CI Plus Overview Presentation

CI Plus Overview
11th November 2011
www.ci-plus.com
CI Plus Limited Liability Partnership (LLP)
Table of Contents

• One Page Overview of CI Plus (p. 3)
• History of Common Interface (p. 4)
• Requirements & Scope with CI Plus (p. 8)
• CI Plus System Overview (p. 10)
• CI Plus Specification (p. 11)
  - SAC (Secure Authenticated Channel)
  - Authentication
  - Protection of TS (Transport Stream) with CC (Content Control)
  - URI (Usage Rules Information)
  - Revocation, Shunning
  - Interactivity with MHP CA API
• CI Plus Administration (p. 21)
  - CI+ LLP, Certificate Agent & Test Center
  - CI+ Documentation
  - Flow Chart of Certification & Licensing
  - Licensee Overview
• Summary (p. 26)
• Document History (p. 27)
• Abbreviations (p. 28)

[Diagram: a CI-CAM with its PCMCIA interface, CI, CA and SC. Legend: CA = Conditional Access; CAM = CA Module; CI = Common Interface; PCMCIA = Personal Computer Memory Card International Association; SC = Smart Card]

2 / 29
file: ci-plus_overview.ppt
Disclaimer:
All text and images that are presented herein are just for illustration
purposes about the principles of CI Plus. The presentation may
contain inaccuracies or errors. It does not necessarily reflect the most
recent status of technical and licence relevant documents of CI Plus.
www.ci-plus.com - CI Plus LLP
One Page Overview: Issue with v1 and Solution with CI Plus

• 1997-02 Quite old standard EN 50221 (DVB-CI v1) with unencrypted CAM output
• 2006-09 DVB TM-CIT group closed after missing consensus
• 2007-07 CI+ Forum founded by 6 companies
• 2008-01 CI Plus Specification v1.0 with encrypted CAM output
• 2008-11 CI+ Forum replaced by CI Plus LLP
• 2009-03 Appointment of Trust Center & Test facility
• 2011-04 DVB adopts future development of the CI Plus specification
• 2011-05 SMiT becomes 7th partner in CI Plus LLP

[Diagram: DVB-CI v1 versus CI Plus. In both cases the TV signal arrives encrypted. With v1 the CAM output over the PCMCIA interface is not encrypted, so an STB, recorder, etc. can take a copy of the original digital content. With CI Plus the PCMCIA interface is encrypted as well and additional usage rules apply to analogue/digital outputs and storage; the diagram's caption reads "Copy of original digital content is impossible!"]
History of Common Interface (CI)

1997-02: Standard DVB CI v1 (EN 50221)
1999-11: Extension ETSI TS 101 699
2002-01: EU directive for CI in IDTV with > 30 cm screen
(undated on the slide): Start of DVB TM-CIT group (to close security gaps with a new CI v2 ...)
2006-09: Closed after missing consensus on technology
2007-07: Founding of CI+ Forum by 6 companies
2007-12: CI Plus Specification draft
2008-01: CI Plus Specification v1.0
2008-11: Disbanding of CI+ Forum & creation of CI Plus LLP (UK Limited Liability Partnership)
2009-02: CI Plus Specification v1.1
2009-02: TC TrustCenter GmbH appointed
2009-03: DTV Labs Ltd. appointed test facility
2009-05: CI Plus Specification v1.2
2010-12: Negotiations about continuation of the specification under DVB
2011-01: CI Plus Specification v1.3
2011-04: DVB adopts development of the CI Plus spec beyond v1.3
2011-05: SMiT becomes 7th partner in CI Plus LLP
DVB-CI & CI Plus - Usage for SD/HDTV

[Diagram comparing three ways of delivering a service to a display or IDTV: a set-top box with integrated decryption system and smart card (SDTV); a smart card in a DVB-CI module (SDTV; only used or permitted for few content); and a smart card in a CI+ module.]
DVB CI - First Generation Standard v1

• The CI module is used with a smart card containing the key information
• The CI module removes the encryption of protected content
• The output of the CI module is unencrypted
• Because of this, most content providers prefer integrated solutions, which offer higher security

[Diagram: encrypted television signal, then smart card and CI module, then the PCMCIA interface with no encryption, then a plasma/LCD IDTV. Caption: "Copy of original digital content is possible".]
CI Plus - Protection of Content

• Based on the existing DVB-CI standard
• Main requirement: achieving the same level of security as embedded solutions
• CI Plus module and receiver:
  - Calculation & usage of a secure key for content protection
  - Secure, authenticated channel for critical system messages
• The output of the module is encrypted
• Only certified devices are supported

[Diagram: encrypted television signal, then smart card and CI Plus module, then the PCMCIA interface with local encryption, then a plasma/LCD IDTV. Caption: "Copy of original digital content is not possible!"]
CI Plus - Scope of Protection

[Diagram showing the two scopes of protection: CA (Conditional Access) and CC (Content Control).]
CI Plus - Scope of Compatibility

                   Host: DVB CI                   Host: CI Plus
CAM: DVB CI        Host & module in DVB-CI mode   Host in DVB-CI mode
CAM: CI Plus       Module in DVB-CI mode*         Host & module in CI Plus mode

* DVB-CI mode operation permitted by the network operator
CI Plus - System Overview

[Diagram of the CI Plus system. Legend: CA = Conditional Access; CC = Content Control; CI = Common Interface; CAM = Conditional Access Module]
CI Plus - Specification History

2007-12 Specification Draft
2008-01 Specification v1.0
2009-02 Specification v1.1
2009-05 Specification v1.2
  • Change number 002, effective 2009-04-23 (Security Extension)
    - Summary: Errata of v1.1, CICAM CIS CI Plus compatibility advertisement
  • Change number 005, effective 2011-03-01 (Security Extension)
    - Summary: Security fix for the CI Plus host to check the "Brand ID" in a CI Plus CICAM device certificate during authentication.
2011-01 Specification v1.3
  • Change number 007, effective 2012-08-01
    - Summary: Extensions of PVR-related functionality, CAS-protected recording removed, parental control clarifications, Low Speed Communication Resource, Extended CI Tuning Resource, Operator Profile
2011-10 Specification v1.3.1
  • Change number 013, effective 2012-08-01
    - Summary: Errata of v1.3, implementation guidelines
CI Plus - Specification v1.3

Chapter    Title                                            Pages
1-3        Scope, References, Definitions, ...              19
4          System Overview                                  4
5          Theory of Operation                              47
6          Authentication Mechanisms                        16
7          Secure Authenticated Channel                     12
8          Content Key Calculations                         5
9          Public Key Infrastructure & Certificate Details  9
10         Host Service Shunning                            5
11         Command Interface                                22
12         CI Plus Application Level MMI                    12
13         CI Plus MMI Resource                             4
14         Other CI Extensions                              52
Annex A-N                                                   109
Total                                                       316

file: ci_plus_specification_v1.3.pdf
date: 2011-01-14
CI Plus - Specification v1.3 Change

Key changes of v1.3 compared to v1.2
• Extensions to PVR-related functionality.
• CAS-protected recording removed.
• Parental Control extensions & clarifications.
• Optimization of Low Speed Communication Resource & IP support.
• Extension to CI Tuning Resource to support cable VOD applications.
• Introduction of an Operator Profile.

Change Notice with References
• prng_seed per manufacturer [5.3]
• URI version 2 [5.7.5.2]
• Digital Only Token [5.7.5.3]
• Content license [5.10]
• Parental Control [5.11]
• Recording and Storage [5.12]
• Host Authentication [Table 6.3, step 13, item d]
• Certificates, Service operator ID [9.3.6]
• Host shunning, SDT absent [10.4]
• Version 2 of CC resource [11.3]
• SAS APDU clarifications [11.4, Annex M.2.1]
• MHEG profile extensions [12.8]
• Low Speed Communications v3 [14.1]
• IP connection by name [14.2.1.2]
• Application MMI clarifications [14.4]
• Application MMI File Caching [14.5]
• Host Control v2 [14.6]
• Operator Profile [14.7, Annex N]
• APDU clarifications [Annex E]
• CIS Feature Identification [G.3.2]
• Removal of PVR Resource [v1.2, 15]

Details of changes:
file: ciplus_change_notice_007.pdf, date: 2011-01-21
file: 2011-03-10_ci-plus_specification_v1.3_diff_v1.2.pdf, date: 2011-03-10
CI Plus - Protocols

1. Host Capability Evaluation: compare the CI+ versions supported by the IDTV and the CAM.
2. Auth Key Verification: if both sides hold the same auth key, they have already performed a successful authentication with each other.
3. Authentication: the CI+ CAM and the IDTV authenticate each other to make sure the opposite device is a valid CI+ device.
4. SAC Key Calculation: the Secure Authenticated Channel (SAC) is used for transmission of security-related messages between CAM and IDTV.
5. URI Version Negotiation: Usage Rules Information (URI) version negotiation finds a URI version that is supported on both sides.
6. URI Acknowledgement: URI transmission and acknowledgement are used by the CAM to send a set of usage rules information to the IDTV.
7. CC Key Calculation: Content Control (CC) key calculation is used by both sides to calculate the keys for scrambling/descrambling the transport stream (TS).
8. SRM Acknowledgement: System Renewability Message (SRM) transmission and acknowledgement are used by the CI+ CAM to transfer SRMs for HDCP and DTCP-IP to the IDTV.
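The step sequence above, modelled in Go as an added example; this is not code from CI Plus LLP or from the specification. Both devices run the same code: step 1 picks the highest common CI Plus version, step 2 short-circuits to the stored auth key when both sides already hold the same one, step 3 accepts a peer only if its certificate was issued by the trust authority and derives the auth key, and steps 4 and 7 derive the SAC and CC keys from it with fresh nonces from both sides. Everything below the step names is assumed for illustration: the certificate format (device key plus brand ID signed by a root key, standing in for the real certificate chain), static ECDH between the two certified keys as the "DH" the slides mention, the HMAC-SHA256 derivation, and the version bitmask. Steps 5, 6 and 8 exchange application data over the SAC and are not modelled. Needs Go 1.20 or later for crypto/ecdh.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/bits"
)

// Cert stands in for a device certificate (key + brand ID signed by the trust authority); layout assumed.
type Cert struct {
	Pub     *ecdsa.PublicKey
	BrandID string
	Sig     []byte
}

func certDigest(c Cert) []byte {
	d := sha256.Sum256(append(append(c.Pub.X.Bytes(), c.Pub.Y.Bytes()...), c.BrandID...))
	return d[:]
}

// kdf derives a labelled sub-key with HMAC-SHA256 (illustrative construction).
func kdf(key []byte, label string, nonces ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	for _, n := range nonces {
		m.Write(n)
	}
	return m.Sum(nil)
}

// Device is the CICAM or the host. Versions is a bitmask: bit v-1 set means version v is supported.
type Device struct {
	Versions uint8
	key      *ecdsa.PrivateKey
	Cert     Cert
	authKeys map[string][]byte // auth key per authenticated peer, used in step 2
}

func NewDevice(brand string, issuer *ecdsa.PrivateKey, versions uint8) *Device {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	c := Cert{Pub: &k.PublicKey, BrandID: brand}
	c.Sig, _ = ecdsa.SignASN1(rand.Reader, issuer, certDigest(c))
	return &Device{versions, k, c, map[string][]byte{}}
}

// authenticate (step 3, one side): accept the peer only if the trust authority issued its
// certificate, then agree on the auth key by ECDH between the two certified keys. A peer
// holding a valid certificate without the matching private key derives a different key.
func (d *Device) authenticate(peer Cert, root *ecdsa.PublicKey) ([]byte, error) {
	if !ecdsa.VerifyASN1(root, certDigest(peer), peer.Sig) {
		return nil, errors.New("peer certificate not issued by the trust authority")
	}
	mine, _ := d.key.ECDH() // Go 1.20+; cannot fail for the P-256 keys generated above
	theirs, _ := peer.Pub.ECDH()
	shared, err := mine.ECDH(theirs)
	if err != nil {
		return nil, err
	}
	ak := kdf(shared, "auth key")
	d.authKeys[string(certDigest(peer))] = ak
	return ak, nil
}

// Session is the outcome of one CAM/host handshake.
type Session struct {
	Version       uint8
	ReusedAuthKey bool
	SACKey, CCKey []byte
}

// Handshake runs steps 1 to 4 and 7 between a CAM and a host.
func Handshake(cam, host *Device, root *ecdsa.PublicKey) (s Session, err error) {
	// 1. Host capability evaluation: highest CI Plus version both support.
	if s.Version = uint8(bits.Len8(cam.Versions & host.Versions)); s.Version == 0 {
		return s, errors.New("no common CI Plus version")
	}
	// 2. Auth key verification: equal stored keys prove an earlier authentication.
	akC, akH := cam.authKeys[string(certDigest(host.Cert))], host.authKeys[string(certDigest(cam.Cert))]
	if s.ReusedAuthKey = akC != nil && hmac.Equal(akC, akH); !s.ReusedAuthKey {
		// 3. Full mutual authentication; both sides must arrive at the same key.
		if akC, err = cam.authenticate(host.Cert, root); err != nil {
			return s, err
		}
		if akH, err = host.authenticate(cam.Cert, root); err != nil {
			return s, err
		}
		if !hmac.Equal(akC, akH) {
			return s, errors.New("authentication failed: auth keys differ")
		}
	}
	// 4. SAC key and 7. CC key: auth key plus fresh nonces from both sides, so a reused
	// auth key still yields new session keys.
	nc, nh := make([]byte, 16), make([]byte, 16)
	rand.Read(nc)
	rand.Read(nh)
	s.SACKey, s.CCKey = kdf(akC, "SAC", nc, nh), kdf(akC, "CC", nc, nh)
	return s, nil
}
```

The stored auth key is a long-lived pairing secret held by both devices; in this model anyone who reads it out of either device can skip step 3 forever, which is why the robustness rules on the later slides matter as much as the protocol itself.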
CI Plus - Transport Stream Output Protection

Host and CICAM capabilities:
• DES-56-ECB
  Data Encryption Standard, 56-bit key, Electronic Code Book
  (USA 1999-10, Federal Information Processing Standards, FIPS 46-3)
• AES-128-CBC
  Advanced Encryption Standard, 128-bit key, Cipher Block Chaining
  (USA, selected by NIST 2000-10 and published as FIPS 197 in 2001-11)

Of the two, DES-56-ECB is the weak option: a 56-bit key has been within reach of brute force since the late 1990s (NIST withdrew FIPS 46-3 in 2005), and ECB maps equal payload blocks to equal ciphertext blocks, so repeated packets and stuffing stay visible in the scrambled stream. AES-128-CBC has neither problem.
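An added example in Go (not code from the specification) that makes the difference between the two options visible: the same constructed stream of null packets is scrambled with each mode and the outputs are scanned for repeated blocks. The packet layout, the per-packet IV derived from the packet index, leaving the 8 residual payload bytes of each packet in the clear, and the test keys are all assumptions of this example; the specification's own IV and residual-block handling are not on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
)

const (
	tsPacket  = 188 // MPEG-2 transport stream packet size
	tsHeader  = 4   // the header stays in the clear; only the payload is scrambled
	tsPayload = tsPacket - tsHeader
)

// SamplePackets builds constructed test input: packets with a sync byte and
// the null PID 0x1FFF whose payload is all 0xFF stuffing, as in null packets
// and padding. Identical payloads are exactly what exposes a weak mode.
func SamplePackets(n int) [][]byte {
	packets := make([][]byte, n)
	for i := range packets {
		p := make([]byte, tsPacket)
		p[0], p[1], p[2] = 0x47, 0x1F, 0xFF
		for j := tsHeader; j < tsPacket; j++ {
			p[j] = 0xFF
		}
		packets[i] = p
	}
	return packets
}

// ScrambleDESECB scrambles each payload with single DES in ECB mode: every
// 8-byte block is encrypted on its own under the same 56-bit key, so equal
// plaintext blocks give equal ciphertext blocks across the whole stream.
func ScrambleDESECB(key []byte, packets [][]byte) [][]byte {
	block, err := des.NewCipher(key) // 8-byte key, 56 effective bits
	if err != nil {
		panic(err)
	}
	out := make([][]byte, len(packets))
	for i, p := range packets {
		c := append([]byte(nil), p...)
		for off := tsHeader; off+des.BlockSize <= tsPacket; off += des.BlockSize {
			block.Encrypt(c[off:off+des.BlockSize], p[off:off+des.BlockSize])
		}
		out[i] = c
	}
	return out
}

// ScrambleAESCBC scrambles each payload with AES-128 in CBC mode. Two details
// are this example's assumptions, not the specification's: the IV is derived
// from the packet index so the descrambler can recompute it, and the 8
// residual payload bytes that do not fill a 16-byte block are left unscrambled.
func ScrambleAESCBC(key []byte, packets [][]byte) [][]byte {
	block, err := aes.NewCipher(key) // 16-byte key
	if err != nil {
		panic(err)
	}
	n := tsPayload / aes.BlockSize * aes.BlockSize // 176 bytes of whole blocks
	out := make([][]byte, len(packets))
	for i, p := range packets {
		c := append([]byte(nil), p...)
		iv := make([]byte, aes.BlockSize)
		binary.BigEndian.PutUint64(iv[8:], uint64(i))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(c[tsHeader:tsHeader+n], p[tsHeader:tsHeader+n])
		out[i] = c
	}
	return out
}

// DuplicateBlocks counts scrambled payload blocks that repeat an earlier
// block anywhere in the stream: structure an observer reads off the wire
// without knowing the key.
func DuplicateBlocks(packets [][]byte, blockSize int) int {
	seen := map[string]bool{}
	dups := 0
	for _, p := range packets {
		for off := tsHeader; off+blockSize <= tsPacket; off += blockSize {
			b := string(p[off : off+blockSize])
			if seen[b] {
				dups++
			}
			seen[b] = true
		}
	}
	return dups
}
```

With ten null packets the DES-ECB output contains 229 repeated 8-byte blocks (every block but the first is a repeat), while the AES-CBC output contains none; a fixed IV reused for every packet would make CBC leak packet-level repetition too, which is why the IV is varied per packet here.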
CI Plus - Authentication

Supported authentication phases per service mode:
• Basic Service Mode
• Registered Service Mode
  - Requires upstream communication to the HE (Head End)

[Diagram: example authentication exchange. DH = Diffie-Hellman key exchange]
CI Plus - Devices & External Interfaces

Devices:
• CI Plus IDTV
• STB/PVR (time-shifted recording, optional)
• Display

Signals / interfaces:
• Analogue: PAL / NTSC / SECAM; RGB / YUV / S-Video
• Digital: HDMI / HDCP; DTCP-IP

Encrypted content, paired to the receiver: the content cannot be copied without authorization.
CI Plus - Usage Rules Information (URI)

URI initial default value for the host, e.g. after a channel change:
• protocol version       = 0x01
• emi_copy_control_info  = 0b11      (Encryption Mode Indicator)
• aps_copy_control_info  = 0b00      (Analog copy Protection System)
• ict_copy_control_info  = 0b0       (Image Constraint Trigger/Token)
• rct_copy_control_info  = 0b0       (Redistribution Control Trigger)
• rl_copy_control_info   = 0b000000  (Retention Limit, default 90 min)
• reserved bits          = 0b0

This default is the most restrictive setting (EMI 0b11 corresponds to "copy never" in the DTCP mapping), so a host fails closed: until the CAM has sent and the host has acknowledged the actual rules, content is treated as not copyable.

URI Mapping Table (from URI to analog, digital and digital storage outputs):
• Analog output (MV, APS, CGMS, ICT)
• Digital output (HDCP, DTCP, SPDIF)
• Digital storage (AACS, CPRM, VCPS)

See e.g. Digital Transmission Content Protection, www.dtcp.com
• Specification 2007-10, rev 1.51
CI Plus - Mechanisms of Revocation

Host Service Shunning
• The host shunning state is determined from the Service Description Table (SDT)
• Shunning active: the service can only be descrambled by a CI+ module
• Shunning not active: the service can be descrambled by a DVB-CI or a CI+ module

Host Revocation
• A Certificate Revocation List (CRL) transmitted to the CICAM black-lists a host
• A Certificate White List (CWL) can revert a previous revocation of a host
• Levels of revocation granularity:
  1. Unique host
  2. Range of hosts
  3. Certain model
  4. Certain brand

Revocation by CAS
• Possible, but out of CI Plus specification scope
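The revocation and shunning rules above as an added example in Go; this is not code from CI Plus LLP or the specification. The four granularity levels map to one entry type, Revoked applies the CRL/CWL interaction, and MayDescramble combines the shunning flag taken from the SDT with the revocation result. Two things are assumptions of this example rather than of the specification: the fields that identify a host (brand, model, serial) and the precedence rule when a CRL entry and a CWL entry both match (the more specific entry wins, a tie goes to the white list). Check the specification's own rule before reusing this logic.

```go
package main

// Level is the granularity of a CRL/CWL entry, from the four levels on the
// slide. Higher is more specific.
type Level int

const (
	BrandLevel Level = iota + 1
	ModelLevel
	RangeLevel
	HostLevel
)

// HostID identifies a host the way a CICAM sees it from the host certificate.
// The field names are this example's assumption, not the certificate profile.
type HostID struct {
	Brand, Model string
	Serial       uint64
}

// Entry is one line of a CRL or CWL. From/To bound a RangeLevel entry; From
// alone names the unit of a HostLevel entry.
type Entry struct {
	Level        Level
	Brand, Model string
	From, To     uint64
}

func (e Entry) matches(h HostID) bool {
	switch e.Level {
	case BrandLevel:
		return e.Brand == h.Brand
	case ModelLevel:
		return e.Brand == h.Brand && e.Model == h.Model
	case RangeLevel:
		return e.Brand == h.Brand && e.Model == h.Model && h.Serial >= e.From && h.Serial <= e.To
	case HostLevel:
		return e.Brand == h.Brand && e.Model == h.Model && h.Serial == e.From
	}
	return false
}

// mostSpecific returns the highest level of any entry matching h, or 0 if
// no entry matches.
func mostSpecific(list []Entry, h HostID) (best Level) {
	for _, e := range list {
		if e.matches(h) && e.Level > best {
			best = e.Level
		}
	}
	return best
}

// Revoked decides whether a host is black-listed. The slide says a CWL entry
// can revert a CRL revocation; the precedence used here (most specific
// matching entry wins, ties go to the white list) is an assumption of this
// example, not taken from the specification.
func Revoked(h HostID, crl, cwl []Entry) bool {
	r, w := mostSpecific(crl, h), mostSpecific(cwl, h)
	return r > 0 && r > w
}

// MayDescramble applies host service shunning together with revocation: a
// service flagged as shunned in the SDT may only be descrambled by a CI+
// module, and a CI+ module serves no revoked host. A DVB-CI module has no
// revocation mechanism, which is exactly why shunning exists.
func MayDescramble(serviceShunned, ciPlusModule, hostRevoked bool) bool {
	if serviceShunned && !ciPlusModule {
		return false
	}
	return !(ciPlusModule && hostRevoked)
}
```

Note what the precedence rule buys: a brand-wide revocation followed by a model-level white-list entry re-admits that model only, while a single white-listed unit inside a revoked serial range is re-admitted without reopening the rest of the range.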
CI Plus - Additional Interactivity with the Consumer

CI Plus Browser
• Enables CI Plus modules to display graphics with menus, pictures, logos, ... in a common way on all CI Plus receivers/displays
• Allows easy interaction with the default remote control

Support of MHP CA API
• Enables the broadcast MHP application to communicate with a CA smart card inside the CI Plus module

Country and Language Support
• Enables CI Plus modules to use in their menus the same language that the user has already defined in the receiver settings
CI Plus - LLP, Certificate Agent & Test Center

CI Plus LLP contact details:
• CI Plus LLP, www.ci-plus.com
• Pannell House, Park Street, Guildford, Surrey GU1 4HN, UK
• CI Plus LLP registered (no. OC341596) in England & Wales

CI Plus LLP authorized Certificate Agent:
• TC TrustCenter GmbH, www.trustcenter.de
• Sonninstrasse 24-28, 20097 Hamburg, Germany
• Tel/Fax: +49.40.808026-0/-126
• Mail: ciplus@trustcenter.de

CI Plus LLP approved Test Facility:
• Digital TV Labs Ltd., www.digitaltv-labs.com
• Venturers House, King Street, Bristol, BS1 4PB, UK
• Tel/Fax: +44.117.915-4018/-4088
• Mail: info@digitaltv-labs.com
CI Plus - Documentation

Documents on www.ci-plus.com (www.ci-plus.com/index.php?page=download)
• CI Plus Specification v1.3
  - Detailed specification for receiver and module, with change notes 002, 005 & 007
• Supplementary Specification v1.3
  - Requirements for host revocation/shunning
• Implementation Guidelines v1.0
• Registration Application
  - Application for test and registration of a device
• CI Plus Logo Guidelines & Archive
• Test Specification v1.0
  - Definition of the test and registration process

Documents on www.trustcenter.de (www.trustcenter.de/solutions/consumer_electronics.htm)
• On-Boarding Guideline
• Interim License Agreement (ILA)
  - Compliance and Robustness Rule...
• Certificate Supply Agreement (CSA)
• Forms: Identification, Administrator Authorization, Brand On-Boarding, Registration Application
• Robustness Certification Checklist
CI Plus - License Agreement with Exhibits A-L

A: Device Type
B: Robustness Rules
C: Compliance Rules for Host Device
D: Compliance Rules for CICAM Device
E: URI Mapping Table
G: Robustness Rules Checklist
H: Confidentiality Agreement
I: Fee Schedule
J: Registration Procedure
K: Change Procedure
L: Revocation Procedure
(Exhibit F is not listed on the slide.)

[Diagram relating the Host Device and the CICAM Device to the Robustness Rules, the Compliance Rules and the Confidentiality Agreement]
CI Plus - Implementation

Flow of certification and licensing between the parties (from the slide's diagram):

CI Plus LLP (Limited Liability Partnership)
• Publishes on its website: the public specification and the license agreement (incl. compliance and robustness rules)

Device manufacturer of a CI Plus module / host
• Signs the license agreement (€15,000 registration / yearly) and receives the license specs and test technology
• For a new device, completes the robustness checklist

Test partner
• Tests the device (€5,000 per device type), or self-test registration (after registration of 2 different device types)
• Passes the device testing result on

Trust Authority (TA)
• Device registration on receipt of the robustness checklist and the device testing result
• Issues production credentials

Certification Authority (CA), TC TrustCenter
• The manufacturer orders certificates (keys): €500 per 10,000 devices
• The CA delivers the certificates (keys)
CI Plus - Licensees

• Licensees of CI Plus are published with their homepage URL on the TrustCenter website
• 89 licensees on 2011-10-10:
  - 29 component licensees
  - 54 host licensees
  - 6 module licensees
• www.trustcenter.de/consumer_electronics_licensees_module.htm
• www.trustcenter.de/consumer_electronics_licensees_host.htm
• www.trustcenter.de/consumer_electronics_licensees_host_module.htm
CI Plus - Summary

• CI Plus is based on the DVB-CI standard and is downward compatible
• Encrypted communication over the CI/CI+ interface
  - Secure & authenticated channel for critical system messages
  - Encrypted transmission of digital content from the CI+ module to the host device
• Implementation
  - Licensing & administration of certificates managed by an independent trust center
  - Certification of end-user devices & CI+ modules in a digital TV laboratory
• Future-proof with URI (Usage Rules Information) for UPnP, CPCM, CSA3, DTCP, DLNA, ...

[Diagram: IDTV connected to the Internet, a LAN, a PVR and an STB]
Document History

2009-07-06: Creation and first publication on www.ci-plus.com
2011-11-11: Specification v1.3, DVB resumption, SMiT membership, updated CIP contact details, licensee overview, reformatting to 16:9
Abbreviations

AACS: Advanced Access Content System (aacsla.com)
AES: Advanced Encryption Standard
API: Application Programming Interface
CA: Conditional Access
CAM: Conditional Access Module (DVB-CI or CI Plus)
CAS: Conditional Access System
CC: Content Control
CDA: Content Distributor Agreement (contract with CI Plus)
CE: Consumer Electronics
CGMS: Copy Generation Management System
CI: Common Interface
CIP: CI Plus LLP (ci-plus.com)
CIv1: DVB CI version 1.0 (dvb.org)
CI Plus: Common Interface Plus (ci-plus.com)
CM: Commercial Module (of DVB)
CPRM: Content Protection for Recordable Media (4centity.com)
CRL: Certificate Revocation List
CWL: Certificate White List
CSA: Certificate Supply Agreement (the "CSA3" in the summary is the DVB Common Scrambling Algorithm 3, a different term)
DES: Data Encryption Standard
DLNA: Digital Living Network Alliance (dlna.org)
DOT: Digital Only Token
DVB: Digital Video Broadcasting (dvb.org)
DRM: Digital Rights Management
DTCP: Digital Transmission Content Protection (dtcp.com)
DTVL: Digital TV Labs (CI Plus) (digitaltv-labs.com)
EU: European Union (europa.eu)
FFW: Fast Forward (PVR function)
HDCP: High-bandwidth Digital Content Protection
HDD: Hard Disk Drive
HDMI: High Definition Multimedia Interface (hdmi.org)
ICT: Image Constraint Token
IDTV: Integrated Digital tuner Television
ILA: Interim License Agreement
LCD: Liquid Crystal Display
LLP: Limited Liability Partnership
MHP: Multimedia Home Platform
MPAA: Motion Picture Association of America (mpaa.org)
PCMCIA: Personal Computer Memory Card International Association
PVR: Personal Video Recorder
SAC: Secure Authenticated Channel
SC: Smart Card
SDT: Service Description Table
SOC: Selectable Output Control
SMiT: Shenzhen State Micro Technology Co. Ltd.
SPDIF: Sony/Philips Digital Interconnect Format
STB: Set Top Box
TA: Trust Authority (e.g. TC for CI Plus)
TC: TrustCenter GmbH (trustcenter.de)
TM: Technical Module (of DVB)
TS: Transport Stream
USB: Universal Serial Bus
URI: Usage Rules Information
VCPS: Video Content Protection System

Version: 2011-11-11
Thank you for your interest

CI Plus LLP: www.ci-plus.com
DVB: www.dvb.org
TC TrustCenter GmbH: www.trustcenter.de
Digital TV Labs Ltd.: www.digitaltv-labs.com

CI Plus Limited Liability Partnership (LLP)