Introduction
In recent years, digital television has been replacing analog television as the preferred
transmission medium, as it offers more services (e.g. interactive television, electronic program
guides), more programs and higher video and audio quality. This transition has allowed cable
operators to increase their revenues by increasing the number of paid services and programs.
But this would be meaningless if non-subscribers could easily view the paid services and
programs from their cables. This is the main reason why cable companies use scrambling
techniques to prevent non-subscribers from viewing the content.
In the past, simple methods were used to prevent non-subscribers from viewing paid
channels. One of these methods was adding or removing filters according to the
subscription. As the number of channels grew, this method became increasingly impractical.
An alternative was adding interference signals to the original signal; however, this could be
easily bypassed using filters. As technology progressed, dedicated hardware, set-top boxes
(STB), came to be used to descramble signals. This enables the combination of scrambling and
encryption methods. The main difference between scrambling and encryption methods is that
scrambling methods change the values of some bits in a data block or stream with the purpose
of spreading the signal across the spectrum to decrease electromagnetic interference or to
introduce security, whereas encryption methods process the information (plaintext) through
an algorithm (cipher) to make it unreadable for others who do not possess certain knowledge
about the key. In this article no distinction will be made between scrambling and encryption
methods, as the distinction is not relevant to the article's purpose.
The purpose of this article is to provide an introduction to how digital television
signals are encrypted and decrypted using the Digital Video Broadcasting (DVB) Common
Scrambling Algorithm (CSA), and to some of the cryptanalysis that has been done on it. This
paper also briefly addresses the problem of subscribed users sharing their keys, as this would
give non-subscribers access to paid programs. The article is divided into four sections.
The second section gives a brief overview of the path from transmission to receiver.
The third section explains the common scrambling algorithm and discusses its weaknesses.
The last section briefly summarizes this article.
Overview
Before explaining how DVB CSA works, knowledge of the data that it encrypts is needed.
The broadcaster provides a set of programs, each of which is composed of different elements,
namely audio, video and text. These elements are then converted using the MPEG2 codec and
each program is broken up into packages. The total of these packages for each program is
called the program elementary stream (PES) (Haskell, Puri, & Netravali, 1996). The PES of
each program is then multiplexed together with those of other programs and divided into
188-byte packages for transmission. This stream of data is called the Digital Video Broadcasting
(DVB) MPEG2 transport stream (TS). DVB CSA can be implemented at either the PES level
or the TS level. This is unspecified in the guidelines for television broadcasting. At the
receiver's side, the STB is used together with a conditional access module (CAM). The CAM is
used to hold a smartcard that can derive short-term control words (see Section 3). If the
security is breached, the smartcard can then be easily replaced.
General Overview
The DVB Common Scrambling Algorithm can be seen as a combination of a block cipher and a
stream cipher. It can be thought of as cascading the block and stream cipher. Both ciphers use a
64-bit key, which is called the common key, to encrypt the data. This key is renewed every 10 to
120 seconds. For encrypting a payload of m bytes, the payload is first divided into blocks of 8
bytes ( ). If the payload is not divisible by 8 bytes, then a residue will remain ( ) and the
residue will not be processed by the block cipher. MPEG2 states that the payload can be
different from a multiple of 8 due to the use of an adaptation field, which contains ancillary data
(i.e. non-video information, e.g. audio). The blocks
cipher using cipher block chaining in reversed order (see Figure 3.1). Cipher block chaining is
a mode invented by IBM in 1976 (Ehrsam, Meyer, & Smith, 1976), which takes the ciphertext
of the previous block and XORs it with the plaintext before encryption. The block cipher used
will be explained more in depth in later sections. The block cipher encryption results in
intermediate blocks , the last
block of the sequence will be used as nonce (i.e. an arbitrary number used only once in
cryptographic communication) to set up the initial state and is left unprocessed by the stream
cipher. The first , , with ) are then 1 followed by the
residue. The decryption diagram can be seen in Figure 3.2, which uses the same principle as
encryption.

1 Note this can also be applied to PES. It is actually unspecified for other usages other than
digital terrestrial television.
Figure 3.1: An image describing how Cipher Block Chaining works during encryption of three different blocks of
plaintext (Source: Wikipedia).
Figure 3.2: An image showing how to decrypt the common scrambling algorithm. The variables are defined in the
text section General Overview (Wirt, 2005).
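The cascade described in the General Overview, as an added sketch that is not part of the original article or of any DVB specification: it shows the reverse-order block chaining, the first intermediate block serving as the nonce, and the residue bypassing the block cipher. The block cipher and keystream generator here are SHA-256-based stand-ins (not the CSA ciphers), and the all-zero chaining start and the pass-through of payloads shorter than one block are assumptions.

```python
import hashlib

BLOCK = 8  # CSA block size in bytes (64-bit blocks, 64-bit common key)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Stand-in round function built from SHA-256; NOT the CSA block cipher.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def block_enc(key, blk):
    left, right = blk[:4], blk[4:]
    for i in range(4):  # toy 4-round Feistel network
        left, right = right, xor(left, _round(key, i, right))
    return left + right

def block_dec(key, blk):
    left, right = blk[:4], blk[4:]
    for i in reversed(range(4)):
        left, right = xor(right, _round(key, i, left)), left
    return left + right

def keystream(key, nonce, n):
    # Stand-in keystream seeded with key and nonce; NOT the CSA stream cipher.
    out = b"".join(hashlib.sha256(key + nonce + bytes([c])).digest()
                   for c in range(n // 32 + 1))
    return out[:n]

def scramble(key, payload):
    n = len(payload) // BLOCK
    if n == 0:
        return payload  # assumption: payloads shorter than one block pass through
    chain, inter = bytes(BLOCK), [b""] * n  # assumption: all-zero chaining start
    for i in reversed(range(n)):  # CBC running from the last block to the first
        chain = inter[i] = block_enc(key, xor(payload[i*BLOCK:(i+1)*BLOCK], chain))
    rest = b"".join(inter[1:]) + payload[n*BLOCK:]  # residue skips the block cipher
    return inter[0] + xor(rest, keystream(key, inter[0], len(rest)))

def descramble(key, data):
    n = len(data) // BLOCK
    if n == 0:
        return data
    nonce = data[:BLOCK]  # first block was never stream-encrypted
    rest = xor(data[BLOCK:], keystream(key, nonce, len(data) - BLOCK))
    inter = [nonce] + [rest[i*BLOCK:(i+1)*BLOCK] for i in range(n - 1)] + [bytes(BLOCK)]
    blocks = [xor(block_dec(key, inter[i]), inter[i + 1]) for i in range(n)]
    return b"".join(blocks) + rest[(n - 1)*BLOCK:]
```

Because the chain runs backwards, the nonce block depends on every full plaintext block, while descrambling can proceed front to back one block at a time.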
B . The stream cipher consists of two phases, the initialization phase, in which the starting
state of the cipher is set up and the generating phase, in which the cipher produces two
pseudo-random bits per clock cycle. A schematic overview can be seen in Figure 4.1.
Figure 4.1: A schematic overview of the stream cipher used by the common scrambling algorithm (Weinmann &
Wirt, 2005).
In the initialization phase, all registers are first set to 0, then the common key ,
consisting of
,,
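$$A = \begin{pmatrix} a_{0,0} & \cdots & a_{0,3} \\ \vdots & \ddots & \vdots \\ a_{9,0} & \cdots & a_{9,3} \end{pmatrix}, \qquad B = \begin{pmatrix} b_{0,0} & \cdots & b_{0,3} \\ \vdots & \ddots & \vdots \\ b_{9,0} & \cdots & b_{9,3} \end{pmatrix} \tag{1.1}$$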
A different notation that will be used in this document is given in Equation (1.2),
where $a_i = (a_{i,0}, \ldots, a_{i,3})$ and $b_i = (b_{i,0}, \ldots, b_{i,3})$.

$$A = (a_0, \ldots, a_9)^T, \qquad B = (b_0, \ldots, b_9)^T \tag{1.2}$$
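Each key element is loaded into the corresponding register and location determined
by the following rules (see Equation (1.3)).

$$a_{i,j} = \begin{cases} k_{4i+j} & i \le 7 \\ 0 & \text{else} \end{cases} \qquad b_{i,j} = \begin{cases} k_{32+4i+j} & i \le 7 \\ 0 & \text{else} \end{cases} \tag{1.3}$$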
After the key is loaded, $IB_0$ is used together with feedback register $D$ to calculate the
inputs for $A$ and $B$, which are called $I_A$ and $I_B$, using 32 clock cycles. These are
determined by Equation (1.4). Thus in every odd cycle the input $I_A$ contains the high nibble
(i.e. the four highest-order bits) of $IB_0$ and $I_B$ contains the lower nibble of $IB_0$.
In an even cycle this is reversed.

$$(I_A, I_B) := \begin{cases} (IB_0 \operatorname{div} 2^4,\; IB_0 \bmod 2^4) & t_i,\ i \in \{1, 3, 5, \ldots, 31\} \\ (IB_0 \bmod 2^4,\; IB_0 \operatorname{div} 2^4) & \text{else} \end{cases} \tag{1.4}$$
The feedback a0 ' of shift register A is given by the following equation (see Equation
(1.5)). This results in the new register A ' : a0
calculated by X : S4,0
S3,0
S 2,1
a0
A shown in Table 4.1 with the corresponding S-formulas that used in the algebraic notation
of the S-formulas used can be found in equation (1.13)4). The letters a to e are referring to
the highest order bit to the lowest order bit. The D register will be defined later.
$$a_0' := \begin{cases} a_9 \oplus X \oplus D \oplus I_A & \text{init phase} \\ a_9 \oplus X & \text{else} \end{cases} \tag{1.5}$$
The feedback b0 of shift register B is given by the following equation (see Equation
(1.6)). This result in register B , which is given by the next equation (see Equation (1.7)). The
will be calculated by Y : S6,0
register
S5,0
S4,1
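$$b_0' := \begin{cases} b_6 \oplus b_9 \oplus Y \oplus I_B & \text{init phase} \\ b_6 \oplus b_9 \oplus Y & \text{else} \end{cases} \tag{1.6}$$

$$B' := \begin{cases} (b_0', b_0, \ldots, b_8) & p = 0 \\ (b_0' \lll 1, b_0, \ldots, b_8) & \text{else} \end{cases} \tag{1.7}$$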
S1: a3,0 a0,2 a5,1 a6,3 a8,0
S2: a1,1 a2,2 a5,3 a6,0 a8,1
S3: a0,3 a1,0 a4,1 a4,3 a5,2
S4: a2,3 a0,1 a1,3 a3,2 a7,0
S5: a4,2 a3,2 a5,0 a7,1 a8,2
S6: a2,1 a3,1 a4,0 a6,2 a8,3
S7: a1,2 a2,0 a6,1 a7,2 a7,3
register that is used for calculating the S-box formulas (Weinmann & Wirt,
2005).
The stream cipher then uses a combiner to calculate two bits of output per clock. It
uses the register and and to calculate these outputs. The states of E and F are
determined using the following equation (see Equation (1.8)). The register Z is calculated by
Z S2,0
S1,0
S6,1
equation (1.9).
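$$(E, F) := \begin{cases} (F, E) & q = 0 \\ (F,\; E + Z + c \bmod 2^4) & \text{else} \end{cases} \tag{1.8}$$

$$c := \begin{cases} c & q = 0 \\ 1 & E + Z + c \ge 2^4 \\ 0 & \text{else} \end{cases} \tag{1.9}$$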
(1.10)
448 bits. The function (...) that is used can be found in Table 3.2.
E
K 0,...63
k0 ,...k63
E
E
K 64i ,...,64i 63 (k64(
i 1),...,64 i 1 ) 0 0i 0i 0i 0i 0i 0i 0i 0i
(1.11)
1 i 6
10 11 12 13 14 15
(i ): 17 35 41 48 28 20 27 53 61 49 18 32 58 63
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
(i ): 23 19 36 38 52 26 33 12 13 56 39 25 40
32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
(i ): 50 34 51 11 21 47 29 57 44 30 24 22 46 60 16
48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
(i ): 59 55 42 10 43 31 62 45 14 37 15 54
, it maps bit i to (i ).
s7 ,
T
which can be represented as a vector of bytes. The round function is defined in equation
(1.12).
( s0 ,..., s7 , k ) ( s1 , s2 s0 , s3 s0 , s4 s0 ,
(1.12)
s5 , s6 f (k s7 ), s7 , s0 f (k s7 ))
(i )
Cryptanalysis
Two attacks have been proposed to retrieve the common key. The first is a fault attack,
which targets the block cipher by injecting random errors into the decryption process.
This can be used to determine the round keys used in the block cipher. The attacker can
then use Equation (1.11) to reconstruct the common key. It should be noted that this attack
works even though the stream cipher is completely ignored. For a more detailed explanation I
refer to Fault attack on the DVB Common Scrambling Algorithm (Wirt, 2005).
The second attack targets the stream cipher by solving a large number of systems of
equations. Ralf-Philipp Weinmann and Kai Wirt have shown that the stream cipher is weak and
can be cracked efficiently.
Summary
The common scrambling algorithm has been made public and the process is completely understood,
including the substitutions and permutations used. The common scrambling algorithm
cascades the block cipher and the stream cipher to encrypt broadcast messages.
However, even though two ciphers are used, only one key is used for encryption in both
phases; this design has allowed attacks to be focused on a single cipher rather than on the
complete algorithm. Two attacks have been proposed; however, no real implementations of them
have yet been found outside universities.
Appendix A
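$$\begin{aligned}
S_{1,0} &= abce \oplus abc \oplus abd \oplus bde \oplus ab \oplus ae \oplus be \oplus ce \oplus b \oplus d \\
S_{1,1} &= abcd \oplus abde \oplus abc \oplus abd \oplus acd \oplus ade \oplus bcd \oplus bce \oplus ab \oplus ae \oplus be \oplus bd \oplus be \oplus cd \oplus ce \oplus de \oplus a \oplus d \oplus e \oplus 1 \\
S_{2,0} &= abce \oplus abde \oplus ade \oplus bce \oplus bde \oplus ab \oplus ac \oplus ce \oplus c \oplus d \oplus e \oplus 1 \\
S_{2,1} &= abde \oplus abc \oplus abd \oplus abe \oplus acd \oplus cde \oplus cd \oplus ce \oplus b \oplus d \oplus e \oplus 1 \\
S_{3,0} &= ce \oplus de \oplus a \oplus b \oplus d \\
S_{3,1} &= abcd \oplus acde \oplus abe \oplus ac \oplus abc \oplus acd \oplus ace \oplus ade \oplus bcd \oplus bde \oplus cde \oplus ad \oplus bc \oplus bd \oplus be \oplus cd \oplus ce \oplus a \oplus b \oplus d \oplus e \oplus 1 \\
S_{4,0} &= abcd \oplus abde \oplus acde \oplus abc \oplus abe \oplus bde \oplus ab \oplus ad \oplus ae \oplus bc \oplus be \oplus de \oplus c \oplus d \oplus 1 \\
S_{4,1} &= abcd \oplus abde \oplus acde \oplus abc \oplus abe \oplus bcd \oplus cde \oplus ad \oplus ab \oplus ae \oplus de \oplus a \oplus b \oplus c \oplus e \oplus 1 \\
S_{5,0} &= abde \oplus acde \oplus acd \oplus abe \oplus abd \oplus ace \oplus bce \oplus cde \oplus ab \oplus ac \oplus ae \oplus bd \oplus be \oplus ce \oplus de \oplus c \\
S_{5,1} &= abcd \oplus abce \oplus acde \oplus abd \oplus abe \oplus acd \oplus bcd \oplus bce \oplus bde \oplus cde \oplus ac \oplus ad \oplus ae \oplus be \oplus cd \oplus ce \oplus de \oplus b \oplus d \oplus e \oplus 1 \\
S_{6,0} &= abcd \oplus abde \oplus acde \oplus acd \oplus ade \oplus bcd \oplus cde \oplus bc \oplus bd \oplus cd \oplus c \oplus e \\
S_{6,1} &= abe \oplus ade \oplus bce \oplus bde \oplus bc \oplus ce \oplus a \oplus d
\end{aligned} \tag{1.13}$$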
Appendix B
Figure B: The
function permutation, where the lower nibble is located column wise and the higher nibble located
row wise (Weinmann & Wirt, 2005).
References
Ehrsam, W. F., Meyer, C. H. W., & Smith, J. L. (1976). In International Business Machines
Corporation (Ed.), Message verification and transmission error detection by block
chaining. United States:
Haskell, B. G., Puri, A., & Netravali, A. N. (1996). Digital video: An introduction to MPEG-2
(1st ed.) Springer.
Weinmann, R., & Wirt, K. (2005). In Chadwick D., Preneel B.(Eds.), Analysis of the DVB
common scrambling algorithm Springer Boston. doi:10.1007/0-387-24486-7_15
Wirt, K. (2005). In Gervasi O., . . . Tan C.(Eds.), Fault attack on the DVB common
scrambling algorithm Springer Berlin / Heidelberg. doi:10.1007/11424826_61