Group Key Distribution Scheme in Digital Pay-TV Systems Adviser: Min-Shiang Hwang Reporter: Chun-Ta...

Group Key Distribution Scheme in Digital Pay-TV Systems

Adviser: Min-Shiang HwangReporter: Chun-Ta Li ( 李俊達 )Date: 2006/06/13

2

Outline Introduction Requirements Huang et al.’s scheme[1] Sun et al.’s scheme[2] Comparisons Comments References

3

Introduction

Pay-TV system Conditional Access System (CAS) Two classes of pay-TV system

The subscription (pay-per-channel, PPC) channels Pay for a period of time, e.g. weekly or monthly Disadvantage: not allowed to unsubscribe the channels

The pay-per-view (PPV) channels Pay for each single program Disadvantage: can only be applied on small scale

4

Introduction (cont.) Group key distribution

Four-level key hierarchy [3] Control Word: CW scrambling of video programs Authorization Key: AK encrypt the CW Distribution Key: DK consists of a Private Key

(PK) and a Group Key (GK)

Master Private Key: MPK encrypt the entitlement management message and DK and is stored in a smart card-based device

uniquely for each subscriberused as a group key for each group of channels

C1

C2

C3

C1

C2

C3

C1 C2

C1 C3

C2 C3

C1 C2 C3

m=3

# of groups = 2m-1

5

Requirements Functionality

Subscribers can freely choose the channels and Pay-TV modes

Suitable for large scale environment with lots of subscribers and channels (scalability)

Group key distribution: groups of subscribed channels and groups of subscribed channels of subscribers (subscriber leaves)

Computation load and transmission cost (efficiency) Storage requirement

6

Requirements (cont.) Security

Only the authorized subscribers can receive the program (unsubscribed users can’t watch the Pay-TV programs)

The conspiracy of subscribers should not compromise the system

7

Huang et al.’s scheme Notations in group-oriented scheme Four-level key hierarchy

CW : scramble/descramble programs on channels (updated frequently, e.g., 5-20 s)

AK : encrypt/decrypt CW (updated periodically, e.g., daily)

DK : used to derive AK (updated monthly)

SK : secret key held by the subscriber, is used to encrypt and decrypt the DK (stored in smart card)

8

Huang et al.’s scheme (cont.) Group-Oriented Key Distribution Scheme

[Initial Phase] For service provider (SP):1) SP randomly generate <DKSP>, where <DKSP> = [dk1,dk2,…,dkm]2) SP derive new <AKSP> by the following procedures:

ak1 = D ⊕ dk1, where D is a random number. (A.1) akj = akj-1 ⊕ dkj, 2 < j < m. (A.2)

[Initial Phase] For each subscriber (Si):1) SP generate the vector <DKi>, for each subscriber Si,

dkij is randomly generated, for Gj SGi.

dkij = (dk1 … ⊕ ⊕ dkj) (⊕ dki

j … ⊕ ⊕ dkij-1), for Gj SGi (A.3)

2) SP encrypts <DKi> using the secret key Ski of Si.3) SP transmits {<DKi>, D}ski

to Si

4) Si derives new <AKi> by following procedures: aki

j = D ⊕ dkij (A.4)

akij = aki

j-1 ⊕ dkij, 2 < j < m. (A.5)

9


Example of the initial phase of group-oriented key distribution scheme: Four groups: G1, G2, G3, and G4

Subscriber S1 subscribes subscription channel groups, G1, G3, and G4

//

10


[Update Phase] For service provider (SP):1) SP generates a random number R 2) SP derives new <AKSP> by the following procedures:

ak1 = R ⊕ dk1, where D is a random number. (A.6) akj = akj-1 ⊕ dkj, 2 < j < m. (A.7)

SP broadcasts (R, h(R)) to all subscribers. [Update Phase] For each subscriber (Si):

1) After receiving (R, h(R)), Si checks h(R)2) Si derives new <AKi> by following procedures:

aki1 = R ⊕ dki

1. (A.8) aki

j = akij-1 ⊕ dki

j, 2 < j < m. (A.9)

11

Huang et al.’s scheme (cont.) Rating-Oriented Key Distribution Scheme

interdiction

permission

12


[Initial Phase] For service provider (SP):1) SP generate <DKSP> = [dk1,dk2,…,dkm], where

dk1 is randomly generated. (B.1)dkj = f(dkj-1), where 2 < j < m and m is the lowest rating (B.2)

SP then derives the authorization keys by performing the formula (A.1) and (A.2)

[Initial Phase] For subscriber (Si):1) SP transmits {<DKi>}Ski

to subscriber Si, where<DKi> = [dkk], for SRi = RK (B.3)

2) Si derives [dkk+1,…,dkm], where dkj = f(dkj-1), k+1 < j < m (B.4)AK ?

13


[Update Phase] For service provider (SP):1) ak1 is randomly generated. (B.5)2) akj = {dkj-1}dkj-1

, 2 < j < m. (B.6)3) SP broadcasts the only one message which is the encrypted AK of the lo

wer rating channel, is broadcast to all subscriber Si

SP broadcasts (M, h(M)) to all subscribers [Update Phase] For subscriber (Si):

1) After receiving message, Si uses his vector <DKi> to derive the new vector <AKi>

2) Si derives new <AKi> = [akk,akk+1,…,akm], where akm = {M}-1

dkm. (B.7)

akj = {akj+1}-1dkj+1

, k < j < m. (B.8)

14

Huang et al.’s scheme (cont.) Example of rating-oriented key distribution scheme:

Four ratings: R1, R2, R3, and R4

Subscriber S1 subscribes channel rating, R2

[Initial Phase] [Update Phase]

15

Huang et al.’s scheme (cont.) Key distribution scheme for PPV channel protection

Three-level key hierarchy: CW, AK and SK

[Join] [Leave]

protect channel

16

Huang et al.’s scheme (cont.) Example of key distribution scheme for PPV channel protection

1. S1 join 2. S2,S3 join 3. S4 join

SP(GP1)

SP(GP1)

SP(GP1, GP2)

S1S1 S2 S3 S1 S2 S3 S4

UG1 UG1 UG1UG2

{akcurrent}sk1 {akcurrent}sk2 {akcurrent}sk3 {GP2}akcurrent{GP1,akcurrent}sk3

4. S5,S6,S7 join

SP(GP1, GP2,GP3)

S1 S2 S3 S4

UG1 UG2

{GP3}akcurrent {GP3,akcurrent}sk5

S5 S6

{GP3,akcurrent}sk6

UG3

S7

5. S4 leave

SP(GP1, GP2,GP3)

S1 S2 S3 S4

UG1 UG2

{Si in UG2 leaves} {aknew}sk5

S5 S6

{aknew}sk6

UG3

S7

{GP1,GP2,akcurrent}sk7 {Si in UG2 leaves}

GP2 GP2 GP2 GP1

GP2,GP3 GP2,GP3 GP2,GP3 GP1,GP3 GP1,GP3 GP1,GP3GP1,GP2 GP2,GP3 GP2,GP3 GP2,GP3

GP1,GP3 GP1,GP3 GP1,GP3GP1,GP2

//{aknew}=H(akcurrent,GP2)

1.Max # subscribers in a UG: 3

2.GPi: group secret of UGi

GP1

GP1

17

Sun et al.’s scheme Key management scheme for user revocation [3][4]

Notations

．Member m3 (Rmi is utilize to update the group key K)

．Member m3 leave the group: Server broadcasts a message {LEAVE, m3} then the server and all members but m3 calculate the new group key K’

Group key K

K

Im6({Rv1, Rv3, Rv4, Rv6, Rm1, Rm2, Rm3, Rm4, Rm5, Rm7, Rm8})

K’

18

Sun et al.’s scheme (cont.) Key management scheme for user revocation[3][4]

Storage problem The required storage for Imi is |Imi| = 2M – logM – 2, where M is members in t

he system

Solution: HL(Rvi) and HR(Rvi

)

m3:

Rv0

Rv4Rv5 Rv6

= HR(Rv2)

Rv1 = HL(Rv0

)m3:

19

Sun et al.’s scheme (cont.) Key management scheme for user revocation [3][4]

Extension process (n-level tree) If M is less than 2n assign the new member to a vacant leave directly

If M is equals to 2n the server should perform an extension process

n=2

20

Sun et al.’s scheme System overview (PPC)

Roles: One service provider and many subscribers Four-level hierarchy: CW, AK, RGK and MPK Notations every channel

every group

secret key of subscriber

21

Sun et al.’s scheme (cont.) Motivation To distribute AK securely and updated AK wh

en any subscriber leaves

Initial phase: Server AKi Tchi

(generate a tree Tchi)

Server RGKj Gj (generate a key tree TGj)

User registration phase: Service provider assign uk a unique MPKk (secure channel)

stored in uk’s register card

22

Sun et al.’s scheme (cont.) Subscribing phase: when uk subscribes some channels

Service provider transmits four secret information: RGKj All AKs of CHGj

All Ichi,Gj for each chi CHGj

IGj,uk to uk

RGK updating phase: when uk leave Gj

Service provider broadcasts the message {LEAVE, uk} All subscribers but uk in Gj can obtain the new receiving group key

RGKj’ = RGKj⊕RGj,uk

E(MPKk)

E(MPKk)

E(RGKj)

E(RGKj)

23

Sun et al.’s scheme (cont.) AK updating phase:

uk is suspended from the system (Step1) Service provider broadcasts the {LEAVE, Gj, uk} (Step2) Subscribers who subscribe chi and are not classified i

nto Gj calculate the new AKi’=AKi⊕Rchi,Gj

(Step3) Subscribers classified into Gj first perform RGK updating phase to obtain new RGKj’. Since they don’t know Rchi,Gj

,

the service provider broadcasts the AKi’ encrypted by RGKj’ to obtain new AKi’

24

Sun et al.’s scheme (cont.) AK updating phase:

uk changes subscribed channels and it must be re-classified into an appropriate Gl from original Gj The RGKj of Gj sould be updated through RGK updating phase All the channels in CHGj

∪CHGl can be categorized into followin

g cases: Case1: CHGj

– CHGl: The channels in this case are un-subscribed by uk.

The AKi of these channels must be updated through AK updating phase Case2: CHGl

– CHGj: The channels in this case are impending subscribe

d by uk. System will perform the subscribing phase to assign uk all the necessary information of each channel

Case3: CHGj∩CHGl

: The channels chi in this case are both belong to Gj and Gl, so Gj and Gl are two leaves in Tchi

25

Sun et al.’s scheme (cont.) The problem of the update of one single secre

t number causes the update of whole Tchi

For every node vn in Tchi public counter Cchi,n

v0

TchiRchi,v0

v1 v2

G5 G2 G6 G4

Rchi,v1 = HL(Rchi,vparent_n

,Cc

hi,n)

Rchi,v2 = HR(Rchi,vparent_n

,Cc

hi,n)

Rchi,G5 = HL(Rchi,v1

,Cchi,G5) Rchi,G4

= HR(Rchi,v2,Cchi,G4

)

// If a node vn is on the path from Gl to the root and already known by uk

Cchi,n becomes Cchi,n

+1 and Rchi,vn is re-calculated with the same method

Example of changing subscribed channels RGK2 update: all users in G2 but u3 know RG2,u3

ch3: SP transmits four kinds of messages to u3

ch2: AK2 must be updated through the AK updating phase

◙

◙

◙◙

◙◙

◙

Example of changing subscribed channels ch5:

◙

◙

◙

◙

◙

(counter +1)

28

Comparisons

The number of transmitted messages Extra storageSubscription Un-

subscription

Sun 2+log(sj)+log(ni) 2 log(ni)

Huang m (ni) k (sj) ni-1

S The number of subscribers

sj The number of subscribers in group j

ni The number of groups which contain chi

sni The number of subscribers subscribing chi

29

Comments Huang et al.’s scheme

collusion problem update phase in group-oriented key distribution scheme enc

rypted (R, h(R)) How to compute AK for subscriber in initial phase of rating-o

riented key distribution scheme leak of DK update phase in both two proposed schemes

Sun et al.’s scheme collusion problem barter time for space omit the two hashing functions in space requirement leak of reduction process in the tree

30

References [1] Yu-Lun Huang, Shiuhpying Shieh, Fu-Shen Ho, and Jian-Chyuan Wang,

“Efficient Key Distribution Schemes for Secure Media Delivery in Pay-TV Systems” IEEE Transactions on Multimedia, 6(5), pp. 760-769, 2004.

[2] Hung-Min Sun, Cheng-Zong Shieh, and Chien-Ming Chen, “An Efficient and Flexible Key Distribution Scheme for Conditional Access System in Pay-TV Systems” in 16th Information Security Conference, Taichung, Taiwan, June 2006.

[3] A. Fiat and M. Naor, “Broadcast Encryption,” Advances in Cryptology – CRYPTO ’93, Lecture Notes in Computer Science 733, Springer, pp. 480-491, 1994.

[4] D. Naor, M. Naor and J. Lotspiech, “Revocation and Tracing Schemes for Stateless Receivers,” In Proc. Crypto 2001, Lecture Notes in Computer Science, pp. 41-62, 2001.

31

References (cont.) Motion Picture Association of America (MPAA)

普遍級 (G ； GENERAL AUDIENCES) ：任何年齡階段的觀眾皆可觀賞。該電影片不含過份的色情、犯罪、殘暴、恐怖、血腥、暴力與打鬥等鏡頭，列為「普」級電影片。保護級 (PG ； PARENTAL GUIDANCE SUGGESTED) ：未滿六歲之兒童不得觀賞，六歲以上十二歲未滿之兒童須父母、師長或成年親友陪伴輔導觀賞。電影片涉及性問題、恐怖情節或混淆道德秩序觀，須父母、師長或成年親友陪同予以輔導，以免對兒童心理產生不良影響者，列為「護」級。輔導級 (PG-13 ； PARENTS STRONGLY CAUTONED) ：未滿十三歲之兒童不得觀賞，十三歲以上十八歲未滿之少年需父母或師長注意輔導觀賞。「輔」級電影片不含有性之問題，犯罪、暴力、打鬥事件，離奇怪異或反映社會。也不涉及畸型現象、不涉及褻瀆字眼或對白有不良引喻者對於兒童心理有不良影響之虞者。約束級 (R ； RESTRICTED) ：未滿十七歲之少年需父母或師長約束和陪伴輔導觀賞。該電影片含有不良成份的意識，如色情、犯罪、暴力、打鬥，涉及褻瀆字眼或對白有不良引喻者對於少年心理有不良影響，未滿十七歲之少年需要父母、師長或成年親友約束或陪伴輔導觀賞。限制級 (NC-17 ； NO ONE 17 AND UNDER ADMITTED) ：未滿十八歲之人不得觀賞。「限」級電影片描述賭技、吸毒、過份的色情、狎妓、搶劫、綁架、竊盜、走私、幫派或其他犯罪行為情節細密，有誘發擬作用者。「限」級電影片也包含了恐怖、血腥、殘暴、變態，淫穢等鏡頭。

參考資料http://www.chinesepyp.com/infohome/link/usafilm.htm

Group Key Distribution Scheme in Digital Pay-TV Systems Adviser: Min-Shiang Hwang Reporter: Chun-Ta...

Documents

Transcript of Group Key Distribution Scheme in Digital Pay-TV Systems Adviser: Min-Shiang Hwang Reporter: Chun-Ta...