, the user profile is not used to determine the number NbCP.
There are also other methods for adjusting the number NbCP to distribute the workload of the server 106. For example, to distribute the workload over different cryptoperiods, it is not necessary to estimate the workload on each of these cryptoperiods. For example, adjusting the number NbCP consists in randomly or pseudo-randomly drawing a number ranging from 1 to NbMaxCP.
The estimation of the workload taken into account for the adjustment of the number NbCP can be the estimation of an overall workload for all the channels and not, as described here above, a channel-by-channel estimation. For example, the overall load during a cryptoperiod is obtained by summing up the workloads of the server 106 for each of the channels i during the same cryptoperiod.
The cryptogram of the control word or control words contained in the request transmitted to the server 106 by the terminal can be the identifier of the channel to be descrambled as well as the number or timestamp of the next cryptoperiod on this channel to be descrambled. In such an embodiment, it is then not necessary for the transmitted request to contain, in addition, a cryptogram of the control word CWi,t obtained by encrypting this control word by means of a secret key. Indeed, the identifier of the channel and the number of the next cryptoperiod are sufficient on their own for the server 106 to retrieve, in the table 112, the control word to be sent to the terminal in response to this request.
The updating of the profile of the user can be done differently. In particular, in another embodiment, it is the terminal that detects the changes in channels, and, at each channel change, sends a corresponding piece of information to the server 106 so that it can update the profile of the user of this terminal. In this case, it is possible to take account of the channel changes even if they are not associated with the immediate transmission of a new request to the server 106. Indeed, the control word used to descramble the new channel can already have been received in advance and can be stored in the table 79.
Here, the tables 112, 114 and 116 as well as the counters C1 to C4 have been represented as being contained in the memory 110. However, these tables can be contained elsewhere in the system 2 and for example in a memory that can be interrogated remotely by the server 106.
In another embodiment, the control words transmitted from the server to the terminal are transmitted in an encrypted form so that only the destination terminal of this control word can decipher these control words. In such a case, the implementation of a secured tunnel can be omitted.
In one variant of the system 2, the control word CWi,t is transmitted during the cryptoperiod t and not during the cryptoperiod t−1.
The above description can be applied as much to linearized multimedia contents as to delinearized multimedia contents.
Number | Date | Country | Kind |
---|---|---|---|
10 53467 | May 2010 | FR | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP2011/057066 | 5/3/2011 | WO | 00 | 11/2/2012 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2011/138333 | 11/10/2011 | WO | A |
Number | Date | Country | |
---|---|---|---|
20130046969 A1 | Feb 2013 | US |