1、 7 International Telecommunication Union ITU-T X.1194TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (04/2012) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Secure applications and services IPTV security Algorithm selection scheme for service and content protection descrambling Re
2、commendation ITU-T X.1194 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND S
3、YSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099
4、SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199CYBERSPACE SECURI
5、TY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/s
6、tate exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 For further details, please refer to the list of ITU-T Recommendations.
7、 Rec. ITU-T X.1194 (04/2012) i Recommendation ITU-T X.1194 Algorithm selection scheme for service and content protection descrambling Summary Recommendation ITU-T X.1194 develops an algorithm selection standard for descrambling in various terminal devices. This Recommendation provides the general se
8、rvice and contentprotection (SCP) architecture, security requirements and algorithm selection scheme (ASS). In particular, the algorithm selection scheme consists of the SCP control client function, ASS descrambler/demuxer control function and descrambler authentication function. History Edition Rec
9、ommendation Approval Study Group 1.0 ITU-T X.1194 2012-04-13 17 Keywords Conditional access, descrambling, multiple descrambling, SCP client, service protection, terminal device. ii Rec. ITU-T X.1194 (04/2012) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized
10、 agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a
11、view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommen
12、dations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conci
13、seness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommenda
14、tion is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.
15、INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Right
16、s, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers
17、 are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2012 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permi
18、ssion of ITU. Rec. ITU-T X.1194 (04/2012) iii Table of Contents Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 2 4 Abbreviations and acronyms 2 5 Conventions 3 6 Introduction 4 6.1 Internet Protocol television (IPTV) general ar
19、chitecture and content protection architecture 4 6.2 Service protection architecture . 5 6.3 General software architecture for terminal devices 6 6.4 Requirement for algorithm selection mechanism for service protection ITU-T X.1191 6 7 Algorithm selection scheme . 7 7.1 Overview 7 7.2 SCP control cl
20、ient function 10 8 Authentication functions for descrambling algorithm selection . 19 8.1 ASS descrambler authentication function 19 8.2 Generation and verification procedures for one-time ID . 23 9 Control functions for descrambling algorithm selection 24 9.1 ASS descrambler control functions 24 9.
21、2 ASS demuxer control functions 28 Annex A Descrambling algorithm and key delivery message 35 A.1 Contents key delivery messages . 35 A.2 ASS descrambling algorithm 37 Appendix I Descrambling-related standards . 39 I.1 ATIS IIF default scrambling algorithm (IDSA) . 39 I.2 ETSI TS 103 197 DVB SimulCr
22、ypt . 40 Appendix II Algorithm selection scheme-related use cases . 41 II.1 Definitions of the terms used in the diagram 41 II.2 Scenario 1: SCP update 41 II.3 Scenario 2: SCP downloads 42 II.4 Scenario 3: Multiple SCP . 43 Appendix III SCP messages in MPEG-2 TS 45 III.1 MPEG-2 TS PSI . 45 iv Rec. I
23、TU-T X.1194 (04/2012) Page Appendix IV Terminal device provisioning . 46 Appendix V Example of one-time ID generation . 48 Bibliography. 50 Rec. ITU-T X.1194 (04/2012) 1 Recommendation ITU-T X.1194 Algorithm selection scheme for service and content protection descrambling 1 Scope Recommendation ITU-
24、T X.1194 develops a set of algorithm selection functions from the existing descrambling algorithms to share terminal devices between service providers and security providers. The scope includes algorithm selection schemes (ASSs) and signalling for selection and interoperability issues and does not i
25、nclude any other schemes of Recommendation ITU-T X.1191. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Re
26、commendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regula
27、rly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T X.800 Recommendation ITU-T X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications. ITU-T X.1191 Recommendation
28、 ITU-T X.1191 (2009), Functional requirements and architecture for IPTV security aspects. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 access control ITU-T X.800: The prevention of unauthorized use of a resource, including the preven
29、tion of use of a resource in an unauthorized manner. 3.1.2 authentication ITU-T X.800: See data origin authentication, and peer-entity authentication. 3.1.3 authorization ITU-T X.800: The granting of rights, which includes the granting of access based on access rights. 3.1.4 conditional access ITU-T
30、 X.1191: The function served by a conditional access system; often used as an abbreviation for conditional access system. 3.1.5 conditional access system ITU-T X.1191: A component of a Service and Content Protection system the purpose of which is to prevent unauthorized (unentitled) access to a serv
31、ice or to content. 3.1.6 confidentiality ITU-T X.800: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes. 3.1.7 data origin authentication ITU-T X.800: The corroboration that the source of data received is as claimed. 2 Rec. ITU-T X.1
32、194 (04/2012) 3.1.8 digital signature ITU-T X.800: Data appended to, or a cryptographic transformation (see cryptography) of a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery e.g., by the recipient. 3.1.9 integrity ITU
33、-T X.800: The property that data has not been altered or destroyed in an unauthorized manner. 3.1.10 key ITU-T X.800: A sequence of symbols that controls the operations of encipherment and decipherment. 3.1.11 key management ITU-T X.800: The generation, storage, distribution, deletion, archiving and
34、 application of keys in accordance with a security policy. 3.1.12 peer-entity authentication ITU-T X.800: The corroboration that a peer entity in an association in the one claimed. 3.1.13 scrambling algorithm ITU-T X.1191: An algorithm used in a scrambling (encryption) or descrambling (decryption) p
35、rocess. 3.1.14 service and content protection ITU-T X.1191: A combination of service protection and content protection, or a system or implementation thereof. 3.1.15 service protection ITU-T X.1191: Ensuring that an end user can only acquire a service, and, by extension, the content contained therei
36、n, that they are entitled to receive. 3.2 Terms defined in this Recommendation This Recommendation defines the following terms: 3.2.1 demuxer: Device that takes an input signal and selects one of the output-channels; the selected output channel is connected to the input signal. 3.2.2 descrambler: De
37、vice that transposes or decrypts encoded messages or video streams for the terminal or subscribers with privilege. 3.2.3 process: Instance of a computer program that is being executed; contains the program code and its current status. 3.2.4 virtual machine: Software implementation of a machine that
38、can execute programs just like a physical machine; supports separated operating systems. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: A/V Audio/Video AAA Authentication, Authorization, and Accounting ASS Algorithm Selection Scheme CA Conditional Acc
39、ess CAS Conditional Access System CAT Conditional Access Table CBC Cipher Block Chaining CW Control Word DTCP Digital Transmission Content Protection ECM Entitlement Control Message EMM Entitlement Management Message Rec. ITU-T X.1194 (04/2012) 3 HMAC Hash-based Message Authentication Code IDSA IIF
40、Default Scrambling Algorithms IIF IPTV Interoperability Forum IPTV Internet Protocol Television MK Master Key MMS Multi-Mode Service MPEG Moving Picture Experts Group MPEG-2 TS MPEG-2 Transport Stream OTID One-Time Identifier PAT Program Association Table PES Packetized Elementary Stream PGP Pretty
41、Good Privacy PID Program Identifier PKI Public Key Infrastructure PMT Program Map Table RAL Resource Abstraction Layer SAC Secure Authenticated Channel SCP Service and Content Protection SIM Subscriber Identity Module SP Service Protection SSL Secure Socket Layer SVM Secure Virtual Machine TD Termin
42、al Device TK Terminals SAC Key TPS Triple Play Service TV Television USB Universal Serial Bus VM Virtual Machine VoD Video on Demand VPN Virtual Private Network 5 Conventions In this Recommendation: The keywords “is required to“ indicate a requirement which must be strictly followed and from which n
43、o deviation is permitted if conformance to this document is to be claimed. The keywords “is recommended“ indicate a requirement which is recommended but which is not absolutely required. Thus this requirement need not be present to claim conformance. 4 Rec. ITU-T X.1194 (04/2012) The keywords “is pr
44、ohibited from“ indicate a requirement which must be strictly followed and from which no deviation is permitted if conformance to this document is to be claimed. The keywords “can optionally“ indicate an optional requirement which is permissible, without implying any sense of being recommended. This
45、term is not intended to imply that the vendors implementation must provide the option and the feature can be optionally enabled by the network operator/service provider. Rather, it means the vendor may optionally provide the feature and still claim conformance with the specification. In the body of
46、this Recommendation and its annexes, the words shall, shall not, should, and may sometimes appear, in which case they are to be interpreted, respectively, as is required to, is prohibited from, is recommended, and can optionally. The appearance of such phrases or keywords in an appendix or in materi
47、al explicitly marked as informative are to be interpreted as having no normative intent. 6 Introduction In general, two or more SCPs are deployed on a single terminal device. The content acquired via one SCP system (e.g., from a network) can be accessed via another SCP residing on the same device ac
48、cording to the granted rights. There is a need to support SCP interoperability among multiple security systems that use different security mechanisms to support service and content protection interoperability, thereby maintaining transparency for users. The object of this Recommendation is to develo
49、p a set of functions of algorithm selection schemes from the existing algorithms for content descrambling. This includes the algorithm selection scheme, SCP function, RAL function, interoperability support function and message format. 6.1 Internet Protocol television (IPTV) general architecture and content protection architecture The general security architecture for IPTV is depicted in Figure 1 below. This general architecture is divided into two primary areas: one considered in-scop