CI Plus Overview Presentation - Common Interface

CI Plus Overview 11th November 2011

www.ci-plus.com

CI Plus Limited Liability Partnership (LLP)

Table of Content

• One Page Overview of CI Plus
• History of Common Interface
• Requirements & Scope with CI Plus
• CI Plus System Overview
• CI Plus Specification
  - SAC (Secure Authenticated Channel)
  - Authentication
  - Protection of TS (Transport Stream) with CC (Content Control)
  - URI (Usage Rules Information)
  - Revocation, Shunning
  - Interactivity with MHP CA API
• CI Plus Administration
  - CI+ LLP, Certificate Agent & Test Center
  - CI+ Documentation
  - Flow Chart of Certification & Licensing
  - Licensee Overview
• Summary
• Document History
• Abbreviations

[Figure labels: PCMCIA, CI, CA, SC, CI-CAM]

CA      Conditional Access
CAM     CA Module
CI      Common Interface
PCMCIA  Personal Computer Memory Card International Association
SC      Smart Card

file: ci-plus_overview.ppt

Disclaimer:

All text and images that are presented herein are just for illustration purposes about the principles of CI Plus. The presentation may contain inaccuracies or errors. It does not necessarily reflect the most recent status of technical and licence relevant documents of CI Plus.

www.ci-plus.com - CI Plus LLP

One Page Overview

Issue with v1 and Solution with

• 1997-02 Quite old standard EN 50221 (DVB-CI v1) with unencrypted CAM output
• 2006-09 Closed DVB TM-CIT group after missing consensus
• 2007-07 CI+ Forum founded by 6 companies
• 2008-01 CI Plus Spec v1.0 with encrypted CAM output
• 2008-11 CI+ forum replaced by CI Plus LLP
• 2009-03 Appointment of Trustcenter & Test facility
• 2011-04 DVB adopts future development of CI Plus specification
• 2011-05 SMiT becomes 7th partner in CI Plus LLP

[Figure labels: Encrypted TV Signal; PCMCIA Interface, not encrypted; Encrypted PCMCIA Interface; IDTV; STB, Recorder, ...; additional Usage Rules for A/D output and storage]

Copy of original digital content is impossible!

History of Common Interface (CI)

1997-02: Standard DVB CI v1 (EN 50221)
1999-11: Extension ETSI TS 101 699
2002-01: EU directive for CI in IDTV with > 30cm
2006-09: Start of DVB TM-CIT group (to close security gaps with new CI v2 ...). Closed after missing consensus on technology

2007-07: Founding CI+ Forum by 6 companies
2007-12: CI Plus Specification draft
2008-01: CI Plus Specification v1.0
2008-11: Disbanding of CI+ Forum & creation of CI Plus LLP (UK Limited Liability Partnership)
2009-02: CI Plus Specification v1.1
2009-02: TC TrustCenter GmbH appointed
2009-03: DTV Labs Ltd. appointed test facility
2009-05: CI Plus Specification v1.2
2010-12: Negotiations about continuation of specification under DVB
2011-01: CI Plus Specification v1.3

2011-04: DVB adopts development of CI Plus spec beyond v1.3
2011-05: SMiT becomes 7th partner in CI Plus LLP

DVB-CI & CI Plus - Usage for SD/HDTV

[Figure labels: Set-Top-Box with integrated Decryption-System; Smart Card; Display or IDTV; SDTV (Only for few content used or permitted); Smart Card with DVB-CI; Smart Card with CI+]

DVB CI - First Generation Standard v1

• CI-Module used with smartcard containing key information
• CI-Module removes the encryption of protected content
• The output of CI-Module is unencrypted
• Due to this, most content providers prefer integrated solutions because of higher security

[Figure labels: Encrypted Television Signal; Smartcard; CI-Module; PCMCIA Interface; No Encryption; Plasma / LCD IDTV]

Copy of original digital content is possible

CI Plus - Protection of Content

• Based on existing DVB-CI Standard
• Main requirement: achieving the same level of security as embedded solutions
• CI Plus Module and Receiver
  - Calculation & Usage of a secure key for content protection
  - Secure, authenticated channel for critical system messages
• The output of module is encrypted
• Only certified devices are supported

[Figure labels: Encrypted Television Signal; Smartcard; CI Plus Module; PCMCIA Interface; Local Encryption; Plasma / LCD IDTV]

Copy of original digital content is not possible!

CI Plus - Scope of Protection

CA  Conditional Access
CC  Content Control

CI Plus - Scope of Compatibility

                 CA Module (CAM): DVB CI      CA Module (CAM): CI Plus
Host: DVB CI     Host & Module DVB-CI mode    Module in DVB-CI mode*
Host: CI Plus    Host in DVB-CI mode          Host & Module CI Plus mode

* DVB-CI mode operation permitted by network operator

CI Plus - System Overview

CA   Conditional Access
CC   Content Control
CI   Common Interface
CAM  Conditional Access Module

CI Plus - Specification History

2007-12 Specification Draft
2008-01 Specification v1.0
2009-02 Specification v1.1
2009-05 Specification v1.2
• Change number 002, effective 2009-04-23 (Security Extension) - Summary: Errata of v1.1, CICAM CIS CI Plus compatibility advertisement
• Change number 005, effective 2011-03-01 (Security Extension) - Summary: Security fix for CI Plus Host to check for “Brand ID” in a CI Plus CICAM device certificate during authentication.

2011-01 Specification v1.3
• Change number 007, effective 2012-08-01 - Summary: Extensions of PVR related functionality, CAS protected recording removed, Parental Control Clarifications, Low Speed Communication Resource, Extended CI Tuning Resource, Operator Profile

2011-10 Specification v1.3.1
• Change number 013, effective 2012-08-01 - Summary: Errata of v1.3, implementation guidelines

CI Plus - Specification v1.3

Chapter  Title                                        Pages
1-3      Scope, References, Definitions, ...             19
4        System Overview                                  4
5        Theory of Operation                             47
6        Authentication Mechanisms                       16
7        Secure Authenticated Channel                    12
8        Content Key Calculations                         5
9        Public Key Infrastr. & Certificate Details       9
10       Host Service Shunning                            5
11       Command Interface                               22
12       CI Plus Application Level MMI                   12
13       CI Plus MMI Resource                             4
14       Other CI Extensions                             52
         Annex A...N                                    109
         Total:                                         316

file: ci_plus_specification_v1.3.pdf date: 2011-01-14

CI Plus - Specification v1.3 Change

Key changes of v1.3 compared to v1.2
• Extensions to PVR related functionality.
• CAS protected recording removed.
• Parental Control Extensions & Clarifications.
• Optimization of Low Speed Communication Resource & IP support.
• Extension to CI Tuning Resource to support Cable VOD Applications.
• Introduction of an Operator Profile.

Change Notice with References
• prng_seed per manufacturer [5.3]
• URI version 2 [5.7.5.2]
• Digital Only Token [5.7.5.3]
• Content license [5.10]
• Parental Control [5.11]
• Recording and Storage [5.12]
• Host Authentication [Table 6.3, step 13, item d]
• Certificates, Service operator ID [9.3.6]
• Host shunning, SDT absent [10.4]
• Version 2 of CC resource [11.3]
• SAS APDU clarifications [11.4, Annex M.2.1]
• MHEG profile extensions [12.8]
• Low Speed Communications v3 [14.1]
• IP connection by name [14.2.1.2]
• Application MMI clarifications [14.4]
• Application MMI File Caching [14.5]
• Host Control v2 [14.6]
• Operator Profile [14.7, Annex N]
• APDU clarifications [Annex E]
• CIS Feature Identification [G.3.2]
• Removal of PVR Resource [v1.2, 15]

Details of changes:
file: ciplus_change_notice_007.pdf date: 2011-01-21
file: 2011-03-10_ci-plus_specification_v1.3_diff_v1.2.pdf date: 2011-03-10

CI Plus - Protocols

1. Host Capability Evaluation: Compare CI+ versions supported by IDTV and CAM.
2. Auth Key Verification: If both sides have the same auth key, they have performed a successful authentication with each other.
3. Authentication: CI+ CAM and IDTV authenticate each other to make sure the opposite device is a valid CI+ device.
4. SAC Key Calculation: The Secure Authenticated Channel (SAC) is used for transmission of security-related messages between CAM and IDTV.
5. URI Version Negotiation: Usage Rules Information (URI) version negotiation to find a URI version that is supported on both sides.
6. URI Acknowledgement: URI transmission and acknowledgement used by CAM to send a set of usage rules information to the IDTV.
7. CC Key Calculation: Content Control (CC) key calculation used by both sides to calculate keys for scrambling/descrambling of transport stream (TS).
8. SRM Acknowledgement: System Renewability Message (SRM) transmission and acknowledgement is used from CI+ CAM to transfer SRM for HDCP and DTCP-IP to the IDTV.

CI Plus - Transport Stream Output Protection

Host and CICAM Capabilities:

• DES-56-ECB: Data Encryption Standard, 56-bit key, Electronic Code Book (USA 1999-10, Federal Information Processing Standards, FIPS 46-3)
• AES-128-CBC: Advanced Encryption Standard, 128-bit key, Cipher Block Chaining (USA 2000-10, National Institute of Standards and Technology, NIST, FIPS 197)

CI Plus - Authentication

Supported Authentication Phases per Service Mode:
• Basic Service Mode
• Registered Service Mode
  - Requires upstream communication to HE (Head End)

example:

DH = Diffie-Hellman key exchange

CI Plus - Devices & external Interfaces

[Figure labels: Devices: CI Plus, IDTV, STB/PVR, Display; time shifted recording (optional); Signals / Interfaces: Analogue (PAL / NTSC / SECAM, RGB / YUV / S-Video), Digital (HDMI / HDCP, DTCP-IP)]

Encrypted Content, paired to receiver: the content cannot be copied without authorization.

CI Plus - Usage Rules Information (URI)

URI initial default value for host, e.g. after channel change:
• protocol version       = 0x01
• emi_copy_control_info  = 0b11      (Encryption Mode Indicator)
• aps_copy_control_info  = 0b00      (Analog copy Protection System)
• ict_copy_control_info  = 0b0       (Image Constraint Trigger/Token)
• rct_copy_control_info  = 0b0       (Redistribution Control Trigger)
• rl_copy_control_info   = 0b000000  (Retention Limit, default 90 min)
• reserved bits          = 0b0

URI Mapping Table:
• Analog Output (MV, APS, CGMS, ICT)
• Digital Output (HDCP, DTCP, SPDIF)
• Digital Storage (AACS, CPRM, VCPS)

[Figure labels: URI; Analog; Digital; Digital Storage]

see e.g. Digital Transmission Content Protection, www.dtcp.com
• Specification 2007-10, rev 1.51
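The default URI listed on this slide is the restrictive state a host falls back to until the CICAM delivers rules for the selected programme. A sketch of that host-side behaviour follows as an added example; it is not code from the presentation or the CI Plus specification. The class and function names are hypothetical, the field widths are read off the binary literals on the slide, and the EMI meanings and the rule of ignoring a URI with a non-negotiated version are assumptions.

```python
from dataclasses import dataclass

# Field widths in bits, taken from the length of each literal on the slide.
# The reserved bits and the wire layout of the URI message are not modelled.
WIDTHS = {"protocol_version": 8, "emi": 2, "aps": 2, "ict": 1, "rct": 1, "rl": 6}

# Assumption: EMI meanings as commonly used for DTCP-style copy control.
EMI_MEANING = {0b00: "copy freely", 0b01: "copy no more",
               0b10: "copy once", 0b11: "copy never"}

@dataclass(frozen=True)
class Uri:
    """Field defaults are the slide's initial default values."""
    protocol_version: int = 0x01
    emi: int = 0b11      # Encryption Mode Indicator
    aps: int = 0b00      # Analog copy Protection System
    ict: int = 0b0       # Image Constraint Trigger/Token
    rct: int = 0b0       # Redistribution Control Trigger
    rl: int = 0b000000   # Retention Limit, 0 = default 90 min

    def __post_init__(self):
        # Reject values that cannot be represented in the field.
        for name, bits in WIDTHS.items():
            value = getattr(self, name)
            if not 0 <= value < (1 << bits):
                raise ValueError(f"{name}={value} does not fit in {bits} bits")

DEFAULT_URI = Uri()

class HostUriState:
    """Tracks which URI the host currently enforces (hypothetical class)."""
    def __init__(self, negotiated_version=0x01):
        self.negotiated_version = negotiated_version
        self.current = DEFAULT_URI

    def on_channel_change(self):
        # Fail closed: drop the previous programme's rules immediately.
        self.current = DEFAULT_URI

    def on_uri_from_cam(self, uri):
        # Assumption: a URI in a version that was not negotiated is ignored,
        # so the restrictive default stays in force.
        if uri.protocol_version != self.negotiated_version:
            return False
        self.current = uri
        return True

    def permanent_copy_allowed(self):
        return EMI_MEANING[self.current.emi] in ("copy freely", "copy once")

def demo():
    host = HostUriState()
    seen = [host.permanent_copy_allowed()]           # before any URI arrives
    host.on_uri_from_cam(Uri(emi=0b00))              # constructed sample URI
    seen.append(host.permanent_copy_allowed())
    host.on_channel_change()
    seen.append(host.permanent_copy_allowed())       # back to the default
    host.on_uri_from_cam(Uri(protocol_version=0x02, emi=0b00))
    seen.append(host.permanent_copy_allowed())       # wrong version ignored
    return seen
```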

CI Plus - Mechanisms of Revocation

Host Service Shunning
• Host shunning state determined from Service Descriptor Table (SDT)
• Shunning active: Service can only be descrambled by CI+ Module
• Shunning non active: Service can be descrambled by DVB-CI or CI+ Module

Host Revocation
• Certificate Revocation List (CRL) transmitted to CICAM black-lists a host
• Certificate White List (CWL) can revert a previous revocation of a host
• Level of revocation granularity:
  1. Unique host
  2. Range of hosts
  3. Certain model
  4. Certain brand

Revocation by CAS
• Possible, but out of CI Plus specification scope

CI Plus - Additional Interactivity with Consumer

CI Plus Browser
• Enables CI Plus modules to display graphics with menus, pictures, logos, ... in a common way on all CI Plus receivers/displays
• Allows easy interaction with default remote control

Support of MHP CA API
• Enables the broadcast MHP application to communicate with a CA Smartcard inside the CI Plus module

Country- and Language Support
• Enables CI Plus modules to use the same language in menus that the user has already defined in the receiver settings.

CI Plus - LLP, Certificate Agent & Test Center

CI Plus LLP contact details:
• CI Plus LLP, www.ci-plus.com
• Pannell House, Park Street, Guildford, Surrey GU1 4HN, UK
• CI Plus LLP registered (no OC341596) in England & Wales

CI Plus LLP authorized Certificate Agent:
• TC TrustCenter GmbH, www.trustcenter.de
• Sonninstrasse 24-28, 20097 Hamburg, Germany
  Tel/Fax: +49.40.808026-0/-126
  Mail: [email protected]

CI Plus LLP approved Test Facility:
• Digital TV Labs Ltd., www.digitaltv-labs.com
• Venturers House, King Street, Bristol, BS1 4PB, UK
  Tel/Fax: +44.117.915-4018/-4088
  Mail: [email protected]

CI Plus - Documentation

Documents on www.ci-plus.com (www.ci-plus.com/index.php?page=download)
• CI Plus Specification v1.3
  - Detailed Specification for Receiver and Module with change notes 002, 005 & 007
• Supplementary Specification v1.3
  - Requirements for host revocation/shunning
• Implementations Guidelines v1.0
• Registration Application
  - Application for test and registration of a device
• CI Plus Logo Guidelines & Archive
• Test Specification v1.0
  - Definition of test- and registration process

Documents on www.trustcenter.de (www.trustcenter.de/solutions/consumer_electronics.htm)
• On-Boarding Guideline
• Interim License Agreement (ILA)
  - Compliance and Robustness Rule...
• Certificate Supply Agreement (CSA)
• Forms: Identification, Administrator Authorization, Brand On-Boarding, Registration Application
• Robustness Certification Checklist

CI Plus - License Agreement with Exhibits A-L

A: Device Type
B: Robustness Rules
C: Compliance Rules for Host Device
D: Compliance Rules for CICAM Device
E: URI Mapping Table
G: Robustness Rules Checklist
H: Confidentiality Agreement
I: Fee schedule
J: Registration Procedure
K: Change Procedure
L: Revocation Procedure

[Figure labels: Host Device; CICAM Device; Robustness Rules; Compliance Rules; Confidentiality Agreement]

CI Plus - Implementation

[Flow chart of certification and licensing. Parties: CI Plus LLP (Limited Liability Partnership); Test Partner; Trust Authority (TA) / Certification Authority (CA) TC Trust Center; Device Manufacturer of CI Plus Module / Host. Labelled steps:]
• At Website: Public Specification, License Agreement (incl. Compliance and Robustness)
• Sign License Agreement, €15,000 registration/yearly; Receive License specs and Test technology
• New device: Robustness Checklist, Device Testing, Result Robustness Checklist, € 5,000/device type
• Test of Device or Self-Test-Registration (after registration of 2 different device types); Device Testing Result
• Device Registration, Production Credentials
• Order Certificates (keys), € 500/10.000 devices
• Deliver Certificates (keys)

CI Plus - Licensees Publication

• Licensees of CI Plus are published with homepage URL on website of TrustCenter
• 89 Licensees on 2011-10-10
  - 29 Components Licensees
  - 54 Hosts Licensees
  - 6 Modules Licensees

www.trustcenter.de/consumer_electronics_licensees_module.htm
www.trustcenter.de/consumer_electronics_licensees_host.htm
www.trustcenter.de/consumer_electronics_licensees_host_module.htm

CI Plus - Summary

• CI Plus is based on DVB-CI standard and is downward compatible
• Encrypted communication over the CI/CI+ interface
  - Secure & authenticated channel for critical system messages
  - Encrypted transmission of digital content from CI+ module towards the host device
• Implementation
  - Licensing & administration of Certificates managed by independent Trust-Center
  - Certification of end user devices & CI+ modules in a digital TV laboratory
• Future proof with URI (Usage Rules Information) for UPnP, CPCM, CSA3, DTCP, DLNA, ...

[Figure labels: Internet; LAN; PVR; STB]

Document History

2009-07-06  Creation and first publication on www.ci-plus.com
2011-11-11  Specification v1.3, DVB resumption, SMiT membership, updated CIP contact detail, licensee overview, reformatting to 16:9

Abbreviations

AACS     Advanced Access Content System (aacsla.com)
AES      Advanced Encryption Standard
API      Application Programming Interface
CA       Conditional Access
CAM      Conditional Access Module (DVB-CI or CI Plus)
CAS      Conditional Access System
CC       Content Control
CDA      Content Distributor Agreement (contract with CI Plus)
CE       Consumer Electronics
CGMS     Copy Generation Management System
CI       Common Interface
CIP      CI Plus LLP (ci-plus.com)
CIv1     DVB CI version 1.0 (dvb.org)
CI Plus  Common Interface Plus (ci-plus.com)
CM       Commercial Module (of DVB)
CPRM     Content Protection for Recordable Media (4centity.com)
CRL      Certificate Revocation List
CWL      Certificate White List
CSA      Certificate Supply Agreement
DES      Data Encryption Standard
DLNA     Digital Living Network Alliance (dlna.org)
DOT      Digital Only Token
DVB      Digital Video Broadcasting (dvb.org)
DRM      Digital Rights Management
DTCP     Digital Transmission Content Protection (dtcp.com)
DTVL     Digital TV Labs (CI Plus) (digitaltv-labs.com)
EU       Europe (europa.eu)
FFW      Fast Forward (PVR function)
HDCP     High-bandwidth Digital Content Protection
HDD      Hard Disk Drive
HDMI     High Definition Multimedia Interface (hdmi.org)
ICT      Image Constraint Token
IDTV     Integrated Digital tuner Television
ILA      Interim License Agreement
LCD      Liquid Crystal Display
LLP      Limited Liability Partnership
MHP      Multimedia Home Platform
MPAA     Motion Picture Association of America (mpaa.org)
PCMCIA   Personal Computer Memory Card International Association
PVR      Personal Video Recorder
SAC      Secure Authenticated Channel
SC       Smart Card
SDT      Service Descriptor Table
SOC      Selectable Output Control
SMiT     Shenzhen State Micro Technology Co. Ltd.
SPDIF    Sony/Philips Digital Interconnect Format
STB      Set Top Box
TA       Trust Authority (e.g. TC for CI Plus)
TC       TrustCenter GmbH (trustcenter.de)
TM       Technical Module (of DVB)
TS       Transport Stream
USB      Universal Serial Bus
URI      Usage Rules Information
VCPS     Video Content Protection System

Version: 2011-11-11

Thank you for your interest

CI Plus LLP             www.ci-plus.com
DVB                     www.dvb.org
TC TrustCenter GmbH     www.trustcenter.de
Digital TV Labs Ltd.    www.digitaltv-labs.com
