ITU-T J 1002-2013 Pairing protocol specification for renewable conditional access system (Study Group 9).pdf

Uploaded by: 孙刚  Document ID: 798580  Upload date: 2019-02-02  Format: PDF  Pages: 26  Size: 138.56 KB

International Telecommunication Union

ITU-T J.1002
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(03/2013)

SERIES J: CABLE NETWORKS AND TRANSMISSION OF TELEVISION, SOUND PROGRAMME AND OTHER MULTIMEDIA SIGNALS
Conditional access and protection

Pairing protocol specification for renewable conditional access system

Recommendation ITU-T J.1002

Rec. ITU-T J.1002 (03/2013)

Recommendation ITU-T J.1002

Pairing protocol specification for renewable conditional access system

Summary

Recommendation ITU-T J.1002 specifies the pairing protocol that supports the conditional access module (CAM) and descrambler (DSC) pairing function, which is specified in Recommendation ITU-T J.1001.

History

Edition   Recommendation   Approval     Study Group
1.0       ITU-T J.1002     2013-03-01   9

FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.

The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE

In this Recommendation, the expression “Administration” is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall” or some other obligatory language such as “must” and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS

ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

ITU 2013

All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

Table of Contents

1 Scope
2 References
3 Definitions
    3.1 Terms defined elsewhere
    3.2 Terms defined in this Recommendation
    3.3 Security symbols
    3.4 Parameter definitions
    3.5 Security function definitions
4 Abbreviations and acronyms
5 Conventions
6 Overview of RCAS pairing protocol
7 Details of RCAS pairing protocol
    7.1 Initialization
    7.2 Pairing
    7.3 CWEK generation
8 CAM and DSC interface message format and encryption
    8.1 DscCertReq message
    8.2 DscCertRsp message
    8.3 CWEKGenInfo message
    8.4 CWEKGenInfoCnfm message
Appendix I The functional structures for the CAM and DSC
    I.1 Functional structure for CAM
    I.2 Functional structure for DSC
Bibliography

Introduction

Recommendation ITU-T J.1001 specifies the requirements for renewable conditional access system (RCAS), and it identifies the pairing protocol that is one of the functional requirements. The RCAS is a new paradigm technology for renewing conditional access (CA) client software by securely downloading the new version of software through the digital cable two-way environment. The benefit of RCAS is that no additional budget is required for issuing a new security hardware module when the multiple systems operator (MSO) wants to upgrade the old CA client software to a new one.

The pairing protocol is an authentication protocol between the conditional access module (CAM) and descrambler (DSC). The authentication process between the CAM and DSC is one of the most important security requirements for the RCAS. If the pairing is not performed properly, it may cause a control word (CW) disclosure problem. For example, a hacked DSC could intercept CWs transferred from the CAM through impersonation attack. As a result, a hacker could watch pay broadcasting programs without proper entitlement by taking advantage of the intercepted CW.

If the pairing is not performed properly, this may cause another problem of managing paid-viewers. For example, a malicious user could remove the physically-implemented CAM from one set-top box that stores entitlement information, and connect the removed CAM to another set-top box. Then a malicious user could watch pay broadcasting programs on multiple set-top boxes with one CAM. As a result, MSO cannot properly manage pay subscribers, and undergoes unwanted business losses.

To prevent the above drawbacks, a pairing protocol is specified in this Recommendation, which can provide a mutual authentication and security channel establishment between the CAM and the DSC. Using the pairing protocol can efficiently prevent a hacked DSC from eavesdropping CWs, which are transferred from the CAM to DSC, as well as unwanted usage of one CAM to multiple set-top boxes.

Recommendation ITU-T J.1002

Pairing protocol specification for renewable conditional access system

1 Scope

This Recommendation specifies the pairing protocol that provides the conditional access module (CAM) and descrambler (DSC) pairing function of renewable conditional access system (RCAS), which is specified in [ITU-T J.1001].

2 References

The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation.

[ITU-T J.1001] Recommendation ITU-T J.1001 (2012), Requirements for renewable conditional access system.

[ITU-T X.509] Recommendation ITU-T X.509 (2008) | ISO/IEC 9594-8:2008, Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks.

3 Definitions

3.1 Terms defined elsewhere

This Recommendation uses the following terms defined elsewhere:

3.1.1 conditional access (CA) [b-ITU-T J.193]: The conditional granting of access to cable services and content based upon what service suite has been purchased by the customer.

3.1.2 descrambling [b-ITU-T J.93]: The processes of reversing the scrambling function (see “scrambling”) to yield usable pictures, sound, and data services.

3.1.3 entitlement control messages (ECMs) [b-ITU-T J.290]: An ECM is an encrypted message that contains access criteria to various service tiers and a control word (CW).

3.1.4 entitlement management messages (EMMs) [b-ITU-T J.290]: The EMM contains the actual authorization data and shall be sent in a secure method to each CPE device.

3.1.5 scrambling [b-ITU-T J.93]: The process of using an encryption function to render television and data signals unusable to unauthorized parties.

3.2 Terms defined in this Recommendation

This Recommendation defines the following terms:

3.2.1 authorization centre (AC): An entity which issues identification information of CAM and performs authentication process when CAM requests renewing of CACS.

3.2.2 conditional access module (CAM): A cryptographic functional module which is located in set-top boxes, whose main function is entitlement validation, key management and authentication. Set-top boxes can have one chip of secure hardware that includes the functions of CAM and descrambler, or physically separated CAM in the form of a secure hardware IC or smart-card. The form of CAM can be determined by the policy of the MSO or CAS vendor.

3.2.3 conditional access client software (CACS): An image of conditional access client software code downloaded onto the CRS CAM.

3.2.4 control word (CW): The value which is used to scramble and descramble transport streams; it is refreshed frequently during the service operation to enhance security.

3.3 Security symbols

Security symbols: Descriptions
Pub(X): RSA public key of X
Prv(X): RSA private key of X
E(k,m): Encryption of a message m with key k. RSAES-OAEP is used to encrypt a message when the encryption key is a public key. AES-ECB is used to encrypt a message when the encryption key is a symmetric key
S(k,m): Digital signature for a message m with signing key k. RSASSA-PSS is used for message signing
H(m): SHA-256 hashing for a message m
HMAC(k,m): HMAC-SHA1 for a message m with key k
X|Y: Concatenation of X and Y
Cert(X): ITU-T X.509 certificate of X
PRF(X): Pseudo random function having a seed value of X
X_msb(Y): Y bits from MSB of X

3.4 Parameter definitions

Parameter names: Descriptions
DSC_ID: The value of identification of DSC having a size of 40 bytes
CAM_ID: The value of identification of CAM having a size of 8 bytes
KeyPairingID: The value of concatenation with CAM_ID and DSC_ID, i.e., CAM_ID|DSC_ID
CWEK: The abbreviation of control words encryption key, and used to encrypt control words. The CWEK generation method is CWEK = H(CWEK|CAM_ID|DSC_ID)_msb(128)
KPK: The abbreviation of key pairing key. The AC generates the KPK if KeyPairingID is valid
HMAC_KEY: An HMAC secret key. The CAM uses HMAC_KEY to generate an HMAC value for the message including control words. The HMAC_KEY generation method is HMAC_KEY = H(RAND_HMAC|CAM_ID|DSC_ID)_msb(160). Here RAND_HMAC is achieved by PRF(X)_msb(320)
RAND: A random number with 320 bits
K_i: The pre-shared key having the size of 128 bits. AC uniquely assigns three K_i to each CAM

3.5 Security function definitions

Security functions: Requirements
RSA digital signature (RSASSA-PSS):
    Modulus (n): 1024 bits
    Exponent: F4 (65537)
    Message Encoding: RSASSA-PSS
    Hash algorithm (default): SHA-1
    MGF (default): MGF1 with SHA-1
    Trailer field: 1 (corresponds to 0xbc)
    Salt length: 160/8 = 20 bytes
RSA encryption (RSAES-OAEP):
    Modulus (n): 1024 bits
    Exponent: F4 (65537)
    MGF1 with SHA-1 for the mask generation function
    The empty string for the encoding parameter string
AES encryption:
    Block cipher mode: AES 128 ECB

4 Abbreviations and acronyms

This Recommendation uses the following abbreviations and acronyms:

AC    Authorization Centre
AES   Advanced Encryption Standard
CACS  Conditional Access Client Software
CAM   Conditional Access Module
CASS  CAM Authentication Sub-System
CW    Control Word
CWEK  Control Words Encryption Key
DSC   Descrambler
ECB   Electric Code Block
HMAC  Hashed Message Authentication Code
KPK   Key Pairing Key
MSO   Multiple Systems Operator
PSI   Pairing Status Information
RCAS  Renewable Conditional Access System

5 Conventions

In this Recommendation:

The keywords “is required to” indicate a requirement which must be strictly followed and from which no deviation is permitted if conformance to this Recommendation is to be claimed.

The keywords “is recommended” indicate a requirement which is recommended but which is not absolutely required. Thus this requirement need not be present to claim conformance.

The keywords “is prohibited from” indicate a requirement which must be strictly followed and from which no deviation is permitted if conformance to this Recommendation is to be claimed.

The keywords “can optionally” indicate an optional requirement which is permissible, without implying any sense of being recommended. This term is not intended to imply that the vendor's implementation must provide the option and the feature can be optionally enabled by the network operator/service provider. Rather, it means the vendor may optionally provide the feature and still claim conformance with the specification.

In the body of this Recommendation and its annexes, the words shall, shall not, should, and may sometimes appear, in which case they are to be interpreted, respectively, as is required to, is prohibited from, is recommended, and can optionally. The appearance of such phrases or keywords in an appendix or in material explicitly marked as informative is to be interpreted as having no normative intent.

6 Overview of RCAS pairing protocol

The components of RCAS that participate in the pairing protocol are the CAM authentication sub-system, authorization centre, CAM and descrambler of RCAS, as shown in Figure 1.

[Figure 1: Reference architecture of the RCAS and RCAS pairing protocol components]

The specification of RCAS pairing function includes:

  • A pairing protocol that supports CAM and DSC pairing: The participants of the protocol should be authorization centre (AC), CAM authentication sub-system (CASS), CAM and DSC.
  • A control words encryption key (CWEK) establishment protocol: If the control words are delivered in plaintext from CAM to DSC, a malicious user could possibly watch pay programmes by using the disclosed control words for decrypting the scrambled video streams. Therefore, the CAM must provide confidentiality for the control words by encrypting them with the CWEK.
  • AC participation in CWEK establishment: Since a successful CWEK establishment between CAM and DSC means that the CAM believes the DSC as its correct p
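
The HMAC_KEY derivation from clause 3.4 and HMAC(k,m) from clause 3.3, as an added Python example that is not part of the Recommendation; it shows that a key derived with a different DSC_ID does not verify a tag made for the paired DSC. Function names, identifier values, the RAND_HMAC bytes and the message bytes are constructed for illustration, and the example assumes that both sides already hold the same RAND_HMAC and that the receiver checks the tag.

```python
import hashlib
import hmac

CAM_ID_LEN = 8       # bytes (clause 3.4)
DSC_ID_LEN = 40      # bytes (clause 3.4)
RAND_HMAC_LEN = 40   # 320 bits (clause 3.4)

def msb(value: bytes, bits: int) -> bytes:
    """X_msb(Y): the Y most significant bits of X (whole bytes only here)."""
    if bits % 8 != 0 or bits > 8 * len(value):
        raise ValueError("bit count must be a multiple of 8 and fit in the value")
    return value[: bits // 8]

def key_pairing_id(cam_id: bytes, dsc_id: bytes) -> bytes:
    """KeyPairingID = CAM_ID|DSC_ID, rejecting wrongly sized identifiers."""
    if len(cam_id) != CAM_ID_LEN or len(dsc_id) != DSC_ID_LEN:
        raise ValueError("CAM_ID must be 8 bytes and DSC_ID 40 bytes")
    return cam_id + dsc_id

def derive_hmac_key(rand_hmac: bytes, cam_id: bytes, dsc_id: bytes) -> bytes:
    """HMAC_KEY = H(RAND_HMAC|CAM_ID|DSC_ID)_msb(160), with H = SHA-256."""
    if len(rand_hmac) != RAND_HMAC_LEN:
        raise ValueError("RAND_HMAC must be 320 bits")
    digest = hashlib.sha256(rand_hmac + key_pairing_id(cam_id, dsc_id)).digest()
    return msb(digest, 160)

def tag(hmac_key: bytes, message: bytes) -> bytes:
    """HMAC(k,m): HMAC-SHA1 over the message."""
    return hmac.new(hmac_key, message, hashlib.sha1).digest()

def verify(hmac_key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag(hmac_key, message), received_tag)

# Constructed sample values, not taken from the Recommendation.
CAM_ID = bytes.fromhex("0102030405060708")
PAIRED_DSC_ID = bytes(range(40))
OTHER_DSC_ID = bytes(range(1, 41))
RAND_HMAC = hashlib.sha512(b"constructed stand-in for PRF(X)").digest()[:40]
MESSAGE = b"constructed message carrying an encrypted control word"

def demo() -> dict:
    """Tag a message on the CAM side, then verify it with three receivers."""
    cam_key = derive_hmac_key(RAND_HMAC, CAM_ID, PAIRED_DSC_ID)
    cam_tag = tag(cam_key, MESSAGE)
    paired_key = derive_hmac_key(RAND_HMAC, CAM_ID, PAIRED_DSC_ID)
    other_key = derive_hmac_key(RAND_HMAC, CAM_ID, OTHER_DSC_ID)
    return {
        "key_bits": len(cam_key) * 8,
        "paired_dsc_accepts": verify(paired_key, MESSAGE, cam_tag),
        "other_dsc_accepts": verify(other_key, MESSAGE, cam_tag),
        "tampered_accepts": verify(paired_key, MESSAGE + b"x", cam_tag),
    }

if __name__ == "__main__":
    print(demo())
```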
