OCAS - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: OCAS


1
OCAS
Open Conditional Access System
By Menno de Jong
A DISSERTATION Submitted to The University of Liverpool in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE
6 March 2004
2
Sponsor
  • EchoStar Communication Corporation with DISH Networks (10 mil. customers).
  • Delivering Direct Broadcast Satellite.
  • The manager of the European Engineering team, Peter Hillen, sponsors the project with the request to define a design of the next generation conditional access system.

3
Requirements
  • Customer
      • Trustworthy
      • Low cost
      • No CI module or smart card
      • Easily exchangeable
  • Broadcaster
      • Secure
      • Low cost
      • Easy updates
      • Killer application
      • Fair competition

Goal: an Open Conditional Access System that is downloaded and activated like a plug-in, with no dedicated hardware needed.
4
Objectives
  • Analyze standards and existing CA and DRM systems to
    learn their advantages and weaknesses.
  • Identify and analyze existing encryption techniques
    and protocols to find the advantages that can be used
    for OCAS.
  • Design a secure environment based on the use of a VM
    and a back path to a server.
  • Find an Open Source implementation for the selected
    encryption technique and VM environment.
  • Implement a prototype running on a satellite
    receiver and PC.

5
Research Standards
  • DVB is the most used world wide standard.
  • The DVB-CI interface creates exchangeable CA
    systems using a module.
  • All cards can be hacked and become too expensive.
  • Return channel is integrated in security model.
  • Market is dominated by large actors.
  • Future CA systems can be downloaded like a plug-in.

6
Research Encryption
ECC: Elliptic Curve Cryptography
  • ECC gives the best ratio of key size to level of
    security.
  • ECC requires less computation (time) for the same
    security.
  • ECC supports public key encryption and signature
    checking.
  • Many different ECC security schemes are
    standardized.

7
Analysis
  • OpenSSL for EC and BN functionality, Apache-style
    license: http://www.openssl.org/
  • Christophe Devine's AES and SHA-1, GNU General
    Public License: http://www.cr0.net:8040/code/crypto/
  • There are no patents on use of elliptic curves,
    AES and SHA-1.
  • Open-source licensed code can be used for commercial
    purposes when this is explicitly mentioned.
  • Different patents exist for ECC schemes and
    standards.
  • Patents on software implementations work in
    reverse relative to the adoption of standards.

8
Key Challenges
  • DSDM, iterative and (prototype) incremental.
  • Design a DVB-compliant CA system that copes with all
    constraints.
  • Port OpenSSL on satellite receiver.
  • Replace BN assembler code.
  • Find fast AES and SHA-1 source code.
  • Select the best ECC algorithms.
  • Research on IP.
  • Create the final prototype supporting public key
    generation, encryption, decryption, and signature
    generation and verification.

9
Implementation OCAS
  • Elliptic Curve Encryption
      • Public Key generation (EC_CreatePubKey)
  • Elliptic Curve Authentication Encryption Scheme (ECAES)
      • Encrypt (EC_Encrypt_File)
      • Decrypt (EC_Decrypt_File)
  • Elliptic Curve Key Establishment Protocol (ECKEP)
      • Generation (EC_SignatureGeneration)
      • Validation (EC_SignatureVerify)
  • Windows prototype (ECC)
  • The total project (BN lib excluded) is analyzed
    using Understand for C. Project Metrics (Index).
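
The encrypt/decrypt pair listed on this slide follows the ECAES pattern: an ephemeral EC key agreement, key derivation, symmetric encryption and an authentication tag. The sketch below is an added example, not the OCAS source code. The curve (NIST P-256), the SHA-512 key derivation, the SHAKE-256 keystream standing in for AES, the HMAC tag and all function names are assumptions chosen so it runs with the Python standard library alone. It is teaching code and not constant-time.

```python
# Added example, stdlib only. Assumed: P-256, SHA-512 KDF, SHAKE-256 keystream (AES stand-in).
import hashlib, hmac, secrets

P, A = 2**256 - 2**224 + 2**192 + 2**96 - 1, -3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - A * x - B) % P == 0

def add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    m = num * pow(den % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add; not constant-time
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)

def _seal(shared, eph, data):  # derive keys, XOR data; returns (output, mac_key)
    okm = hashlib.sha512(b"".join(v.to_bytes(32, "big") for v in (shared[0], *eph))).digest()
    ks = hashlib.shake_256(okm[:32]).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks)), okm[32:]

def encrypt(pub, msg):
    k, eph = keygen()  # fresh ephemeral key pair per message
    ct, mac_key = _seal(mul(k, pub), eph, msg)
    return eph, ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def decrypt(priv, eph, ct, tag):
    if not on_curve(eph):  # reject invalid-curve points before using the private key
        raise ValueError("ephemeral point is not on the curve")
    pt, mac_key = _seal(mul(priv, eph), eph, ct)
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return pt
```

The receiver rejects an ephemeral point that is not on the curve and refuses to release plaintext when the tag does not verify, which are the two checks a receiver-side implementation must not skip.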

10
ECC Examples
  • The Windows prototype EXE (ecc.exe): download
    ecc.exe and open a command box to start ecc.
  • display usage
  • enter password 2X
  • enter password
  • enter password
  • Signature OK?
  • ECC<Enter>
  • ECC p 512 my512<Enter>
  • ECC g my512 file<Enter>
  • ECC e my512 file<Enter>
  • ECC d my512 file.ecc<Enter>
  • ECC v my512 file<Enter>
  • Test performance
  • Same commands but with -t
  • ECC p -t 512 my512<Enter>

11
Conclusions
  • ECC and AES encryption can support all CA
    functionalities and satisfy all constraints
    imposed by the use of a satellite receiver as
    operating system.
  • ECC algorithms provide a secure exchange of data
    and, together with the key management design,
    replace the need for extra hardware and/or a
    smart card.
  • High security (requirement): all of the security
    elements are exchangeable and exist only in RAM.
  • Low cost (requirement): a smart card and/or
    expensive CI connectors are not required.
  • Interchange (requirement): the entire CA/security
    system can be exchanged or added, so an alternate CA
    supplier can be introduced with only a new download
    of byte code.

12
Recommendations
  • ECC, although in development, can already support
    a high level of encryption security.
  • Care must be taken when adopting a standard because
    not all standards are royalty free.
  • When deciding about using public source, also
    evaluate the supporting documentation.
  • Improve the security of DVB CA systems for broadcast
    content by balancing timing, synchronizing, and creating
    a method to insert and skip fake Control Words.

13
Downloads (on-line)
  • OCAS DISSERTATION: OCAS_dissertation.pdf
  • OCAS Source code (ecc_103.zip), Windows based,
    LCC-win32
  • OCAS executable, Windows version 1.03: ecc.exe,
    ecc.exe.sig
  • This presentation: OCAS_presentation (.pdf / .sxi
    / .ppt)
  • My public key