verimatrix_verimatrix 30/09/2013 07:12 Page 1
s the volume of set-top
boxes (STBs)
shipped increases, hacking STBs
remains a primary
activity for pirates.
While the last 25
years have shown
advances in content
protection technology, many consider the
necessary next step in
STB-based pay TV to be
hardware security cores,
which serve as vaults inside
the STB chipsets/system-onchips (SoCs) performing
highly sensitive content
protection functions.
Concentrating all security
sensitive functions of the STB
chipsets in a hardware
security core nucleus makes
it very hard for pirates to
accomplish their nefarious
mission. In this article, we
will explore the benefits of a
hardware security core
solution, and offer operators
guidance on how to incorporate such a solution into their
content protection strategies.
operators attempt to differentiate
their services by offering
compelling content, having inadequate STB security results in
higher content acquisition
costs, lost revenue and/or
less compelling content.
A
Exploring the benefits
As the sophistication of STB
chipset technology has evolved, all
major chip manufacturers have
introduced some form of security
hardware subsystem to provide
Control Word (CW) encryption
and other protection techniques in
the security logic of their products.
The varying levels of sophistication offered, and the increasing
challenge of parallel integration
efforts, have created an opportunity for a specialised hardware core
that provides a common approach
and state-of-the-art protection
across device families.
The hardware security core
approach brings significant security and architectural advantages.
Integrated software
A hardware security core that
includes strong countermeasures
against glitching, SPA, DPA, and
other invasive and non-invasive
attacks, can help achieve a hardware security level on the STB
chipset that improves on today’s
most advanced smart card chips.
As a part of advancing the overall
management protection integrated
with the hardware security core, it
becomes very hard for pirates to
follow or modify the device security processing. In an increasingly
hybrid network environment
where entitlement decisions can
be migrated to secure head-end
environments, the hardware secu-
industry approach, focusing hardening effort on the STB chipset
rather than a separate security
module removes the obvious physical and electrical attack points
inherent in removable hardware
and the buses that interface this
hardware to the STB itself.
With careful design of the STB
security software in conjunction
with the hardware security cores,
the content decryption keys (CWs)
and other critical security data do
not pass through external card
interfaces or through easily
probed register interfaces. Instead,
the CWs are passed directly inside
the chipset to the descramblers.
With security processing tightly
integrated with the video decryption and decoding processes, the
resulting security against CW
sharing and related attacks is
greatly improved compared with
traditional approaches.
Furthermore, by providing key
rity core provides a strong environment in which to process
device and message authentication, including challenge-response
functions to help improve the
integrity of runtime tamper resistance.
Two additional advantages are
achieved by the separation of the
hardware security core from the
rest of the STB environment:
Less scope for malicious or
compromised software/firmware
in the STB to be able to interfere
with content protection - and;
Any update to the STB software
or firmware would not require the
STB maker, operator, etc. to
re-certify the overall STB security.
The former improves security
and allows for open platforms
such as Android and third-party
apps, while the latter saves time
and effort thus improving time to
market.
Moreover, in a world where
Integrated software and
hardware security
Ben Jun, vice president and CTO of Cryptography Research,
and Petr Peterka, CTO, Verimatrix, describe the next step in
set-top box content and revenue protection.
14 Content Security Special
While a hardware security
core provides the silicon-level
capabilities to enable effective
security, it needs to be combined
with software capabilities to provide an end-to-end system of highly resistant key management. A
hardware security core is therefore
an essential element of a conditional (CA) solution, not a replacement for one.
One particularly compelling
approach is cardless CA systems
for broadcast networks – an
approach that is increasingly a
standard requirement. The
approach here is to maximise the
utilisation of hardware within the
STB chipset by the security/CA
subsystem. This potent combination delivers the cost-effectiveness
and flexibility of software combined with the highest levels of
security offered by hardware.
Additionally, in IP video
delivery networks, where STB
clients have long been based on
cardless architectures, utilisation
of a hardware security core in the
STB chipset can address concerns
regarding potential CW sharing
and cloning attacks. In such
architectures the security software
is responsible for requesting keys,
receiving and storing incoming
messages, synchronising descrambling, and managing the user
interface, but removed from direct
handling of the video decryption
keys themselves or the decrypted
media stream.
Cardless security
scenarios
Example 1: Software-based
security for one-way networks – Using a pure software
CA for one-way broadcast operation is intriguing. Compared with
external devices like smart cards,
software is cost efficient to deploy
in the field and to update over
time.
However, the logic of pay-TV
content security is well-known to