The present application claims priority under 35 U.S.C. §119(a) to European Patent Application No. EP 08165670.4 dated Oct. 2, 2008, the contents of which are hereby incorporated by reference herein.
The present invention concerns the prepaid service distribution field, particularly toll or pay television services.
Audio-visual services are transmitted in the form of a data stream bound for receivers, either fixed receivers (set-top-box) or mobile. As an example of such a data stream, we include services for stock market information, weather, general television, a sporting event, and so on. This content may be broadcast to user units such as a pay-TV decoder, a computer, a portable telephone, a “palm-top”, a PDA, a radio, a television, a multimedia terminal.
The digital data stream is encrypted in order to manage the use and define the conditions for such use. This encryption is accomplished thanks to control words that are changed at regular intervals (between 5 and 30 seconds) in order to deter any attack aimed at discovering a control word.
In order for the user unit to be able to decrypt the data, stream encrypted by a control word, this control word is sent separate from the data stream in a control message (ECM) encrypted by a key unique to the transmission system between the administration center (CAS) and the security module for the user unit. Indeed, the security operations are done in a security module (SC) that is generally in the form of a smartcard, reputed to be tamper-proof. This module is removable from the user unit and treats the signals relating to the receiver rights.
Upon decryption of the control message (ECM), verification takes place in the security module (SC) as to the presence of a right to access a particular data stream. The control word is only returned in the decrypted form to the user unit if the comparison is positive.
This right may be managed by authorization messages (EMM) that load such a right into the unit (SC). Other possibilities are equally possible such as the sending of the decryption keys.
Nowadays, the accounting related to the use of such content is done on a subscription basis, a basis of purchase by event or a basis of payment per unit of time.
Subscription allows for the definition of a right associated with one or more broadcast channels and allows the user to receive these decrypted channels if the right is present in his security module.
Likewise, it is possible to define the particular rights for a content, such as a movie or a soccer game. The user can obtain this right (purchase, for example) and the content will be specifically managed by this right. This method is known under the name of “pay-per-view” (PPV).
Concerning payment per unit of time, the security module includes a credit which is debited according to the actual consumption by the user. Thus, for example, a unit will be debited each minute from this credit regardless of which channel is watched. It is possible, according to the technical implementations, to vary the counting unit, either in the length or in the value of the time allocated, or by combining these two parameters to adapt the billing to the type of product transmitted.
Concerning value cards, that is, those which include, in addition to the access control functions, a credit that may be freely attributed to a content selected by the user. For reasons of security and financial management, these value cards have an expiry date after which they no longer function.
Thus, after the expiry date, these cards may still have a non-negligible credit for which the user may claim a reimbursement, either in the form of cash or credit on a new card.
The fact that reimbursement is possible with these value cards makes them very attractive for malicious third parties looking to eliminate any debits from the card in order to obtain a reimbursement for all or part of the audio/video content already consumed.
The goal of the present invention is to secure a prepaid device for access to audio/video content having the possibility of reimbursement of the unused balance upon presentation of the aforementioned device to a control center.
This goal is achieved by a method for managing a debit value (V1) in a prepaid device and comprising an identifier (UA) specific to each device and a control value (CT), this method comprising the following steps:
Of course, this method is applied in addition to the verification of the current debit value to be sure that the amount of the purchase (M) is sufficient for the requested operation and in addition to the verification to check that the debit value has not been modified.
Regarding the verification for sufficient funds: the debit value (V1) represents the current debit of the device and before modifying the control value, the remaining credit (V0−V1+M) is verified to make sure it will cover the purchase (the current debit increasing with each purchase to arrive at the initial credit value). The right associated with the amount (M) is refused if the remaining credit is insufficient and the prepaid device will refuse to restore the keys necessary for access to the associated audio/video contents.
Thus, the present invention suggests using characteristics of a one-way function to change a control value in such a way as to make any return to a previous control value impossible. At each new calculation of this control value, the old value is replaced by the new one.
In the framework of the invention, this one-way function is a mathematical mapping H of a source subset towards an object subset in which each element x of the source subset is mapped to a target H(x). These functions are particularly useful when they are of type known as Hash functions, such as defined on page 27 of the work RSA Laboratories' Frequently Asked Questions About Today's Cryptography, v4.0. The element x can be any length but H(x) is always a fixed-length string. Such functions are difficult to reverse, that is to say that knowing H(x) does not in general allow for the deduction of x. Additionally, as a one-to-one function it is collision-free, that is if H(y)=H(x), then necessarily, y=x, and if H(y)≠H(x), then necessarily, y≠x.
By function expressing the modification of the new value relative to its previous state, we include a function that divides the entire initial credit value (V0) into a plurality of steps according to a linear or non-linear function, or even an arbitrary defined via a table, and thereby defining an interval. At each passing of an interval during the change of the debit value (V1), at least one one-way function is applied to the control value (CT).
We can arbitrarily decide to make more than one iteration on the control value (CT) at each loop. We can thus make two iterations for each loop passed.
An important point is the principle of verification a posteriori by an administration center. This center will read the unique number (UA) and, from this number, will be able to find in its database the initialization parameters for the prepaid device. These initialization parameters are at least the initial value (V0) of device and the initial control value (CT0). Other parameters such as the interval function can be determined in the case where the devices would have different functions. The other important parameter is the value (V1) which represents the current debit and which must be verified. The predefined function (F) allows the administration center to determine how many intervals have been crossed, or steps (N), to arrive at the value of the current debit (V1) and that corresponds to the total number of one-way functions applied to the control value (CT). Knowing the initial control value, the administration center can calculate the final control value which should be associated with this value (V1) and compare it with the control value that is stored in the prepaid device.
The term “debit value” or “credit value” can be interpreted as monetary values or can also encompass other forms of credit or debit units such as, by way of example, each unit representing an authorization to watch a broadcast event during a predefined time. A broadcast event can consume 10 units although another event needs 15 units. The viewing of broadcast event can be managed according to a payment per time unit, e.g. 1 unit for 10 minutes, each time the 10 minutes is over, another unit is decremented allowing a further 10 minutes of authorization.
The invention will be better understood thanks to the detailed description that follows and to which the annexed drawings refer, these being given as a non-limiting example, namely:
Each card or prepaid device can be supplied to the client in different forms. Although the most known form is the ISO 7816 smartcard, this device may take other forms such as PCMCIA card, RFID or USB dongle, the interface to which may be electrical or contactless.
At the time of initialization of such a device, different values are stored, namely an identification number (UA), a control value (CT) and an initial credit value (V0). The current debit value (V1) is initialized at zero. The device is now ready to use.
When it is inserted in a decoder, this device receives security messages coming from an administration center. These messages can come via a DVB-T, DVB-H data stream or via the mobile GSM network by SMS. The credit contained in the device can be used in different ways, either by consumption according to time or by purchase for one or several contents.
The audio/video data stream is accompanied by control messages (ECM) that describe the right or rights necessary for access to the mentioned data streams. In the case of a data stream accessed per unit of time, the prepaid device consumes a unit of time (which can vary from one content to another) thus opening an authorization period. We are now speaking about temporary right linked to a time unit. According to the implementation of the invention, this temporary right may be specific to a channel or to several channels. In the first case, a change of channel terminates the authorization to the content and a new temporary right, specific to the new channel must be acquired.
The user can also buy content suggested via the electronic program guide, this purchase, on one hand decreases the credit in the device and, on the other hand, creates a right stored in the mentioned device, a right relative to the mentioned content. This content may be an event (movie, game, etc.), a series of events (a soccer season, a television series) or one (or several) television channels for a given duration (“Discovery” channel for 2 months, a package of “Sports” channels).
The fact that the right is present in the device authorizes the latter to transmit the key or keys to the decoder to which it is connected.
Two methods are used for credit management in such a device, either by subtraction or by addition.
In the first case, a device containing a credit of 200 Euros will see this value decrease for each consumption. The initial credit is the debit value, the value that will be decreased at each purchase. Once the debit value is at zero, no right is created and the device ceases to transmit the keys to the decoder.
In the second case, an initial credit value of 200 Euros is stored as well as a debit value. This debit value is initially at zero and increases with each purchase. Once the debit value reaches the value of the initial credit, the device ceases to return the keys to the decoder.
The term “account value” will be used herein to refer to a value that is modified as a result of a purchase. Thus, “account value” encompasses both a credit that is decremented as purchases are made as well as a debit that is incremented as purchases are made regardless of whether the credit or debit represents a monetary value or some other unit such as time.
It is known that such a device is identified by a unique number (UA). An administration center stores the identification (UA) for each device with the initial credit value.
In addition to that, such a device will contain a control value (CT) that, preferably, is specific to each device. The administration center will also store this value with the device identification. Thanks to this control value (CT), the remaining credit value will be verifiable in a reliable manner.
The process is the following, taking the example of a fixed credit value (initial credit) and an increasing debit value (see example above).
According to our example, the initial credit value is 200 Euros and the debit value (V1) before the purchase is 10.5 Euros. The purchase initiated by the user is an amount M of 2.8 Euros for a televised event.
The function is, for example, a logarithmic function:
Y=10 log(x)+3
Absolute Difference in Values N: 1 i.e. └Y1′┘−└Y1┘
The absolute difference in values (N) is known as the number of steps.
Consequently, the control value will be subject to only one one-way function. In the case that the difference is zero, no modification is made to the control value (CT).
Other functions, such as division may be used. The flow chart from
In the example illustrated in the flowchart it was arranged for the interval causing a modification of the control value, or the granularity (G), to be 1 Euro.
We only keep the whole part of the result of the division (quotient) (i.e., each result is truncated) to calculate the difference between these two divisions.
Thus, the control value will be modified 3 times by a one-way function CT=Hash (Hash (Hash (CT))). Three iterations of this one-way function will be performed, the following one-way function being applied to the result of the preceding one-way function.
The final control value (CT) will be stored with the new debit value, which is 13.3.
According to an alternative execution mode, the quotient for the division └13.3/1┘ representing the total number of times that the one-way function has been applied is kept in memory with the control value in order to not redo this calculation at the time of the next debit.
We can thus consider that each value V=└V1/G┘ is associated with a control value (CT), which is specific by device, i.e. each device contains a different control value or a control value that is repeated only rarely in the population of prepaid devices.
The
During verification of the device by the administration center VC, for example, for a reimbursement request of the unused value of the credit, the device transmits at least its identification number (UA), the debit value (V1) and the control value (CT). Thanks to the device's identifier, (UA) the center will search for the initial control value (CT0) in its database DB. On the basis of the debit value, in this case 13.3 Euros, the administration center simply has to perform the one-way function 13 times on the initial control value (CT0). The comparison between the value thus calculated and the control value received from the device makes it possible to determine with certainty if the debit value indicated by the device is correct (for the absolute part which is 13 Euros). In the case that the calculated control value does not correspond to the value received by the device, this device is considered as corrupted and measures will be taken according to the operator's policy.
It should be noted that the change in the state of the debit value that triggers the modification of the control value (CT) may be different according to the implementation of the invention. It is possible to modify the control value with each change of 0.5 Euros with represents the granularity G, for example. In this case, at the time of verification, the debit value will be divided by the granularity (G) and the quotient will indicate the number of times that the one-way function has been applied to the control value (CT).
Another method of calculating the number of steps (N) to be performed is based on the purchase amount (M). A remainder (R) is initialized at zero at the time of initialization of the prepaid device.
The value of the number of steps (N) is equal to: N=└(M+R)/G┘G being the chosen granularity. The remainder resulting from the division is memorized in R.
The entire part of the division gives the number of steps (N), the remainder being used at the time of the next operation modifying the value of the prepaid device.
If a purchase is made for 2.30, the granularity being fixed at 0.5 and the remainder value being zero, the number of steps N=└(2.3+0)/0.5┘=4, the remainder being 0.3. A new purchase with a value of 2.3 gives us: N=└(2.3+0.3)/0.5┘=5, the remainder being 0.1.
In an alternative mode for the invention, a marker (MK) is initialized in the prepaid device with the other data mentioned above. The marker is initialized at the value of the granularity G. The value of this marker corresponds to the first modification threshold for the control value (CT).
In our example of a credit value of 200 and a debit value at zero, if the granularity is 1, the marker value will be 1. The marker (MK) will serve as a comparison value with the debit value and if this value is greater than or equal to the marker value, an iteration on the control value (CT) is performed (CT′=Hash (CT)). The new control value (CT′) replaces the old value (CT).
Once done, the marker is increased by the value of the granularity (G) and will be equal to 2.
The comparison step with the debit value is re-done and if the marker is less than the debit value, a new iteration on the control value (CT) is performed, followed by the increase of the marker value by the granularity.
This loop stops when the marker value is greater than the debit value. This has the effect that a number of iterations on the control value have been performed, that number corresponding to the number of times that the granularity (G) is contained in the difference between the marker value at the beginning of the processing and the final debit value.
In a particular mode specific of the invention, the marker value (MK) is not used for the comparison with the debit value, but rather a value extracted from a table (TB) by the marker (MK). This makes it possible to define any function in its progression. The values in the table can be anything, but preferably adhering to the definition of increasing monotonic.
The table positions are referenced P1 to P6. The marker (MK) makes it possible to point to the first position at the time of the initialization (MK=1) and for each time that an iteration on the control value is performed, the marker is updated to point to the next position (MK=MK+1).
The value indicated “1” for the first position is compared to the debit value. Once this value “1” is reached by the debit value, an iteration is performed on the control value and the marker is updated to point at position P2.
If the indicated value in the table is always less than the debit value, a new iteration is performed with the updating of the marker until this value contained in the table is greater than the debit value.
We see here that it is not forbidden to place a value in the table that will not be increasing. We use the example of the position P5 that would have a value of “3”. This has the effect that as soon as the debit value exceeds “7”, we will perform at least 2 iterations because the test on the following pointed value, will inevitably be less and will thus directly increase the marker to position P6. It suffices that the function for the table is known to the administration center for the verification to be achievable.
We can imagine that the table would be different according to the prepaid device. This would be one of the initialization variables for such a device. The result is that the number of iterations can be different between one device and another according to the table values even though the debit value would be the same for the two devices.
It is equally conceivable that the device initializes the table values itself. An average graduation of 2 is defined, for example, and the device will generate a random number between 0 and 4, the result being added to the previous table value. This operation is repeated until the table is filled. At the time of verification, the table is transmitted to the administration center that could reproduce the verification operation and establish the number of iterations that the control value has been performed upon.
The prepaid device can also contain some verification mechanisms to forbid the modification of the debit value by glitch attack or power supply variation for example. Regarding the verification of the authenticity of the debit value: the following description is given by way of example of how such a verification is commonly carried out in the state of the art. On one hand, the debit value encrypted under a first key is stored in the prepaid device. On the other hand a modified version of the debit value is encrypted under a second key and stored in the prepaid card. By modified version it is meant any of several operations performed on the debit value such as an EXOR of the debit value, resulting for example in an inversion or convenient complement of the credit value. The first and second keys are stored in the prepaid card and each time a debit is to be executed, the prepaid card decrypts both values, applies the inverse function on the decrypted value by the second key and compares the results. In case that the results are not equal, the debit value is considered compromised and the operation is stopped.
Instead of encrypting the debit value, a signature on this value can be calculated and stored in the prepaid device. The signature is verified each time an attempt to modify the debit value is received.
According to a simplified invention mode, and insomuch as the products to purchase by the credit contained in the device would be within a limited range, it is possible to perform a modification of the control value at the time of each purchase. Let us take the example of a product offer to purchase consisting of between 2.5 and 5 Euros. The administration center, at the time of verification, would be able to calculate the number of one-way functions between the initial value (CT0) and the value (CT) read from the device. For each one-way operation, the center compares the result with the control value (CT). When the two values are identical, the number X of performed functions is therefore equal to X purchases minimum and therefore we can determine the minimal value of the debit value by multiplying X by 2.5 (minimal price). If the debit value shown is less, the device is corrupted and the center would be able to take the necessary measures.
In this execution mode, the lower the price range for the offers, the more the verification is reliable.
The same verification principle can be applied to a date. The device receives information about the current date in the messages addressed to it. An authorization message, in addition to the right that it contains, or even a price, contains a field indicating the time, which can take one of numerous forms. For example, the most known is in the format of day/month/year, or simply, as a counter unique to the broadcast system and varying in a linear fashion. The device will contain, at the time of the initialization, an initial date and a second control value (CTD0). This second control value, like the first, is preferably unique to each device.
In the same way as for the debit value, we decide on a unit of change or a graduation (for instance, the time) which triggers the execution of the unique function. At the time the message is received, the device calculates a second whole number of steps (P) corresponding to the number of graduations crossed between the current date and the previously memorized date. At the same time as the storing of the new date, it performs a number of one-way functions on the second control value equal to the number of steps (P) previously determined. This second control value will be able to serve to authenticate transactions.
During a transaction, for instance, the purchase of a televised event, we save the date of the purchase in the value card, an identifier for the event and a verification value. This verification value is the result of a second one-way function from the second control value (CTD). It should be noted that this second one-way function is a different type (for example, initialized by a specific key) that the one-way function applied to the second control value (CTD) during the date change.
Thus, if an authentication must be made for the purchase of such an event a posteriori, the administration center will be able to read the date of purchase for the event and calculate the second control value (CTD′). This thanks to the identifier from the value card which allows it to find the second initial control value (CTD0) and the initial date in its database. Thanks to the event date, the number of one-way functions is calculated and applied to the second control value (CTD). Once this control value (CTD′) is calculated, it applies the second one-way function to obtain the reference value which will be compared with that CTD which is in the value card. If the comparison is positive, this means that the date is authentic.
Number | Date | Country | Kind |
---|---|---|---|
08165670.4 | Oct 2008 | EP | regional |