ITU-T J 1004-2015 Specifications of authorization centre interfaces for renewable conditional access system (Study Group 9)《为再生条件访问系统的授权中心接口规范(研究组9)》.pdf

1、 I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n i o n ITU-T J.1004 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (08/2015) SERIES J: CABLE NETWORKS AND TRANSMISSION OF TELEVISION, SOUND PROGRAMME AND OTHER MULTIMEDIA SIGNALS Conditional access and protection Renewable conditional

2、access system Specifications of authorization centre interfaces for renewable conditional access system Recommendation ITU-T J.1004 Rec. ITU-T J.1004 (08/2015) i Recommendation ITU-T J.1004 Specifications of authorization centre interfaces for renewable conditional access system Summary Recommendati

3、on ITU-T J.1004 specifies the authorization centre (AC) interfaces for a renewable conditional access system (RCAS) within the scope of ITU-T J.1001 that specifies the requirements of an RCAS. AC interfaces are the interfaces between a central authorization centre (CAC) and a conditional access modu

4、le authentication subsystem (CASS) and between a distributed authorization centre (DAC) and a CASS. History Edition Recommendation Approval Study Group Unique ID* 1.0 ITU-T J.1004 2015-08-13 9 11.1002/1000/12569 _ * To access the Recommendation, type the URL http:/handle.itu.int/ in the address fiel

5、d of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/11830-en. ii Rec. ITU-T J.1004 (08/2015) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information

6、and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide

7、basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Re

8、solution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administrati

9、on and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions

10、are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTSITU draws attention to the p

11、ossibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of t

12、he Recommendation development process. As of the date of approval of this Recommendation, ITU had received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest informa

13、tion and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2015 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T J.1004 (08/2015) iii Table of Conten

14、ts Page 1 Scope . 1 2 References . 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 2 4 Abbreviations and acronyms 2 5 Conventions 2 6 Overview of RCAS authorization centre interfaces . 3 7 Specifications DAC-CASS interface 4 7.1 AMFB_TRANS_INFO 4 7.2 AMFB_A

15、UTH_INFO_RECV 5 8 Specifications for a CAC-DAC interface . 6 8.1 JOIN_INFO_REPORT . 6 8.2 ACK_JOIN_INFO_REPORT 7 8.3 LEAVE_INFO_REPORT 7 8.4 ACK_LEAVE_INFO_REPORT 8 8.5 CERTIFICATE_STATE_UPDATE 8 8.6 ACK_CERTIFICATE_STATE_UPDATE 9 8.7 CERTIFICATE_ISSUE_TRANSFER . 9 8.8 ACK_CERTIFICATE_ISSUE_TRANSFER

16、 . 10 Bibliography. 11 Rec. ITU-T J.1004 (08/2015) 1 Recommendation ITU-T J.1004 Specifications of authorization centre interfaces for renewable conditional access system 1 Scope This Recommendation specifies authorization centre (AC) interfaces for a renewable conditional access system (RCAS). AC i

17、nterfaces are the interfaces between a central authorization centre (CAC) and a conditional access module authentication subsystem (CASS) and between a distributed authorization centre (DAC) and a CASS. 2 References The following ITU-T Recommendations and other references contain provisions which, t

18、hrough reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applyi

19、ng the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T J

20、.1001 Recommendation ITU-T J.1001 (2012), Requirements for renewable conditional access system. ITU-T J.1002 Recommendation ITU-T J.1002 (2013), Pairing protocol specification for renewable conditional access system. ITU-T J.1003 Recommendation ITU-T J.1003 (2014), Specification of network protocol

21、for renewable conditional access system. ITU-T X.509 Recommendation ITU-T X.509 (2008) | ISO/IEC 9594-8:2008, Information technology Open Systems Interconnection The Directory: Public-key and attribute certificate frameworks. ITU-T X.690 Recommendation ITU-T X.690 (2008) | ISO/IEC 8825-1:2008, Infor

22、mation technology ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER). 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 conditional access (CA) b-ITU-T

23、J.193: The conditional granting of access to cable services and content based upon what service suite has been purchased by the customer. 3.1.2 descrambling b-ITU-T J.93: The process of reversing the scrambling function (see “scrambling“) to yield usable pictures, sound, and data services. 3.1.3 ent

24、itlement control messages (ECMs) b-ITU-T J.290: An ECM is an encrypted message that contains access criteria to various service tiers and a control word (CW). 3.1.4 entitlement management messages (EMMs) b-ITU-T J.290: The EMM contains the actual authorization data and shall be sent in a secure meth

25、od to each CPE device. 2 Rec. ITU-T J.1004 (08/2015) 3.1.5 scrambling b-ITU-T J.93: The process of using an encryption function to render television and data signals unusable to unauthorized parties. 3.2 Terms defined in this Recommendation This Recommendation defines the following terms: 3.2.1 DSC_

26、ID: The identification value of the descrambler (DSC) having a size of 40 bytes. 3.2.2 CAM_ID: The identification value of the conditional access module (CAM) having a size of 8 bytes. 3.2.3 KeyPairingID: The value of the concatenation of CAM_ID and DSC_ID, i.e., CAM_ID|DSC_ID. 3.2.4 KPK: Key pairin

27、g key (KPK). The authorization centre (AC) generates the KPK if the KeyPairingID is valid. 3.2.5 RAND: A random number with 320 bits. 3.2.6 Ki: The pre-shared key having a size of 128 bits. The AC uniquely assigns three Ki to each CAM. Ki should be a generated random generation function. 4 Abbreviat

28、ions and acronyms This Recommendation uses the following abbreviations and acronyms: AC Authorization Centre ASN Abstract Syntax Notation BER Basic Encoding Rules CACS Conditional Access Client Software CAM Conditional Access Module CASS CAM Authentication Subsystem CPE Customer Premise Equipment DA

29、C Distributed Authorization Centre DOCSIS Data Over Cable Service Interface Specification DSC Descrambler HMAC Hash-based Message Authentication Code KPK Key Pairing Key MSB Most Significant Bit PRF Pseudo Random number generation Function PRNG Pseudo Random Number Generator RCAS Renewable Condition

30、al Access System STB Set Top Box 5 Conventions In this Recommendation: The keywords “is required to“ indicate a requirement which must be strictly followed and from which no deviation is permitted if conformance to this document is to be claimed. Rec. ITU-T J.1004 (08/2015) 3 The keywords “is recomm

31、ended“ indicate a requirement which is recommended but which is not absolutely required. Thus this requirement need not be present to claim conformance. The keywords “is prohibited from“ indicate a requirement which must be strictly followed and from which no deviation is permitted if conformance to

32、 this document is to be claimed. The keywords “can optionally“ indicate an optional requirement which is permissible, without implying any sense of being recommended. This term is not intended to imply that the vendors implementation must provide the option and the feature can be optionally enabled

33、by the network operator/service provider. Rather, it means the vendor may optionally provide the feature and still claim conformance with the specification. In the body of this Recommendation and its annexes, the words shall, shall not, should, and may sometimes appear, in which case they are to be

34、interpreted, respectively, as is required to, is prohibited from, is recommended, and can optionally. The appearance of such phrases or keywords in an appendix or in material explicitly marked as informative are to be interpreted as having no normative intent. 6 Overview of RCAS authorization centre

35、 interfaces Figure 1 CAC-DAC and DAC-CASS interfaces in RCAS Renewable conditional access system (RCAS) is a new paradigm technology for renewing conditional access client software (CACS) by securely downloading a new CACS through the digital cable two-way environment. There are three relevant Recom

36、mendations for RCAS: ITU-T J.1001, ITU-T J.1002 and ITU-T J.1003. ITU-T J.1001 contains architectural, functional and security requirements of RCAS. ITU-T J.1002 and ITU-T J.1003 are Recommendations for the RCAS pairing specification and the RCAS network specification, respectively. One of the impor

37、tant architectural subsystems in RCAS is the authorization centre (AC) as described in ITU-T J.1001. The AC plays a very important role for mutual authentication between the RCAS head end and the conditional access module (CAM) in the RCAS set-top box (STB). Typically a multiple service operator (MS

38、O) has multiple RCAS head ends since one RCAS head end cannot cover all service areas which are distant from each other. Therefore the RCAS AC should be separated with a centralized authorization centre (CAC) and a distributed authorization centre 4 Rec. ITU-T J.1004 (08/2015) (DAC) as shown in Figu

39、re 1 to efficiently manage the authentication process of the RCAS STBs including the CAM. As shown in Figure 1, an MSO has only one CAC and locates one DAC in each of the RCAS head end. Therefore the interface architecture of a CAC and a DAC is 1:N, and that of a DAC and a CASS is 1:1. 7 Specificati

40、ons DAC-CASS interface The basic role of the DAC is issuing ITU-T X.509 certificates of RCAS headend servers but it also includes more specific functions as follows: Generating a unique identification number for each RCAS headend server Validating pairing between the CAM and the descrambler ITU-T J.

41、1002 Managing parameters needed for authentication of RCAS STBs Join/leave processing for retail and leased RCAS STBs. There are two types of messages for the interface between the DAC and the CASS, these are the AMFB_TRANS_INFO and AMFB_AUTH_INFO_RECV messages. The sequence diagram for these two me

42、ssage types is shown in Figure 2. Figure 2 Sequence diagram for DAC-CASS interface messages The message format for the DAC-CASS interface is shown in Figure 3. The messages are encoded as ASN.1 data and the most significant bit (MSB) is transmitted first. Figure 3 AC interface message format 7.1 AMF

43、B_TRANS_INFO The function of AMFB_TRANS_INFO is used for delivering a JOIN request from a CASS to a DAC after the JOIN request is received from the RCAS STB to the CASS as shown in Figure 2. The message type value for AMFB_TRANS_INFO is 0x0401. The ASN.1 syntax notation for AMFB_TRANS_INFO is shown

44、below: Rec. ITU-T J.1004 (08/2015) 5 cASSID : The value of ID for the CASS keyPairingID: This is the key pairing ID which is sent from the CAM and generated by concatenating Descrambler ID and CAM ID. 7.2 AMFB_AUTH_INFO_RECV The function of AMFB_TRANS_INFO_RECV is used for delivering security parame

45、ters from the DAC to the CASS as shown in Figure 2. These security parameters are generated by utilizing Ki and the operator variant algorithm configuration field (OP) values of the RCAS STB, see ITU-T J.1003. The message type value for AMFB_AUTH_INFO_RECV is 0x0400. The ASN.1 syntax notation for AM

46、FB_AUTH_INFO_RECV is shown below: Auth-Rst: The authentication result for RCAS STB. If the authentication process is successful, the value is TRUE. Otherwise the value should be FALSE. 6 Rec. ITU-T J.1004 (08/2015) rAND-DAC: This is the RAND-DAC which is used for one of the input parameters of the s

47、ession key generation function. The DAC randomly generates a RAND-DAC per RCAS STB and the RCAS STB manufacturer inserts the value of the RAND-DAC into the CAM of the RCAS STB. kC: This is the Kc which is used for one of the input parameters of the session key generation function. The Kc is generate

48、d with the random number generation function using the Ki and RAND-DAC as input parameters. The CAC randomly generates a Ki per RCAS STB and the RCAS STB manufacturer inserts a Ki into the CAM of the RCAS STB, see ITU-T J.1003. kPK: This is the key pairing key (KPK). For a definition of the KPK, see

49、 ITU-T J.1003. sign-KPK: This is the value of the digital signature of the KPK ITU-T J.1003. 8 Specifications for a CAC-DAC interface The message types for a CAC-DAC interface are defined as shown the below: Direction Message name Message type DAC CAC JOIN_ INFO_REPORT 0X0501 CAC DAC ACK_JOIN_ INFO_REPORT 0X0502 DAC CAC LEAVE_ INFO_REPORT 0X0504 CAC DAC ACK_LEAVE_ INFO_REPORT 0X0505 DAC CAC CERTIFICATE_STATE_UPDATE 0X0521 CAC DAC ACK_CERTIFICATE_STATE_UPDATE