Field of the invention

The present invention relates to a method for secure descrambling an audio / video data stream by a receiver which is locally connected to a security module. The method is applicable to the Pay-TV domain, in which conditional access content is transmitted by a head end in form of an encrypted data stream. The decryption of the stream is authorized according to a set of pre-determined rights stored in the security module.

Technical background In pay-TV systems, digital audio / video data, representing a particular program or event such as a film or a game, or a program application, is usually broadcast in a digital data stream, often referred to as a transport stream, scrambled under control word s, to a nu mber of su bscri bers, each of wh ich possesses a decod er or receiver/decoder capable of descrambling the transport stream for subsequent viewing of the contained program or event or to be able to run the application program contained therein. For additional security, the control words are regularly updated. Entitlement Control Messages ECM containing the control words encrypted under a transm ission key are transm itted as part of the transport stream and received by a decoder having access to an equivalent of the transmission key usually stored in the security module. The control words are thus determined in order to descramble the program data or application data.

In another configuration the ECMs do not d irectly contain the encrypted control words but contain information allowing the control words to be determined . In this case the decryption of the ECM does not lead directly to the ECM but leads to a data block which contains the control word i.e. the control word has to be further extracted from the data block. For example, the data block could contain the control word as well as a value defining the access conditions to the content. Another operation allowing for the control word to be determined could involve a one-way function of data block for example. Such a configuration is well described in several publications such as "Functional Model of a Conditional Access System", by EBU Project Group B/CA in EBU Technical Review, Winter 1995 or W099/18729, entitled "Method and Apparatus for Encrypted Data Stream Transmission".

In general the security operations are carried out in a security module associated with a receiver or multi-media unit. Such security modules can be implemented in a variety of manners such as on a m icroprocessor card , on a smartcard or any electron ic module in the form of a badge or key. These modules are generally portable and detachable from the receiver. The most commonly used form has electrical contacts but contactless versions of type ISO 14443 also exist. Another implementation of the security module exists where it is directly soldered inside the receiver, a variation of this being a circuit on a socket or connector such as a SIM module. Yet another implementation is to have the security module integrated on a chip wh ich has another function e.g . on the d e-scrambling module or on the microprocessor module of the receiver. The security module can also be implemented in software. Document EP1023795B1 discloses a method for distributing by a local cable head end operator programming service data while controlling access by his subscribers to the data. An encryption control system processes an input transport data stream into an output transport data stream based on the input transport data stream with second entitlement management messages data substituted for first entitlement management messages data. Entitlement management messages EMM and entitlement control messages ECM are multiplexed into the transport data stream. The EMM messages are addressed to a specific decoder or group of decoders while the ECM messages are broadcast to all decoders. Seed data encrypted under a multi-session key is included in the data transmitted in the ECM message. The multi- session key, encrypted under a secret serial number, is included in entitlement management message EMM . The EMM message is addressed to the decoder that has stored in it the secret serial number used to encrypt the multi-session key. Subscribers of the cable head-end operator will require a decoder with a decryptor for decrypting the multi-session key that has an algorithm compatible with the encryptor of the head end encryption control system. The decoders will also have stored in them secret serial numbers that correspond to the secret serial numbers stored in memory of the head end control system. The cable head end operator can thus securely provide the multi-session key to the decoders of his subscribers. However, because of the encryption algorithm unique to the cable head-end operator and the unique list of secret serial numbers stored in memory, the decoder provided to the subscriber of the cable head-end operator is not useable to receive national encrypted services from either the satellite repeater station or any other cable headend operator. In this way, the cable head-end operator may deny access to the national services when, for example, the subscriber does not pay his bill.

The digital audio / video data transport stream comprises usually scrambled data and control messages. The control messages are transmitted to the security module which decrypts entitlement management messages EMM to verify if the user owns the necessary rights for descrambling the audio / video data . If so, the security module decrypts entitlement control messages ECM in order to extract control words which are forwarded to a decrypting module for descrambling the audio / video data of the stream. The descrambled data are transferred to a decompression module which converts them in an appropriate format to be viewed on a display.

Such a system has been hacked so that information transmitted in the stream is used by third parties who did not purchased any access rights. Once the control words have been decrypted by an authorized user, they may be distributed to other users having no rights to access the audio / video data. These control words may thus be used to descramble data without carrying out a verification of the rights.

The main countermeasures for preventing access to data by non authorized users are for example the ciphering of the control messages either to render their decryption much more difficult or to make them unusable for more than one user. In spite of these countermeasures, some components or modules of the decoder may be replaced by fakes so that the access rights are no more properly verified and that each user is considered as having acquired the rights to access the audio / video data.

Another drawback of the standard system is that the entitlement control messages ECM carrying the control words are transmitted in the transport stream as a stream of a much lower bandwidth than the scrambled audio / video data. This configuration leads to make easier the capture of the ECM message by the hackers for obtaining the control words which are further shared with non authorized users. Contrarily, the scrambled audio / video data cannot be shared in an efficient way because of their large bandwidth and high throughput.

Document XP010755781 , Mitsuyama Y. et al. "Embedded architecture of IEEE802.1 1 i cipher algorithm" discloses a WEP/TKIP (Wired Equivalent Privacy / Temporal Key Integrity Protocol) algorithm, which is divided into two parts, i.e. key generation unit and RC4 unit. In WEP, an RC4 key is produced from an Initialization Vector (IV) in MAC (Media Access Control) header and an encryption/decryption key. As for TKI P, the key mixing function produces an RC4 key from an IV, a MAC address, and an encryption/decryption key. In RC4 unit, shuffling of an RC4 key is performed for each MAC frame, which generates 256-byte initial pseudo random bytes. After then, a sequence of pseudo random numbers is produced by the byte substitution, each of which is to be XORed with plaintext / ciphertext to generate ciphertext / plaintext. Document XP031 564764, Pardeep Kumar et al . "A secure data mechanism for ubiquitous sensor network with Dragon cipher" discloses a network where sensors are communicating wirelessly in a secure way. The data exchanged in the network are ciphered with an algorithm based on Dragon algorithm. This particular algorithm can be initialized in two steps: firstly, the state is mixed with the key and then the initialization vector is attached with the key bearing state and mixed again. Secondly Dragon internal states (1024 bits) are divided into 8 bocks of 128 bits.

Document XP031 1 76362, Newman R et al . "HomePlug AV security mechanisms" discloses med ia access controlled data streams comprising fixed length blocks having a header, a body and a check sequence. A network encryption key encrypts on ly the body, the header and the check sequence being not encrypted. The initialization vector of the encryption algorithm is generated from fields of the header and the start of the frame which packages a plurality of blocks.

Document XP022024796 Baronti et al. "Wireless sensor networks : a survey on the state of the art and the 802.1 5.4 and ZigBee standards" mentions a mode of authenticated encryption called "TinySec-AE" where the payload data is encrypted and a MAC (Message Authentication Code) is used to authenticate the packet. The MAC is calculated over the encrypted data payload and the packet header. In this encryption mode, two new fields are added to the packet header: the source address and a 1 6 bit counter. The packet header is used as the initial ization vector for encrypting the payload. Thus the data confidentiality, integrity and authenticity are achieved by encrypting the payload and authentication the whole packet.

Document XP002605140 Menezes, Oorschot, Vanstone, "Handbook of applied cryptography", chapter 13.3 "Techniques for distributing confidential keys" describes principles of encrypting short term information using short term keys such as session keys valid for a single communication session. Summary of the invention

In order to reinforce the security of the descrambling process of the scrambled audio / video data, it becomes advantageous to increase the bandwidth of the control words stream transmitted between the security module and the decoder so as to be equivalent or higher than the bandwidth of the scrambled audio / video data. Such increase is made possible thanks to a new generation of security modules having fast processors, fast encryption / decryption mod ules and a h igh throug hput communication channel for data transmission towards the processor chip set of the decoder.

The present invention aims to prevent control word sharing by using advanced features of the security module rendering fastidious the capture of control words by hackers.

This aims are achi eved by a method for secure descrambling a scrambled audio/video stream by a receiver provided with a chip set connected to a security module, the security module receiving seed data encrypted by a transport key, the scrambled audio/video stream being organized in packets having a packet header and a payload, the method is characterized in that it comprises steps of

- receiving and buffering by the chip set all or part of the packet payload,

- extracting the packet header from the packet and forwarding said packet header to the security module, - generating by a generator implemented in the security module a key stream from the seed data and the packet header,

- forwarding the key stream from the security module to the chip set via a high data throughput channel, - return ing by the security module to the chip set the packet header used for generating the key stream.

- applying by the chip set a mixing function combining the key stream and the packet payload by synchronizing the returned packet header with the packet header initially received by the chip set and obtaining a descrambled packet payload, - outputting a descrambled audio/video stream by assembling the packet header and the descrambled packet payload.

In a pay TV system where the access to a transmission is to be restricted, conditional access data may be included in a table or a section broadcast in the transport stream as seed data encrypted by a transport key. This seed data is filtered by the receiver and passed to the security module. The seed data is then decrypted and processed by the security module in order to generate the key stream includ ing the packet header previously extracted from the received packet.

This key stream is generated in such a way that its bandwidth is equivalent or larger than the bandwidth of the input scrambled audio/video data transport stream. The processor chip set applies a mixing function to the key stream and to the packet payload identified by the packet header in order to obtain a descrambled payload packet. The header is then added to th is descrambled payload packet before outputting from the chip set towards a MPEG decompression module.

I n the documents XP010755781 , XP031564764 and XP031 176362 the key- scheduling algorithm transforms a secret key into an initial state that is used later. Then, the pseudo-random generation algorithm outputs bytes of a key stream and modifies the initial state. Finally, the key stream is mixed to the plaintext. According to the method of the present invention, the key stream generation and the ciphertext deciphering (payload descrambling) are spl it in two different devices, namely the chipset and the security module. Furthermore, the synchron ization of these two devices is carried out thanks to the packet headers.

In document XP022024796, the packet header is used only as initialization vector for the encryption algorithm without any function of devices synchronization. In practice, for execution speed reasons, a stream cipher or key stream deciphering is not split in two devices, but as the method of the present invention aims to prevent control word (payload descrambling key) sharing, the solution is directed to increase the bandwidth of the communication between the chipset and the security module through the high data throughput channel . Brief description of the drawings

The invention will be better understood thanks to the following detailed description which refers to the enclosed drawings given as non limitative examples.

Figure 1 shows a block d iagram of a first embod iment of the invention where a packet is processed when entering into the chip set of the receiver. Figure 2 shows a block diagram of a second embodiment of the invention where the chip set includes a random access memory for storing the input packet data and the key stream for processing and descrambling the packet data before output.

Detailed description of the invention

A head end of a digital television broadcast system transmits scrambled audio / video data in the form of discrete transport stream packets or transport packets, each packet P being of a predeterm ined length and contain ing a header H and a scrambled payload SCP section. It has to be noted that the length of the packets in clear or descrambled form as well as the length of the sections (header and payload) are preserved when encryption or scrambling operations are performed. The MPEG (Moving Picture Experts Group) standard is the preferred standard in this domain and sets out, among other things, a predetermined format for such packets. According to the standard ISO/IEC 13818-1 , Second edition. 2000-12-01 , a packet is the basic unit of data in a transport stream . It consists of a synchronization byte, followed by three one-bit flags and a 13-bit Packet Identifier (PID). This is followed by a 4-bit continuity counter. Additional optional transport fields, as signaled in the optional adaptation field, may follow. The rest of the packet consists of payload . Packets are 188 bytes in length, but the communication medium may add some error correction bytes to the packet. For example, DVB-T/C/S uses 204 bytes and ATSC 8-VSB, 208 bytes as the size of emission packets (transport stream packet + forward error correction data). ATSC transmission adds 20 bytes of Reed-Solomon forward error correction to create a packet that is 208 bytes long.

The packet header H comprises general descriptive data regarding the packet P, while the payload comprises the data to be processed at the receiver / decoder. The packet header H includes at least a packet ID or PID identifying the packet P. The payload SCP of the packet may contain aud io, video or other data such as application data or, in particular, conditional access system data. An input data stream is filtered by the receiver according to the PID of each packet P. Audio / video data requiring immediate processing is forwarded to an appropriate processor in the form of packetized elementary stream or PES. This continuous data stream, which is formed by assembling the payloads of the transport packets, itself, comprises a sequence of packets, each PES packet comprising a packet header and payload data. A multimedia receiver such as a pay TV set top box or decoder comprises among other modules a chipset CS connected to a security module SM via an appropriate interface. The chipset CS which is housed in general on one chip provides the buses and electronics to allow the processor, memory and input/output modules to interact.

As illustrated by figure 1 , the chipset CS receives scrambled packets P from an input transport stream TS comprising seed data SD defining access conditions to the scrambled payload data SCP of the packets P. The seed data SD may be defined as data blocks allowing the security module to determine a control word CW or a key by combination with other data blocks, this control word CW or key being used for descrambling the scrambled payload data. In some systems, the seed data may form an entitlement control message ECM carrying one or several control words CW or specific data to be used for ca l cu lati ng the control word(s) CW. In further implementations the control word(s) CW itself or themselves form the seed data. The seed data SD preferably encrypted by a transport key TK is forwarded to the security module SM for decryption with the transport key TK stored by the security module SM . At the same time a packet P is processed by the ch ipset CS which sends the header H to the security module SM, the scrambled payload data SCP pass through a buffer until data for descrambling are made available. The security module SM is provided with a generator G using the decrypted seed data SD and the received header H extracted from the packet P to form a data stream called key stream KS. The generator G is provided with a cryptograph ic function able to produce a large amount of data even the input data (header H and seed data SD) may represent a relative small amount of data. This key stream KS is transmitted to the chipset CS via a secure high speed channel linking the security module to the receiver while the encrypted seed data and the header are transmitted to the security module through a low speed or standard throughput channel .

Accord ing to an option, the generator G may also be configured for adding predefined data such as fill ing data or padding data to the output key stream to increase its data volume amount.

The chipset CS is provided with a calculation module which applies a mathematical mixing function F between the key stream KS and the scrambled payload data SCP of the packet P identified by the header H previously sent to the security module SM. The result thus obtained represents the payload data in a descrambled form DCP to which the header H is added by the calculation module.

The m ixing function F may represent an XOR operation or any other log ical operation. Other mathematical function or cryptograph ic fu nction can also be envisaged. According to a preferred embodiment, the processing of the packets P received by the chip set CS by using the key stream KS generated by the security module SM may be carried out in parallel. This performance is made possible thanks to the high throughput of the key stream KS which is at least equivalent to the input packet stream throughput. The payload data SCP of an input packet P is immediately descrambled by the key stream KS produced by the security module. The header H of the packet used for the key stream KS generation returns along the key stream KS to the calculation module via the high speed channel and is synchronized with the header H of the scrambled packet P initially received by the chip set CS. In this way each input scrambled packet is descrambled "on the fly" with a minimized time shift between reception of the scrambled packets and the output of the correspond ing descrambled packets.

It has to be noted that the payload data SCP of an input packet P may start to descramble at reception of only a part of the packet P, the packet header H being sent to the security module SM. The chip set CS does not necessarily wait until the complete packet P is received before starting descrambling operation. According to the configuration of the input of the receiver and the size of the buffer, packets may be descrambled as soon payload data SCP is received, or after a predefined number of bytes of the payload data or after one or a predefined number of packets.

One advantage of this method is that the access control data in form of the seed data SD cannot be easily extracted from the key stream KS flowing between the security module SM and the ch ipset CS because of the high throughput. This transmission mode which throughput is equivalent or larger than the one of the input scrambled audio/video data transport stream TS renders capture of these control words or data much more difficult than in standard transmission mode at low throughput. According to a further preferred implementation and for improving data transmission security, data entering into the security module i .e. the packet header H and the encrypted seed data [SD]TK is preferably encrypted with a first pairing key Kp1 using a first algorithm. Such a pairing or matching mechanism involving identifiers of the receiver or the ch ip set and the security module is described for example in the document EP1 078524B1 . The key stream KS may be encrypted with a second pairing key Kp2 using a second algorithm specially adapted for a channel configured for high data throughput. The pairing keys Kp1 , Kp2 are calculated and stored in the security module and in the receiver or in the chip set at a set up phase during first connection of the security module to the receiver. An additional module to decrypt or encrypt each input / output data with the pairing keys Kp1 , Kp2 is also included in both security module and receiver or chip set. The pairing mechanism may be applied either only to the low throughput channel used by the packet header H and the encrypted seed data [SD]TK or only to the high throughput channel used by the key stream KS or to both channels. The pairing key Kp1 , Kp2 may be either different for each channel or common to both channels, but the algorithm may preferably be different for each channel.

In a second embodiment of the invention as illustrated by figure 2, the chip set CS comprises a random access memory RAM connected to the security module SM via an input / output controller I/O. The input scrambled payload packet SCP is stored in the memory RAM while the header H is sent to the security module SM through the input output controller I/O. The key stream KS, which is generated on the basis of the header H and the seed data SD by the security module, is sent to the chip set via the high speed channel and stored in the RAM memory. The packet header H may also be returned by the security module to the chip set along the key stream as in the preferred embodiment for synchronization purposes. The input scrambled payload packet SCP and the key stream KS are mixed together in the RAM memory by using the mixing function F to obtain a descrambled payload packet DCP to which the corresponding header H is attached.

In this second embodiment, an input scrambled packet is stored in the RAM memory as long it is not descrambled by the key stream KS. Once the packet is descrambled, the RAM memory receives the next packet P from the input audio / video data stream and so on . The header H of the input packet P may also be stored in the RAM memory together with its payload SCP. In this case, the synchronization may not be necessary like in the preferred embodiment where packets are processed "on the fly" in a continuous processing flow. The header H used for generating the key stream KS is thus not returned to the chipset CS along the key stream KS.

According to a further embodiment and to improve security, the headers H of the input packets may be in an encrypted form and transmitted as such by the chip set CS to the security module SM. The key stream generator G introduces into the high throughput key stream KS the encrypted packet headers wh ich are used as synchronization data during descrambling operation by the mixing function F in the chip set CS. The decryption of the headers is thus not necessary as they are used mainly for synchronizing the input packets stream with the key stream produced by the security module.