
CN112602288B - Method for obtaining a sequence of encryption keys - Google Patents


Info

Publication number: CN112602288B
Application number: CN201980055283.0A
Authority: CN (China)
Prior art keywords: key, time, value, server, receiver
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112602288A (en)
Inventor: 昆汀·齐泽
Current assignee: Viaccess SAS
Original assignee: Viaccess SAS
Legal events: application filed by Viaccess SAS; publication of CN112602288A; application granted; publication of CN112602288B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L 9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Abstract

A method for obtaining a sequence of L encryption keys k_{1,m}, ..., k_{i,m}, k_{i+1,m}, ..., k_{L,m}, wherein: before time t_{1,m}, the receiver group establishes (140) a first connection to the key server and, during this first connection, receives the information needed to obtain the key k_{1,m}; then, for each subscript i between 2 and L, the receiver group obtains (150) the subsequent key k_{i,m} by a key derivation algorithm initialized with the previous key k_{i-1,m}, without using any information other than that received during the first connection; and the average time TC_{i,m} taken by the receiver group to execute the key derivation algorithm and obtain the key k_{i,m} is greater than 0.2·V_{i-1,m}, where V_{i-1,m} is the duration of the validity interval of the previous key k_{i-1,m}.

Description

Method for obtaining a sequence of encryption keys
Technical Field
The present invention relates to a method for obtaining an encryption key sequence and to a method for securely transmitting digital content by implementing the obtaining method. The invention also relates to a data storage medium, a receiver and a key server for implementing the method for obtaining a key sequence.
Background
A method is known for obtaining a sequence of L encryption keys k_{1,m}, ..., k_{i,m}, k_{i+1,m}, ..., k_{L,m} by means of a group of electronic receivers, wherein:
- the subscript i is the sequence number of the key k_{i,m} in the key sequence,
- L is an integer greater than or equal to two, and
- whatever the subscript i between 1 and L, the key k_{i,m} is intended only for a validity interval [t_{i,m}; t_{i+1,m}[ of duration V_{i,m}, where t_{i,m} and t_{i+1,m} are the start and end times, respectively, of the validity interval.
In these known methods:
- before time t_{1,m}, the receiver group establishes a first connection with the key server and receives, during this first connection, the information needed to obtain the key k_{1,m}, then
- for each subscript i between 2 and L, the receiver group obtains the key k_{i,m} before time t_{i,m}.
One such method is disclosed in patent application EP 2567500. In that application, each key k_{i,m} is used to process a single given block CP_{i,m} of the multimedia content, whose play time is called the "crypto-period". The term crypto-period also refers to the block CP_{i,m} itself. The key k_{i,m} is thus valid during the time interval [t_{i,m}; t_{i+1,m}[ corresponding to the crypto-period CP_{i,m}, i.e. during the time interval in which the crypto-period CP_{i,m} of the multimedia content is played. Therefore, to be able to decrypt the crypto-period CP_{i,m}, the receiver must obtain the key k_{i,m} before time t_{i,m}. Ideally, the key k_{i,m} should be obtained as late as possible before time t_{i,m}, to minimize the time during which it is exposed to cryptanalysis or attack attempts in the receiver. Typically, the key k_{i,m} is obtained during the previous crypto-period, i.e. during the interval [t_{i-1,m}; t_{i,m}[. Under these conditions, the key k_{i,m} is exposed to cryptanalysis or attack attempts only during part of the interval [t_{i-1,m}; t_{i,m}[, i.e. typically for up to about ten seconds. The short duration of this interval makes attack attempts difficult.
To obtain the key k_{i,m}, the receiver must connect to a key server. Without any particular arrangement, the receiver must therefore connect to the key server for every crypto-period. Since the number of receivers that must connect to the same key server may be very large, i.e. greater than 1000 or 10000, the number of connections that the key server must be able to handle during one crypto-period is also very large.
To limit the computing resources required to implement such a key server, patent application EP2567500 discloses in particular that, during a connection to the key server, not only the key k_{1,m} valid for decrypting the next crypto-period CP_{1,m} is transmitted to each receiver, but a sequence {k_{1,m}; ...; k_{L,m}} of L keys for decrypting the next L crypto-periods. Thus, the receiver need not connect to the key server every crypto-period, but only every L crypto-periods.
Patent application EP2567500 also discloses that transmitting such a sequence of keys to the receiver in advance, before these keys are needed, reduces the security of the method. For example, the key k_{L,m}, the last key of the sequence {k_{1,m}; ...; k_{L,m}}, is received before the crypto-period CP_{1,m} but used only from time t_{L,m}. The key k_{L,m} is thus exposed to attack attempts during L consecutive crypto-periods. In contrast, if no key k_{i,m} is transmitted to the receiver in advance, that same key k_{L,m} is exposed to attack attempts during at most a single crypto-period.
To compensate for this problem while limiting the number of simultaneous connections to the key server, patent application EP2567500 proposes adjusting the number L of keys transmitted in advance to each receiver according to the probability that this receiver is compromised by an attack attempt. It is thus possible to reduce the number of connections to be established with the key server while maintaining a high level of security.
The following prior art is also known:
- EP2460308A1, and
- Biming Tian et al., "An Efficient Self-Healing Key Distribution Scheme", New Technologies, Mobility and Security, NTMS'08, IEEE, 5/11/2008, pages 1-5.
EP2460308 describes a solution for improving the robustness of a secure data transmission system to faults, such as packet losses, in the data transmission network. To this end, only in case of network failure, the receiver may construct the decryption key used during a time interval [i; i+1[ from the information used to construct the previous encryption key. During normal operation of the data transmission network, the number of connections from the receiver to the server is not reduced.
Disclosure of Invention
The present invention aims to solve the same problems as EP2567500, but without relying on the security level of the receiver to do so.
Another subject of the invention is a method for secure transmission of digital content.
Another subject of the invention is a data storage medium readable by a microprocessor, comprising instructions for implementing the subject methods of the present patent application when these instructions are executed by the microprocessor.
Another subject of the invention is a receiver group for implementing the acquisition method according to the subject of the present patent application.
Finally, another subject of the present invention is a key server for implementing the obtaining method according to the subject of the present patent application.
Drawings
The invention will be better understood by reading the following description, given by way of non-limiting example only, with reference to the accompanying drawings, in which:
Fig. 1 is a schematic diagram of an encryption system for transmitting and receiving multimedia content;
Fig. 2 is a flow chart of a method for securely transmitting multimedia content implemented in the system of Fig. 1;
Fig. 3 and 4 are flow charts of two different variants of the method of Fig. 2.
Detailed Description
Chapter 1: Terminology
In the drawings, like reference numerals are used to indicate like elements.
In the following of the present description, features and functions well known to those skilled in the art are not described in detail.
Examples of embodiments are given in the specific case of a system for conditional access to multimedia content. Terminology specific to this case is therefore used. Several specific definitions of this terminology are given below. For further information on it, the reader is referred to the following document: "Functional Model of Conditional Access System", EBU Review, Technical European Broadcasting Union, Brussels, BE, No. 266, 21 December 1995.
The terms "scrambling" and "descrambling" are herein considered synonymous with "encrypting" and "decrypting", respectively.
"Multimedia content" refers to audio and/or video content intended to be reconstructed into a form that is directly perceived and understood by humans. In general, multimedia content corresponds to a sequence of images forming a movie, a television program, or an advertisement. The multimedia content may also be interactive content such as games.
"Plaintext" data or "plaintext data" corresponds to data before it is scrambled or encrypted. It is therefore directly understandable by humans without resorting to any descrambling operation, and its viewing is not subject to any condition.
To keep the viewing of multimedia content secure and subject to certain conditions (such as a paid subscription), the multimedia content is distributed in scrambled rather than plaintext form. More precisely, each multimedia content is divided into a sequence of crypto-periods. The access conditions to the scrambled multimedia content remain unchanged throughout a crypto-period. In particular, the multimedia content is scrambled with the same encryption key (known by the term "control word") throughout a crypto-period. Generally, the control word changes from one crypto-period to the next.
Herein, a "cryptogram" refers to a data item or information item that is insufficient by itself to recover the plaintext data (i.e. the data to which the encryption that produced the cryptogram was applied). Thus, if the transmission of the cryptogram is intercepted, knowledge of the cryptogram alone does not allow the plaintext data to be recovered. To recover the plaintext data, the cryptogram must be combined with secret information. The secret information is typically an encryption key that allows the cryptogram to be decrypted. However, the cryptogram may also be a reference to data stored in a table containing a number of similar data items. In this case, the secret information is the table associating each cryptogram with its plaintext data.
Chapter 2: Notation
The symbols defined in this chapter are used throughout this patent application.
CP_m is the m-th crypto-period of the multimedia content.
The subscript "m" is a sequence number that identifies the position relative to a reference point. The reference point may be an absolute origin independent of the multimedia content, or an origin relative to the transmitted multimedia content. Hereinafter, the reference point is a relative origin: the start of the multimedia content. Thus, the crypto-period CP_1 is the first crypto-period of the multimedia content, the crypto-period CP_2 is the second, and so on.
k_m is an encryption key, known by the term "control word", used only for scrambling and descrambling the crypto-period CP_m. The key k_m is thus used immediately after the previous key k_{m-1} and immediately before the next key k_{m+1}.
t_m and t_{m+1} are the times at which the crypto-period CP_m starts and ends, respectively, when it is played by the receiver. Thus, time t_1 corresponds to the start of the first crypto-period CP_1 of the multimedia content.
The time interval [t_m; t_{m+1}[ corresponds to the time interval during which the crypto-period CP_m is played by the receiver. The interval [t_m; t_{m+1}[ is also the validity interval of the key k_m used to scramble the crypto-period CP_m. In practice, the key k_m can therefore be used to descramble the multimedia content only during the interval [t_m; t_{m+1}[. Outside this time interval, the key k_m does not allow the multimedia content to be correctly descrambled.
V_m is the duration of the interval [t_m; t_{m+1}[. When all intervals [t_m; t_{m+1}[ have the same duration, and thus the duration V_m is independent of the subscript m, this duration is simply denoted V.
ECM_m is an Entitlement Control Message (ECM). The message ECM_m is an ECM message containing an identifier of the key k_m that allows the crypto-period CP_m to be descrambled.
SE_p is the key sequence {k_1; ...; k_m; k_{m+1}; ...; k_N}, i.e. the ordered sequence of keys k_1 to k_N, where N is the number of keys in the sequence SE_p.
SR_m is the key sequence {k_m; k_{m+1}; ...; k_{m+L-1}}, i.e. the ordered sequence of keys k_m to k_{m+L-1}, where L is the number of keys in the sequence SR_m. The number L is systematically less than or equal to a pre-stored threshold L_max. The threshold L_max is smaller than N, for example two, ten or one hundred times smaller than the number N. The number L_max is an integer greater than or equal to two, stored in advance in the memory 110. The quantity L_max is the maximum length of the sequence SR_m. Thus, each sequence SR_m is much shorter than the sequence SE_p.
k_{i,m} is the i-th key of the sequence SR_m. The subscript i indicates the position of the key k_{i,m} in the sequence SR_m relative to the first key k_m of the sequence. The subscript i is the sequence number of the key k_{i,m} in the sequence SR_m. The value of the subscript i for the first key of the sequence SR_m is equal to 1. Thus, the key k_{i,m} is equal to the key k_{i+m-1}. The same notation is used for any variable associated with the key k_{i,m}. For example, the symbol C_{i,m} denotes the control information C_{i+m-1} associated with k_{i,m}.
Chapter 3: examples of the embodiments
Fig. 1 shows a system 2 for transmitting and receiving scrambled multimedia content. For example, the multimedia content corresponds to a sequence of audiovisual programs such as television programs or movies.
The plaintext multimedia content is generated by one or more sources 4 and transmitted to a transmission device 6. The device 6 transmits the multimedia content synchronously to a plurality of receivers via a data transmission network 8. The number of receivers is typically very large, i.e. more than 1000 or 10000. For simplicity of fig. 1, only three receivers 10 to 12 are shown.
The network 8 is typically a long range data transmission network such as an internet network or a satellite network, or any other transmission network such as a transmission network for transmitting terrestrial digital television (TNT).
The device 6 comprises an encoder 16 which compresses the multimedia content it receives. Encoder 16 processes the digital multimedia content. For example, the encoder operates according to the MPEG2 (Moving Picture Expert Group-2) standard or the UIT-T H264 standard.
The compressed multimedia content is directed to an input 20 of a scrambler 22. The scrambler 22 scrambles each compressed multimedia content to make its visualization subject to certain conditions (such as the purchase of access rights by the user of the receiver). The scrambled multimedia content is sent to an output 24 connected to the input of a multiplexer 26.
The scrambler 22 scrambles each crypto-period CP_m of the compressed multimedia content using a corresponding key k_m (known in the field of conditional access systems by the term "control word"). Typically, the scrambling complies with a standard such as DVB-CSA (Digital Video Broadcasting - Common Scrambling Algorithm), ISMACryp (Internet Streaming Media Alliance Cryp), SRTP (Secure Real-time Transport Protocol) or AES (Advanced Encryption Standard).
The duration V_m of the crypto-period CP_m is typically greater than five seconds, and preferably between 5 seconds and 10 minutes. In the present embodiment, all crypto-periods CP_m have the same duration V.
The device 6 further comprises an access control system 28. The system 28 is better known by the abbreviation CAS (Conditional Access System). Here, for each crypto-period CP_m, the system 28:
- transmits to the scrambler 22 the key k_m to be used for scrambling that crypto-period, and
- generates an ECM_m message containing at least an identifier Id_m of the key k_m to be used for descrambling the crypto-period CP_m.
The ECM_m message is here associated with the crypto-period CP_m by the multiplexer 26. To this end, in this example, the ECM_m message and the crypto-period CP_m are synchronized in time with respect to each other by multiplexing them on the same audiovisual signal transmitted over the network 8. More precisely, here, the ECM_m message is transmitted to the receiver during the crypto-period CP_{m-1} immediately preceding the crypto-period CP_m.
Here, the receivers 10 to 12 are identical, and only the receiver 10 is described in more detail.
The receiver 10 comprises a module 70 for receiving the transmitted multimedia content. The module 70 is connected to an input of a demultiplexer 72. The demultiplexer 72 transmits each received scrambled crypto-period CP_m to the descrambler 74 on the one hand, and the ECM and EMM (Entitlement Management Message) messages to the processor 76 on the other.
The processor 76 processes confidential information such as encryption keys. To protect the confidentiality of this information, it is designed to be as robust as possible against attack attempts by hackers. It is thus more robust against these attacks than the other components of the receiver 10. This robustness is achieved, for example, by implementing software modules dedicated to protecting secret information.
The processor 76 is implemented, for example, using a programmable microprocessor 77 capable of executing instructions stored on a data storage medium. To this end, the processor 76 also includes a memory 78 containing the instructions required to perform the method of Fig. 2.
The memory 78 also contains, for example:
- a single symmetric secret encryption key shared with the key server 106;
- an asymmetric encryption private key and an associated encryption certificate, i.e. the associated public key, to authenticate the receiver 10.
The memory 78 also contains a local table 79 containing the currently available key k_m.
The descrambler 74 descrambles the scrambled multimedia content using the key k_m transmitted by the processor 76. The descrambled multimedia content is transmitted to a decoder 80 which decodes it. The decompressed or decoded multimedia content is transmitted to a graphics card 82 which drives the display of the multimedia content on a display 84 equipped with a screen 86.
The display 84 displays the plaintext of the multimedia content on the screen 86.
Receiver 10 also includes a transceiver 88 that allows a secure connection between processor 76 and headend 90 to be established via a data transmission network 92. For example, the network 92 is a long-range data transmission network, and more precisely a packet-switched network (such as the Internet). The secure connection is, for example, a secure tunnel using the encryption credentials of the processor 76.
Headend 90 includes a module 100 for managing access rights for different users of system 2. The module 100 is more known by the term "user authorization system". The module 100 generates and updates a database 102. The database 102 associates each user identifier with access rights acquired by the user. The database 102 is stored in the memory 104.
Headend 90 also includes a key server 106. The server 106 comprises, inter alia, a generator 108 of the keys k_m and a memory 110.
The memory 110 includes:
- a counter C_nbc of the number of connections per unit time,
- a table 112 containing each key k_m generated, and the control information C_m of each key k_m whose subscript is greater than or equal to 1.
The counter C_nbc counts the number of connections per unit time established with the server 106 by all the receivers of the system 2. Typically, the counter C_nbc contains the number of such connections recorded during a sliding time window of duration Δt. The sliding window ends at the current time. The duration Δt is, for example, between V and 24 hours, or between V and 1 hour.
Typically, the server 106 is implemented using a programmable microprocessor 114 capable of executing instructions stored on a data storage medium. To this end, the memory 110 also includes the instructions for performing the method of Fig. 2.
The operation of the system 2 will now be described in more detail with reference to the method of Fig. 2. Here, it is assumed that the table 79 is initially empty.
The method starts, in response to a request for content transmission, with an initialization phase 114 of the values of the various parameters required to implement the following steps. The values of these parameters are stored in the memory 110. These parameters are introduced progressively in the description of the subsequent steps. Therefore, although phase 114 precedes the following steps chronologically, the way in which the values of these parameters are set during phase 114 is described after those steps. Once phase 114 ends, the transmission of the multimedia content can begin.
During step 116, the generator 108 generates the keys k_m of the sequence SE_p one by one. Each key k_m of the sequence is used to scramble a corresponding crypto-period CP_m of the multimedia content to be transmitted. Over time, the generator 108 successively generates the keys k_1 to k_N. The number N of keys in the sequence SE_p is here, for example, equal to or greater than the number of crypto-periods CP_m of the multimedia content to be scrambled.
To generate the sequence SE_p, the generator 108 starts by obtaining the key k_1 and then, for any subscript m greater than or equal to two, derives the next key k_m from the previous key k_{m-1} by executing a first algorithm D1 for deriving the key k_m.
During operation 117, the generator 108 obtains the key k_1, e.g. by randomly or pseudo-randomly drawing a number from the set E_k. Here, the set E_k contains all integers whose binary representation has at most N_k bits. The value of the number N_k is stored in advance in the memory 110. For example, the number N_k is equal to 16, 32, 48 or 56. The generated key k_1 is then stored in the table 112.
Next, during operation 118, the generator 108 derives each subsequent key k_m from the previous key k_{m-1} by executing the same algorithm D1 parameterized by the value of the previous key k_{m-1}. Thus, the key k_m cannot be generated before the key k_{m-1}. The keys k_m are therefore generated one by one.
The algorithm D1 is here also parameterized by an adjustable complexity parameter, denoted PC_p, which allows the average number of operations performed by the receiver to obtain the key k_m from the key k_{m-1} to be increased or decreased, as explained below. The parameter PC_p thus allows the average execution time TC_{i,m} of the second algorithm D2, executed by the receiver to derive the key k_{i,m}, to be increased or decreased. The average time TC_{i,m} is the average time that elapses between the moment the processor 76 starts executing the algorithm D2 to obtain the key k_{i,m} and the moment the processor 76 stops executing the algorithm D2 because the key k_{i,m} has been obtained. The average time TC_{i,m} thus generally corresponds to the average of the times spent by the processors 76 of the various terminals of the system 2 to obtain the key k_{i,m} by executing the algorithm D2. In this first embodiment, the parameter PC_p is the size of a set of integers E_R. The set E_R contains all integers whose binary representation has at most N_R bits. For example, the number N_R is equal to the value of the parameter PC_p.
In this embodiment, the algorithm D1 is a key computation that involves randomly drawing a number R from the set E_R. This type of algorithm is hereinafter referred to as a "random key computation". For example, each time the algorithm D1 is executed, the generator 108 performs the following operations to generate the next key k_m:
1) randomly or pseudo-randomly draw the number R_m from the set E_R, then
2) compute the key k_m using the following relation: k_m = F_1(R_m // k_{m-1}), wherein:
- the symbol "//" denotes an operation combining the value of the key k_{m-1} with the number R_m, and
- F_1 is a function known to the generator 108 and to the receiver.
For example, here the operation "//" is an exclusive-or operation, generally denoted XOR. The function F_1 is typically a one-way function. For example, the function F_1 is selected from the group G_1 of one-way functions consisting of symmetric encryption functions, asymmetric encryption functions and hash functions.
In the present embodiment, during an additional operation 119, the generator 108 also generates the control information C_m for each key k_m generated by executing the algorithm D1. The control information C_m is a parameter of the algorithm D2 required to obtain the key k_m from the key k_{m-1}. In the present embodiment, the control information C_m is information that allows the receiver to obtain the key k_m from the previous key k_{m-1} without knowing the number R_m. For example, the control information C_m is computed by the generator 108 using the following relation: C_m = H_1(k_m), where H_1 is a one-way cryptographic function. Since H_1 is a one-way function, for which it is very difficult to compute a preimage from its image, the key k_m cannot be derived from knowledge of the control information C_m alone. The function H_1 is also typically selected from the group G_1. Here, the functions F_1 and H_1 are identical. For example, the functions F_1 and H_1 are both the same hash function.
Each key k_m generated by executing the algorithm D1 is stored in the table 112 in association with its control information C_m. The generator 108 also transmits each key k_m to the system 28.
Step 116 is triggered early enough that, whatever the value of the subscript m, the key k_m is available to the scrambler 22 in time to scramble the crypto-period CP_m with the key k_m. In addition, the execution of step 116 is here triggered sufficiently early that, at each time t_m, the table 112 already contains at least the keys k_m to k_{m+Lmax} and the associated control information C_m to C_{m+Lmax}. The number L_max is an integer greater than or equal to one, stored in advance in the memory 110. The quantity L_max is the maximum length of the sequence SR_m.
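The key chain of operations 117 to 119, as an added example that is not part of the patent or of Viaccess' implementation: the server side runs D1 with F_1 = H_1 = SHA-256 truncated to N_k bits and XOR as "//", and the receiver side implements the natural reading of D2, searching E_R for the R that reproduces C_m from k_{m-1}. Assumptions: the concrete hash, the small constructed sizes N_k = 32 and N_R = 12 (so the search takes milliseconds), the seeded generator, and the helper choose_n_r, which ties PC_p = N_R to the abstract's bound TC_{i,m} > 0.2·V for an assumed receiver speed.

```python
import hashlib
import random

# Constructed parameters, not the patent's: N_k-bit keys, N_R-bit random numbers.
# PC_p = N_R is the complexity parameter; 2^N_R is the size of E_R.
N_K = 32
N_R = 12


def f1(x: int) -> int:
    """One-way function F_1: SHA-256 of the combined value, truncated to N_k bits."""
    digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << N_K) - 1)


def h1(k: int) -> int:
    """Control-information function H_1; the page allows F_1 and H_1 to be the same hash."""
    return f1(k)


def generator_d1(k_prev: int, rng: random.Random) -> tuple[int, int, int]:
    """Server side: one execution of D1 plus operation 119.
    Returns (k_m, C_m, R_m); R_m never leaves the server, C_m is sent to receivers."""
    r_m = rng.randrange(1 << N_R)   # 1) draw R_m from E_R = {0, ..., 2^N_R - 1}
    k_m = f1(r_m ^ k_prev)          # 2) k_m = F_1(R_m XOR k_{m-1})
    c_m = h1(k_m)                   # C_m = H_1(k_m)
    return k_m, c_m, r_m


def receiver_d2(k_prev: int, c_m: int) -> tuple[int, int]:
    """Receiver side: recover k_m from k_{m-1} and C_m without knowing R_m.
    Assumed reading of the page: try candidates R from E_R until
    H_1(F_1(R XOR k_{m-1})) equals C_m. Returns (k_m, number of trials)."""
    for r in range(1 << N_R):
        cand = f1(r ^ k_prev)
        if h1(cand) == c_m:
            return cand, r + 1
    raise ValueError("no R in E_R matches C_m (wrong k_{m-1} or corrupted C_m)")


def build_sequence(k_1: int, n: int, seed: int) -> list[tuple[int, int]]:
    """Step 116: keys k_1..k_N generated one by one, each with its control information.
    Entry m-1 of the list is (k_m, C_m); C_1 is computed too for uniformity."""
    rng = random.Random(seed)       # seeded so the worked example is reproducible
    table = [(k_1, h1(k_1))]
    for _ in range(1, n):
        k_prev = table[-1][0]
        k_m, c_m, _r_m = generator_d1(k_prev, rng)
        table.append((k_m, c_m))
    return table


def receiver_walk(k_first: int, controls: list[int]) -> list[tuple[int, int]]:
    """A receiver holding the first key of SR_m (from its single connection) derives
    the following keys from the control information alone. Returns (k, trials) pairs."""
    keys = [(k_first, 0)]
    for c_m in controls:
        k_m, trials = receiver_d2(keys[-1][0], c_m)
        keys.append((k_m, trials))
    return keys


def expected_trials(n_r: int) -> float:
    """Mean search effort when R_m is uniform on E_R: (2^N_R + 1) / 2 trials."""
    return ((1 << n_r) + 1) / 2


def choose_n_r(v_seconds: float, trials_per_second: float) -> int:
    """Smallest N_R (i.e. PC_p) whose mean derivation time exceeds 0.2 * V, the bound
    stated in the abstract, for a receiver testing trials_per_second candidates."""
    n_r = 1
    while expected_trials(n_r) / trials_per_second <= 0.2 * v_seconds:
        n_r += 1
    return n_r


if __name__ == "__main__":
    seq = build_sequence(k_1=0x1234ABCD, n=5, seed=7)
    walked = receiver_walk(seq[0][0], [c for _k, c in seq[1:]])
    for m, ((k_m, c_m), (k_rx, trials)) in enumerate(zip(seq, walked), start=1):
        print(f"k_{m}={k_m:08x} C_{m}={c_m:08x} recovered={k_rx == k_m} trials={trials}")
    print("N_R for V = 10 s at 1e6 trials/s:", choose_n_r(10, 1e6))
```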
In parallel with step 116 or after it, during step 120, the device 6 divides the multimedia content into successive crypto-periods, scrambles each crypto-period CP_m using the corresponding key k_m, and then transmits the scrambled crypto-periods. The ECM_m message containing the identifier Id_m of the key k_m is multiplexed with the corresponding crypto-period of the transmitted multimedia content. This multiplexing synchronizes the transmission of each identifier Id_m with the transmission of the crypto-period CP_m of the multimedia content. Here, the identifier Id_m is transmitted to the receiver only during the crypto-period CP_{m-1} preceding the crypto-period CP_m. In the case of the first crypto-period CP_1, the identifier Id_1 is transmitted to the receiver during a time interval [t_0; t_1[ immediately preceding the first crypto-period CP_1. The duration of the interval [t_0; t_1[ is, for example, equal to the duration V of a crypto-period.
The scrambled multimedia content is received substantially synchronously by each of the receivers of the system 2. Thus, for each of these receivers, the following steps are performed substantially in parallel. They are described below for the specific case of the receiver 10.
In step 122, an audiovisual signal containing the scrambled multimedia content and the ECM_m messages is received by the receiving module 70.
Next, in step 124, the demultiplexer 72 extracts, as they are received, the scrambled key validity period CP_m and the ECM_m message from the scrambled multimedia content. The demultiplexer 72 transmits the extracted scrambled key validity period CP_m to the descrambler 74. The extracted ECM_m message is transmitted to the processor 76.
In response to at least the first receipt of each ECM_m message, and at the latest a predetermined duration d before the time t_m, the processor 76 verifies in step 126 whether it has already obtained the key k_{i,m}. Here, it checks whether table 79 already contains a key k_m corresponding to the identifier Id_m contained in the received ECM_m message. The duration d is set by the operator of the system 2 to be slightly greater than the time required for the receiver to obtain the key k_{i,m} from the server 106.
If so, in step 128, the processor 76 sends the key k_m found in table 79 to the descrambler 74. No connection is established with the server 106 to obtain the key k_m.
Next, in step 130, the descrambler 74 descrambles the received key validity period CP_m using the key k_m.
Next, in step 132, the descrambled key validity period CP_m is decoded by the decoder 80 and then transmitted to the video card 82.
Finally, in step 134, the video card 82 converts the descrambled and decoded key validity period CP_m into a video signal. This video signal is then transmitted to the display device 84.
In response, the device 84 displays the key validity period CP_m of the multimedia content on the screen 86 in a form directly perceivable and understandable by a human.
If, in step 126, the key k_m corresponding to the identifier Id_m is not contained in table 79, the method continues with step 140 rather than proceeding directly to step 128.
In step 140, the processor 76 establishes a secure connection with the server 106 and transmits over this connection a request to receive the information needed to obtain the key k_m. For example, the request contains, inter alia, the identifier Id_m of the key k_m.
The request is transmitted to the server 106 via the transceiver 88 and the network 92. All information exchanged between the processor 76 and the server 106 passes through a secure tunnel established over the network 92. Establishing this tunnel requires the server 106 to authenticate and identify the receiver, for example by using a cryptographic certificate stored in the memory 78. Thus, the server 106 knows the identifier Id_T of the receiver from which the request was sent.
Since the table 79 of each receiver is initially empty, step 140 is systematically performed by each of the receivers during the time interval [t_0; t_1[ immediately preceding the first key validity period CP_1 of the multimedia content to be descrambled. Subsequently, step 140 is performed each time table 79 does not contain the key k_m required to descramble the key validity period CP_m.
Receipt of the request by the server 106 informs the server that the key k_{i,m} could not be obtained by the receiver before the time t_{i,m}. In response, in step 142, the server 106 updates a counter C_nbc of connections per unit time. For example, the server 106 counts the number of connections (including the current one) established between all the receivers of the system 2 and itself during a sliding window of duration Δt. Here, the server 106 counts only those connections during which the information necessary to obtain a key k_m is requested.
Next, in step 144, the server 106 obtains the value of an integer L. The number L adjusts the number of key validity periods that will elapse between this connection of the receiver 10 to the server 106 and the next necessary connection of the receiver 10 to the server 106. More precisely, the number L sets the maximum number of subsequent keys that can be derived from the key k_m without the receiver 10 reconnecting to the server 106. The number L thus sets the length of the sequence SR_m of keys k_m to k_{m+L-1} that the receiver 10 can obtain based only on the information contained in the response to its request.
The number L is set here so as to distribute the connections of the receivers to the server 106 as evenly as possible over time. To this end, during the first connection of the receiver 10 (i.e. the connection established to obtain the key k_1), the server 106 selects a first value of the number L different from the one selected for the other receivers of the system 2. For example, the server 106 randomly draws the first value from the interval [2; L_max]. In another example, the server 106 draws the first values successively from subintervals forming a partition of the interval [2; L_max]. Next, during the subsequent connections of the receiver 10, the server 106 uses a second value of the number L that is the same and constant for all the receivers of the system 2. A subsequent connection is a connection established to obtain a key k_m whose subscript m is strictly greater than one. The second value of the number L is pre-stored in the memory 110, for example in stage 114. The second value of the number L is also between 2 and L_max.
In step 146, in response to the request of the receiver 10, the server 106 transmits to the processor 76, via the connection established in step 140, the information necessary for the receiver 10 to obtain the sequence of keys SR_m without establishing a subsequent connection with the server 106. In other words, during this connection the server 106 transmits to the receiver 10 all the information required for it to obtain the keys k_{1,m} to k_{L,m}. To this end, in this embodiment, during this connection the server 106 transmits, and the receiver 10 receives, the following information:
- the current value of the parameter PC_p;
- the key k_{1,m}; and
- the control information C_{2,m} to C_{L,m}.
After the transmission of this information, the connection between the server 106 and the receiver 10 is interrupted. The connection is thus interrupted before the instant t_m at which the key validity period CP_m starts.
Next, in step 148, the processor 76 stores the received key k_{1,m} in table 79, and the method returns to step 128. Thus, before the time t_m, the key k_{1,m} is transmitted to the descrambler 74 so that the key validity period CP_m can be correctly descrambled in time.
In parallel, in step 150, the processor 76 immediately triggers the process of obtaining the following keys k_{2,m} to k_{L,m} from the information received in response to its request. Step 150 is systematically triggered after the key k_{1,m} is received. In particular, the triggering of step 150 is independent of the operational status of the networks 92 and 8.
To this end, in step 150, the processor 76 executes a key derivation algorithm D2. Algorithm D2 makes it possible to obtain the next key k_{i,m} from the previous key k_{i-1,m} and, here, also from the value of the parameter PC_p and from the control information C_{i,m}. Thus, algorithm D2 is executed a first time to obtain the key k_{2,m} from the received key k_{1,m}, then a second time to obtain the key k_{3,m} from the key k_{2,m}, and so on, until the key k_{L,m} is obtained from the key k_{L-1,m}.
Here, each time algorithm D2 is executed by the processor 76, the processor performs the following operations to obtain the key k_{i,m}:
1) the processor 76 randomly draws a number R from the set E_R, then
2) the processor 76 calculates a candidate key k_cd using the relation k_cd = F_1(R // k_{i-1,m}), then
3) the processor 76 calculates the control information C_cd using the relation C_cd = H_1(k_cd), then
4) the processor 76 compares the control information C_cd with the control information C_{i,m} received in step 146, and
5) if the control information C_cd and C_{i,m} are identical, the key k_cd is equal to the key k_{i,m}, and the key k_{i,m} is thus obtained. The key k_{i,m} is then stored in table 79 and the execution of algorithm D2 terminates. Otherwise, the processor 76 returns to operation 1). Operations 1) to 5) are thus repeated in a loop until either the key k_{i,m} is obtained, or the processor 76 performs step 126 to determine whether the key k_{i,m} has been obtained and then performs step 140 to obtain this key from the server 106. In the latter case, the key k_{i,m} is still not obtained by the receiver at the start of the duration d preceding the instant t_{i,m}, and step 150 is interrupted before this key is obtained by executing algorithm D2.
The functions F_1, H_1 and // implemented by the processor 76 are identical to those implemented by the generator 108 to construct the sequence SE_p.
The size of the set E_R is determined from the parameter PC_p, which the processor 76 receives at the same time as the key k_{1,m} and the control information C_{i,m}.
The average execution time TC_{i,m} of algorithm D2 depends on the size C_a of the set E_R. Indeed, the larger the size C_a of the set E_R, the larger the average number of random draws performed before reaching a number R equal to the number R_m that yields the key k_{i,m}. Here, the average number of random draws is equal to C_a/2. The average time TC_{i,m} for obtaining the key k_{i,m} is therefore given by the relation TC_{i,m} = (C_a/2).t_{1-5}, where t_{1-5} is the time required by the processor 76 to perform operations 1) to 5).
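As an added illustration (example code written for this page, not Viaccess code), the following Python implements algorithm D1 with the operation 119 control information on the generator side and the loop of operations 1) to 5) of algorithm D2 on the receiver side, and measures the average number of draws against C_a/2. It assumes F_1 = H_1 = SHA-256, that "//" denotes byte-string concatenation, that E_R = [0; 2^N_R[ so that C_a = 2^N_R, a deliberately small N_R, and models the deadline of step 126 as a draw budget.

```python
import hashlib
import random
from typing import List, Optional, Tuple

# Assumed instantiation: F_1 and H_1 are both SHA-256 (the page only says they
# are the same hash function) and "//" is byte-string concatenation.


def f1(r: int, prev_key: bytes, n_r: int) -> bytes:
    """F_1(R // k_{m-1}): R encoded on ceil(N_R / 8) bytes, concatenated with k_{m-1}."""
    r_bytes = r.to_bytes((n_r + 7) // 8, "big")
    return hashlib.sha256(r_bytes + prev_key).digest()


def h1(key: bytes) -> bytes:
    """H_1(k_m): one-way function producing the control information C_m."""
    return hashlib.sha256(key).digest()


def generate_sequence(k0: bytes, n: int, n_r: int,
                      rng: random.Random) -> List[Tuple[bytes, bytes]]:
    """Generator side (algorithm D1 plus operation 119): k_m = F_1(R_m // k_{m-1})
    with R_m drawn from E_R = [0; 2^N_R[, and C_m = H_1(k_m).
    Returns [(k_1, C_1), ..., (k_n, C_n)]; the R_m are never sent to receivers."""
    c_a = 1 << n_r
    table = []
    prev = k0
    for _ in range(n):
        r_m = rng.randrange(c_a)
        k_m = f1(r_m, prev, n_r)
        table.append((k_m, h1(k_m)))
        prev = k_m
    return table


def derive_next(prev_key: bytes, c_target: bytes, n_r: int,
                rng: random.Random, max_draws: int) -> Tuple[Optional[bytes], int]:
    """Receiver side (algorithm D2, operations 1) to 5) of step 150).
    Draws R from E_R without replacement until H_1(F_1(R // k_{i-1,m})) == C_{i,m}.
    max_draws models the deadline d before t_{i,m}: when it is exhausted, step 150
    is abandoned (the receiver falls back to step 140) and None is returned.
    Returns (key or None, number of draws performed)."""
    order = list(range(1 << n_r))
    rng.shuffle(order)                      # operation 1): random draws from E_R
    draws = 0
    for r in order:
        if draws >= max_draws:
            return None, draws
        draws += 1
        k_cd = f1(r, prev_key, n_r)         # operation 2): candidate key
        if h1(k_cd) == c_target:            # operations 3) and 4): C_cd vs C_{i,m}
            return k_cd, draws              # operation 5): k_{i,m} obtained
    return None, draws


def receiver_obtains_sequence(k_1m: bytes, controls: List[bytes], n_r: int,
                              rng: random.Random, max_draws: int):
    """Chains D2 over C_{2,m} .. C_{L,m}: k_{2,m} from k_{1,m}, k_{3,m} from k_{2,m}, ...
    Stops at the first key that is not obtained within the draw budget."""
    keys = [k_1m]
    draws = []
    for c in controls:
        k, d = derive_next(keys[-1], c, n_r, rng, max_draws)
        draws.append(d)
        if k is None:
            break
        keys.append(k)
    return keys, draws


def simulate(n_r: int = 12, L: int = 4, seed: int = 1, max_draws: Optional[int] = None):
    """One connection: the server answers with k_{1,m} and C_{2,m}..C_{L,m}; the
    receiver then derives k_{2,m}..k_{L,m} locally.
    Returns (server table, receiver keys, draws per key)."""
    rng = random.Random(seed)
    table = generate_sequence(b"constructed root key", L, n_r, rng)
    k_1m = table[0][0]
    controls = [c for (_, c) in table[1:]]
    budget = (1 << n_r) if max_draws is None else max_draws
    keys, draws = receiver_obtains_sequence(k_1m, controls, n_r, rng, budget)
    return table, keys, draws


def average_draws(n_r: int, trials: int, seed: int = 7) -> float:
    """Empirical mean number of draws per key, to compare with C_a/2
    (the page's TC_{i,m} = (C_a/2).t_{1-5})."""
    rng = random.Random(seed)
    prev = b"constructed root key"
    total = 0
    for _ in range(trials):
        (k_m, c_m), = generate_sequence(prev, 1, n_r, rng)
        _, d = derive_next(prev, c_m, n_r, rng, 1 << n_r)
        total += d
        prev = k_m
    return total / trials


if __name__ == "__main__":
    table, keys, draws = simulate()
    print("all keys recovered:", [k for k, _ in table] == keys, "draws per key:", draws)
    print("mean draws for N_R=12:", average_draws(12, 100), "(C_a/2 =", (1 << 12) // 2, ")")
```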
After step 146, in parallel with step 148 for example, in step 160 the server 106 compares the updated counter C_nbc with predetermined thresholds S_nbc-h and S_nbc-i stored in the memory 110. The threshold S_nbc-h is equal to or strictly greater than the number of connections per unit time that would be expected if every receiver were able to calculate each of the keys k_{2,m} to k_{L,m} in time and therefore, apart from its first connection, connected to the server 106 only after the last key k_{L,m} of the key sequence SR_m had been obtained by executing algorithm D2. Thus, the threshold S_nbc-h is equal to or greater than N_rec/(L.V), where:
- N_rec is the total number of receivers of the system 2 connected to the server 106;
- the symbol "." denotes multiplication.
The threshold S_nbc-h must also be small enough to allow the value of the parameter PC_p to be adjusted before the counter C_nbc becomes much larger than N_rec/(L.V). For example, the threshold S_nbc-h is less than 2N_rec/(L.V) or less than 1.5N_rec/(L.V).
If the current value of the counter C_nbc exceeds the threshold S_nbc-h, this means that too many receivers are unable to finish computing the key k_{i,m} before the time t_{i,m}. As a result, the number of connections established with the server 106 is much greater than initially planned. In response, in step 162, the server 106 modifies the value of the parameter PC_p so that the receivers can calculate the subsequent keys k_{i,m} more quickly. In this embodiment, for this purpose, the value of the parameter PC_p is reduced so as to reduce the size C_a of the set E_R. The method then returns to step 116 to generate the subsequent keys of the sequence SE_p taking into account the new value of the parameter PC_p.
If the value of the counter C_nbc falls below the threshold S_nbc-i, this means that too few receivers are unable to finish computing the key k_{i,m} before the time t_{i,m}. This generally corresponds to the case where the average time TC_{i,m} is too small with respect to the duration V. The threshold S_nbc-i is strictly less than the threshold S_nbc-h and is generally close to the limit N_rec/(L.V). For example, the threshold S_nbc-i belongs to the interval [N_rec/(L.V); 1.3N_rec/(L.V)] or to the interval [N_rec/(L.V); 1.1N_rec/(L.V)]. In this case, in response, in step 164, the server 106 modifies the value of the parameter PC_p so as to increase the average time TC_{i,m} for calculating the key k_{i,m}, and then returns to steps 116 and 120. To this end, the value of the parameter PC_p is increased so as to increase the size C_a of the set E_R.
If the value of the counter C_nbc lies between the thresholds S_nbc-i and S_nbc-h, the server 106 keeps the current value of the parameter PC_p unchanged.
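The following Python, an added example rather than code from the page, models steps 142 and 160 to 164: a sliding-window counter C_nbc of key-request connections, thresholds derived from N_rec/(L.V), and the resulting adjustment of PC_p (represented here by N_R, with C_a = 2^N_R). The constructed scenario assumes N_rec = 1000, L = 5, V = 10 s, Δt = 10 s, S_nbc-i = 1.05N_rec/(L.V), S_nbc-h = 1.3N_rec/(L.V) and synthetic, evenly spaced connection timestamps.

```python
from collections import deque
from typing import Deque, Tuple


class ConnectionMonitor:
    """Server-side feedback loop of steps 142 and 160-164 (added example).
    Timestamps are integer milliseconds; PC_p is represented by N_R (C_a = 2^N_R)."""

    def __init__(self, n_rec: int, L: int, V: float, window_ms: int, n_r: int,
                 low_factor: float = 1.05, high_factor: float = 1.3):
        self.nominal = n_rec / (L * V)             # N_rec/(L.V): expected connections per second
        self.s_nbc_i = low_factor * self.nominal   # page: in [N_rec/(L.V); 1.1N_rec/(L.V)]
        self.s_nbc_h = high_factor * self.nominal  # page: >= N_rec/(L.V) and < 1.5N_rec/(L.V)
        self.window_ms = window_ms                 # sliding window duration Δt
        self.n_r = n_r                             # current complexity parameter PC_p
        self.times: Deque[int] = deque()

    def record_connection(self, t_ms: int, requests_key: bool = True) -> float:
        """Step 142: count a connection in the sliding window of duration Δt.
        Only connections that request key information are counted; returns C_nbc
        expressed in connections per second."""
        if requests_key:
            self.times.append(t_ms)
        while self.times and self.times[0] <= t_ms - self.window_ms:
            self.times.popleft()
        return len(self.times) * 1000.0 / self.window_ms

    def adjust(self, c_nbc: float) -> str:
        """Steps 160-164: compare C_nbc with S_nbc-h and S_nbc-i and adjust PC_p."""
        if c_nbc > self.s_nbc_h:                   # too many receivers miss t_{i,m}: step 162
            self.n_r = max(1, self.n_r - 1)        # smaller E_R, faster derivation
            return "decrease"
        if c_nbc < self.s_nbc_i:                   # derivation too fast: step 164
            self.n_r += 1                          # larger E_R, slower derivation
            return "increase"
        return "keep"                              # between the thresholds: PC_p unchanged


def run_scenario(rate_per_s: int, n_rec: int = 1000, L: int = 5, V: float = 10.0,
                 window_ms: int = 10_000, n_r: int = 12,
                 duration_ms: int = 20_000) -> Tuple[float, str, int]:
    """Feed evenly spaced constructed connections at rate_per_s for duration_ms,
    then apply step 160 once. Returns (C_nbc, decision, new N_R)."""
    mon = ConnectionMonitor(n_rec, L, V, window_ms, n_r)
    step_ms = 1000 // rate_per_s                   # exact for the rates used below
    c_nbc = 0.0
    for t in range(0, duration_ms, step_ms):
        c_nbc = mon.record_connection(t)
    decision = mon.adjust(c_nbc)
    return c_nbc, decision, mon.n_r


if __name__ == "__main__":
    for rate in (20, 25, 40):                      # nominal rate N_rec/(L.V) is 20 per second
        print(rate, "conn/s ->", run_scenario(rate))
```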
A method for setting the aforementioned parameters in stage 114 will now be described.
The pre-stored second value of the number L is set, for example, from a target number N_cn of connections to the server 106 per second. The number N_cn is chosen by the designer of the system 2. To this end, in this particular embodiment in which the duration V of the validity interval of each key k_m is the same, the second value of the number L is determined using the relation L = N_rec/(N_cn.V).
The initial value of the parameter PC_p is set such that the expected average time TC_{i,m} of execution of algorithm D2 by the receiver before obtaining the key k_m is greater than 0.2V_{i-1,m}, or 0.5V_{i-1,m}, or 0.9V_{i-1,m}, where V_{i-1,m} is the duration of the key validity period CP_{i-1,m}.
For example, the initial value of the parameter PC_p is designed so that, whatever the value of the index i between 2 and L, each average time TC_{i,m} satisfies the following conditions (1) to (3):
In this case, whatever the value of the index i greater than or equal to two, the key k_{i,m} cannot be obtained before the time t_{i-1,m}. Thus, the key k_{L,m} is exposed to attack attempts at most during the interval [t_{L-1,m}; t_{L,m}[. The interval [t_{L-1,m}; t_{L,m}[ is much shorter than the interval [t_{1,m}; t_{L,m}[, which corresponds to the time interval during which the key k_{L,m} is exposed to attack attempts in a known method, such as the one described in patent application EP2567500, in which the key k_{L,m} is transmitted to the receiver at the same instant as the key k_{1,m}.
In this particular embodiment, where the durations of the key validity periods CP_m are all equal to V and where all the average times TC_{i,m} are forced to be equal to a constant TC, conditions (1) to (3) are satisfied, for example, by selecting the value of the parameter PC_p such that the average time TC is between (L-1)V/L and V.
Here, the initial value of the parameter PC_p is selected by determining the maximum number N_R such that the following condition is satisfied: t_{1-5}.C_a/2 ≤ V, where:
- t_{1-5} is the time taken by the receiver to perform operations 1) to 5) of step 150,
- C_a is the number of elements of the set E_R, and C_a is equal to 2^{N_R}, and
- V is the duration of each validity interval of the key k_m.
For example, in stage 114, the time t_{1-5} is measured experimentally on a receiver. The duration V is set and known.
Fig. 3 shows the same method as fig. 2, except that steps 116 and 150 are replaced by steps 180 and 182, respectively. To simplify fig. 3 and the following figures, only the modified steps are shown. The steps which are not modified and therefore not shown are symbolically represented by dashed lines in these figures.
Steps 180 and 182 are identical to steps 116 and 150, respectively, except that algorithms D1 and D2 are replaced by algorithms D3 and D4, respectively.
Algorithm D3 is a deterministic key calculation and no longer a random key calculation. Unlike a random key calculation, a deterministic key calculation does not involve a random draw that could significantly alter the average execution time TC_{i,m} of algorithm D4.
Algorithm D3, executed to generate the key k_m from the key k_{m-1}, consists in composing a one-way cryptographic function H_2 with itself Q_m - 1 times. Thus, the key k_m is obtained using the relation k_m = H_2^{Q_m}(k_{m-1}), where:
- H_2 is a one-way cryptographic function;
- H_2^{Q_m} denotes the function H_2 composed with itself Q_m - 1 times.
Typically, the function H_2 belongs to the previously defined group of functions G_1. Here, the function H_2 is a hash function. Composing the function H_2 with itself consists in applying the function H_2 a first time to the key k_{m-1} to obtain a first result H_2(k_{m-1}), then applying the function H_2 a second time to this first result to obtain a second result H_2^2(k_{m-1}) = H_2(H_2(k_{m-1})), and so on, Q_m times in total. In this embodiment, the control information includes the parameter Q_m.
The value of the parameter Q_m varies with the subscript m. For example, for each subscript m greater than or equal to two, the value of the parameter Q_m is randomly drawn from a set E_Q of values close to V/t_182, where t_182 is the time taken by the receiver to perform the function H_2 once. For example, the set E_Q is the set of integers contained in the interval [0.7V/t_182; 1.3V/t_182] or in the interval [0.9V/t_182; 1.1V/t_182]. In this case, the control information transmitted to the receiver 10 each time includes the values of the parameters Q_{2,m} to Q_{L,m}. Thus, when the receiver 10 connects to the server 106 to obtain the sequence SR_m, in response the receiver receives:
- the key k_{1,m}, and
- the control information Q_{2,m} to Q_{L,m}.
The set E_Q is much smaller than the set E_R. For example, the set E_Q contains 10^3 or 10^6 integers. Here, the size of the set E_Q is constant whatever the value of the subscript m.
In this embodiment, the complexity parameter PC_p is the average value M_Q of the set E_Q and not the number of integers it contains. The average value M_Q is the mean of the integers contained in the set E_Q, each of these integers being assigned the same weighting coefficient. The more the average value M_Q increases, the greater the computation time TC_{i,m} for obtaining the key k_{i,m} from the key k_{i-1,m}. In stage 114, the set E_Q is constructed so that its average value is equal to V/t_182. In this embodiment, the value M_Q, and thus the complexity parameter PC_p, need not be transmitted to the receiver.
Next, in steps 162 and 164, the composition of the set E_Q is modified so as to reduce its average value in step 162 and, conversely, to increase its average value in step 164. For example, to increase the average value of the set E_Q by ε, the integer ε is added to each of the integers previously contained in the set E_Q.
In step 182, algorithm D4, executed by the receiver to obtain the key k_{i,m} from the key k_{i-1,m}, is identical to algorithm D3, except that the value of the parameter Q_{i,m} is obtained from the received control information. In other words, in step 182, the receiver 10 obtains the key k_{i,m} using the relation k_{i,m} = H_2^{Q_{i,m}}(k_{i-1,m}).
Fig. 4 shows the same method as fig. 3, except that steps 180 and 182 are replaced by steps 190 and 192, respectively. Steps 190 and 192 are identical to steps 180 and 182, except that, instead of both using the same function H_2 to obtain the key k_m, the generator 108 uses a function H_G5 and the receiver 10 uses, on its side, a function H_D6. Thus, the generator 108 calculates the next key k_m using the relation k_m = H_G5^{Q_m}(k_{m-1}).
The processor 76 calculates the key k_{i,m} using the relation k_{i,m} = H_D6^{Q_{i,m}}(k_{i-1,m}). The function H_G5 is designed to allow the key k_m to be calculated from the key k_{m-1} much faster than when the function H_D6 is used. For this purpose, a one-way cryptographic function H_D6 with a trapdoor is used, such as the one-way functions used to implement asymmetric encryption. The operating principle of such a one-way function with a trapdoor is well known. For example, the principle is the same as that used in the asymmetric encryption algorithm known as RSA (Rivest-Shamir-Adleman). Therefore, only one detailed example of such a function is described below, since a person skilled in the art can deduce other possible embodiments from this example without difficulty.
For example, here, the generator 108 calculates the key k_m using the function H_G5 defined by the relation k_m = (k_{m-1}^(e^{Q_m} [(P-1)(Q-1)])) [N], where:
- (A^B) [C] is a modular exponentiation, i.e. the number A raised to the power B, modulo C;
- P and Q are large prime numbers, i.e. prime numbers whose binary representation comprises at least 500 or 1000 bits, and they are different from each other;
- N is equal to the product of the number P and the number Q;
- e is a number greater than 1 that is coprime with the product (P-1)(Q-1) and does not lie between a(P-1)(Q-1) and a(P-1)(Q-1) + 2^s, where "a" is a non-zero natural number and s is a natural number, generally equal to or greater than 80, called the security parameter.
The processor 76 calculates the key k_{i,m} using the function H_D6 defined by the relation H_D6(x) = (x^e) [N], applied Q_{i,m} times: k_{i,m} = H_D6^{Q_{i,m}}(k_{i-1,m}).
The numbers P and Q are known only to the generator 108 and correspond, for example, to its private key. The numbers N and e are known to the generator 108 and to the receiver 10 and then correspond to the public key of the generator 108. Knowing the numbers P and Q, the generator 108 is able to calculate the key k_m from the key k_{m-1} by performing only two modular exponentiations, whereas, to obtain the same key, the processor 76 must perform Q_{i,m} modular exponentiations.
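As an added example (written for this page, not Viaccess code), the following Python contrasts the fig. 3 case, where generator and receiver both iterate the same hash H_2 Q_m times, with the fig. 4 trapdoor case H_G5/H_D6 built on RSA as defined above, and checks that the generator's two-exponentiation shortcut yields the same key as the receiver's Q_{i,m} exponentiations. It assumes constructed toy parameters: P = 2^61 - 1 and Q = 2^89 - 1 (far below the required 500 or 1000 bits), e = 65537, a constructed k_{1,m}, and the [0.9V/t_182; 1.1V/t_182] construction of E_Q with V = 10 s and t_182 = 1 ms.

```python
import hashlib
import random
import time
from math import gcd
from typing import Callable, List

# Constructed toy parameters (illustration only, far too small for real use).
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                          # public exponent; must be coprime with (P-1)(Q-1)
assert gcd(E, PHI) == 1


def iterate(fn: Callable[[int], int], x: int, q: int) -> int:
    """fn^q(x): fn composed with itself q - 1 times and applied to x (algorithms D3/D4)."""
    for _ in range(q):
        x = fn(x)
    return x


def h2(x: int) -> int:
    """Fig. 3: H_2 as a hash (SHA-256 here); generator and receiver pay the same cost."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(32, "big")).digest(), "big")


def h_d6(x: int) -> int:
    """Fig. 4, receiver side: H_D6(x) = (x^e) [N], using only the public N and e."""
    return pow(x, E, N)


def h_g5(prev_key: int, q_m: int) -> int:
    """Fig. 4, generator side: k_m = (k_{m-1}^(e^Q_m [(P-1)(Q-1)])) [N].
    Knowing P and Q, e^Q_m is reduced modulo (P-1)(Q-1) first, so the cost is two
    modular exponentiations whatever the value of Q_m."""
    exponent = pow(E, q_m, PHI)
    return pow(prev_key, exponent, N)


def build_e_q(v_seconds: float, t_182_seconds: float) -> range:
    """Stage 114: E_Q = integers in [0.9V/t_182; 1.1V/t_182], mean close to V/t_182."""
    centre = round(v_seconds / t_182_seconds)
    return range(int(0.9 * centre), int(1.1 * centre) + 1)


def draw_controls(e_q: range, L: int, rng: random.Random) -> List[int]:
    """Control information Q_{2,m} .. Q_{L,m}: one draw from E_Q per derived key."""
    return [rng.choice(e_q) for _ in range(L - 1)]


def receiver_chain_fig3(k_1m: int, controls: List[int]) -> List[int]:
    keys = [k_1m]
    for q in controls:
        keys.append(iterate(h2, keys[-1], q))    # step 182: H_2^{Q_{i,m}}(k_{i-1,m})
    return keys


def receiver_chain_fig4(k_1m: int, controls: List[int]) -> List[int]:
    keys = [k_1m]
    for q in controls:
        keys.append(iterate(h_d6, keys[-1], q))  # step 192: Q_{i,m} modular exponentiations
    return keys


def generator_chain_fig4(k_1m: int, controls: List[int]) -> List[int]:
    keys = [k_1m]
    for q in controls:
        keys.append(h_g5(keys[-1], q))           # step 190: two modular exponentiations
    return keys


def demo(seed: int = 3):
    """Draw Q_{2,m}, Q_{3,m} from E_Q, run both sides of fig. 4 and time them.
    Returns (controls, keys agree, generator seconds, receiver seconds)."""
    rng = random.Random(seed)
    e_q = build_e_q(v_seconds=10.0, t_182_seconds=0.001)   # constructed V and t_182
    controls = draw_controls(e_q, L=3, rng=rng)
    k_1m = int.from_bytes(b"constructed k_1,m", "big") % N
    t0 = time.perf_counter()
    gen = generator_chain_fig4(k_1m, controls)
    t1 = time.perf_counter()
    rec = receiver_chain_fig4(k_1m, controls)
    t2 = time.perf_counter()
    return controls, gen == rec, t1 - t0, t2 - t1


if __name__ == "__main__":
    controls, same, t_gen, t_rec = demo()
    print("Q values:", controls, "keys agree:", same)
    print(f"generator {t_gen * 1e3:.1f} ms vs receiver {t_rec * 1e3:.1f} ms")
```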
Chapter 4: Modifications
Chapter 4.1: Variants of the method
Alternatively, the control information may be omitted. For example, in the case of a deterministic calculation of the key k_{i,m}, if the number of times Q_{i,m} that the function H_2 has to be applied to construct the key k_{i,m} from the key k_{i-1,m} is a constant known to all the receivers, the server 106 need not transmit this control information to the receivers on every connection. In this particular case, the parameter PC_p is also a constant. Thus, the server 106 transmits only the key k_{1,m} to the receiver, and the receiver derives the keys k_{2,m} to k_{L,m} from the key k_{1,m} without receiving further information from the server 106.
The number N of keys of the sequence SE_p may be 10, 100 or 1000 times the number L_max.
At any given time t_{p+1}, the generator 108 may stop using the sequence SE_p, including before the key k_N has been used to scramble the key validity period CP_N. From the time t_{p+1}, the generator starts using another key sequence SE_{p+1}. In this case, preferably, before the time t_{p+1}, the server 106 transmits a signal to the receiver indicating to it that another sequence SE_{p+1} is to be used from that time. In response, the receiver immediately establishes a connection with the server 106 to receive the information needed to obtain the key k_{1,m} and derive the next L keys k_{i,m} of the new sequence SE_{p+1}.
The number N of keys of the sequence SE_p may also be smaller than the number of key validity periods of the multimedia content to be scrambled. In this case, after having generated the key k_N, the generator 108 starts to generate another sequence SE_{p+1} of keys intended to scramble the key validity periods following the key validity period CP_N (e.g. CP_{N+1} to CP_{2N} or CP_{N+1} to CP_{N+M}). The first key k_{N+1} of the sequence SE_{p+1} is generated independently of the keys of the sequence SE_p, in particular independently of the key k_N. If necessary, the numbers N and M must still be chosen greater than or equal to the number L_max.
The number N may also not be predetermined. In this case, the generator 108 continually generates new keys k_m for the sequence SE_p. In this case, the generator 108 generates a new sequence SE_{p+1} preferably in response to an external instruction to change the key sequence. For example, an instruction to change the key sequence is sent when an attack or attempted attack on the key sequence SE_p is detected. A successful cryptanalysis of the key derivation algorithm may be detected, for example, from the fact that an increasing number of receivers no longer need to connect to the server 106 every L.V seconds in order to correctly descramble the multimedia content.
As a variant, in step 142, the server 106 updates the counter C_nbc only if the last key obtained by the receiver is not the last key of the current key sequence, i.e. only if the current connection was not expected.
In a simplified embodiment, the number L is not adjusted so as to distribute the connections of the receivers to the server 106 more evenly over time. In this case, for example, the number L is a constant determined in advance and is the same for all the receivers.
As a variant, in order to limit the amount of information transmitted by the server 106 to the receiver 10 during each connection, the value of the parameter Q_m is independent of the subscript m, and this parameter Q_m is then simply denoted Q. In this case, the numbers L and N may be chosen equal. The generator then systematically changes the sequence SE_p after the L keys have been generated.
As a variant, step 160 is not performed systematically after step 146. Step 160 is performed periodically, for example once every given number of executions of step 146, or at a predetermined time period. When step 160 is not performed after step 146, steps 162 and 164 are also omitted, and the server 106 keeps the current value of the parameter PC_p unchanged.
Other methods for setting the value of the parameter PC_p are possible. For example, the setting of the value of the parameter PC_p is triggered otherwise than by comparing the value of the counter C_nbc with the thresholds S_nbc-h and S_nbc-i. For example, the time TC_{i,m} taken by the processor 76 to execute the derivation algorithm is measured, for example by the processor 76 itself, and then transmitted to the server 106. In response, the server 106 compares the measured execution time with the duration V. If the measured execution time is less than the duration V, the value of the complexity parameter PC_p is increased. In the opposite case, the value is reduced.
In another example, in response to receiving the times TC_{i,m} measured by the processors 76, the server 106 calculates an average execution time of the derivation algorithm, and then compares this average execution time with the duration V. If the average execution time is less than the duration V, the value of the complexity parameter PC_p is increased. In the opposite case, the value is reduced. In this example, the server 106 calculates the average execution time of the derivation algorithm over all the receivers or over a sample of receivers, e.g. a set number of receivers chosen at random. In this example, alternatively or in combination, the server 106 calculates the average execution time of the derivation algorithm over a sliding time window of predetermined size (e.g. of the order of one minute, ten minutes, one hour or ten hours).
As a variant, the complexity of the derivation algorithm is not adjustable. In this case, the value of the parameter PC_p is selected, for example in stage 114, as previously described. Then, during execution of the method of fig. 2, the parameter PC_p can no longer be changed. In this embodiment, steps 142, 160, 162 and 164 are omitted.
The parameter PC_p may be set such that the average time TC_{i,m} is greater than the duration V. In the case of the embodiment of fig. 2, this results in only a subset PP of the receivers (of smaller size than the subset PP obtained with the adjustment of the parameter PC_p described above) randomly drawing a number R that allows the key k_{i,m} to be obtained in time (i.e. before the instant t_{i,m}). The receivers not belonging to the subset PP have to connect to the server 106 to obtain the key k_{i,m}. However, this setting still reduces the number of receivers connecting to the server 106 per key validity period while increasing the security of the system.
As a variant, the connection between the server 106 and the receiver 10 is not interrupted after the information required to construct the sequence SR_m has been transmitted by the server.
Chapter 4.2: Variants of the key derivation algorithm
Functions other than those described above may be used. For example, the function F_1 need not be a one-way function. It may be as simple as the identity function. However, in this case, the function H_1 is different from the function F_1 and is still a one-way function.
Other deterministic key calculations are possible. For example, algorithm D3 may be replaced by another algorithm in which the key k_m is calculated using the relation k_m = H_3^Q(f(k_{m-1}, D_m)), where:
- D_m is a small number randomly drawn from a set E_D of integers whose binary representation comprises at most 18 bits or 10 bits;
- f is a simple function, such as the addition or multiplication of k_{m-1} with D_m;
- H_3 is a function belonging to the aforementioned group G_1, preferably a hash function; and
- Q is a complexity parameter.
In this embodiment, the control information includes the data D_m and the parameter Q. The data D_m is encoded on a number of bits that is preferably at least two times smaller than the number of bits required to encode the parameter Q_m as defined in the embodiment of fig. 3. Thus, in this variant, the bandwidth required to transmit the control information to the receiver 10 is reduced.
Other embodiments of the derivation algorithm are possible. For example, instead of randomly drawing the number R from the set E_R each time, the number R is initialized to 0 and then incremented by 1 at each iteration of operations 1) to 5) of step 150.
Chapter 4.3: Other variants
here, in the specific case where the generated and received key is a control word directly used for encrypting and decrypting the multimedia content, a method for obtaining a key sequence is described. However, these methods may be used to obtain keys other than control words. For example, the generated and received key may be a session key used to encrypt and decrypt control words transmitted to the receiver. In this case, the session key is typically replaced at a frequency 10, 100, 1000, or 10000 times less than the frequency of replacing the control word. For example, the validity interval of the session key is longer than one minute, one hour, or 24 hours. In this case, the value of the complexity parameter PC p is adjusted to correspond to such a duration of the validity interval.
The method for obtaining a key sequence described herein may also be used to obtain a key sequence for encrypting and decrypting digital content other than multimedia content. For example, the obtained key sequence may be used to encrypt or decrypt digital documents, such as text files, or any data exchanged over a communications channel.
What has been described herein also applies to systems other than conditional access systems. For example, what has been described herein applies to any system in which a sequence of keys each associated with a validity interval is used. For example, the teachings presented herein are not particularly difficult to transfer to the digital rights management system known by the acronym DRM ("DIGITAL RIGHTS MANAGEMENT"). In these DRM systems, each key of a sequence is obtained from a license. The license generally contains the validity interval of the key.
The content that has just been described in the specific case where the key k i,m is a decryption key can also be applied to the case where the key k i,m is used for encrypting digital content instead of decrypting the digital content. More generally, what has been described herein may also be used to obtain an encryption key sequence that is used for other purposes, such as authenticity verification, integrity verification of digital data, initialization of a pseudo-random generator, and others.
As a variant, the duration V i,m of the validity interval is not constant. In this case, the time TC i,m is, for example, different for obtaining each key k i,m. Time TC i,m is set by using, for example, control information Q m. in this case, in general, the control information Q m is selected so that the time TC i,m is 0.5V i-1,m to V i-1,m, Preferably 0.9V i-1,m to V i-1,m. Preferably, the control information Q m is selected such that the execution time is such that it is no matter belonging to the interval [2; how much i is for L ], time TC i,m satisfies the above conditions (1) to (3). When these conditions are met, the key k i,m may be obtained by the receiver at the earliest in interval t i-1,m;ti,m. thus, the key k i,m may only be attacked during interval t i-1,m;ti,m, which is of duration V i-1,m.
As a modification, the above condition (2) is omitted.
In another variant, the execution of the derivation algorithm is distributed over a group of M receivers that can securely exchange information with each other. The number M is greater than or equal to two, and preferably greater than or equal to 100 or 1000. For example, the receivers of the same group are connected to each other via a public or private network. A receiver belonging to one receiver group does not belong to another receiver group. The exchange of information between the receivers of a group is encrypted, for example, using a key known only to the receivers of that group. For example, where the derivation algorithm is a random key calculation, the set E_R is divided into M disjoint subsets of the same size. Each of these subsets is assigned to a respective receiver of the group. In response to receiving the key k_{1,m}, each receiver of the group attempts to calculate k_{2,m} as described above, but selects the number R only from the subset that has been assigned to it. The first receiver of the group to obtain the key k_{2,m} then transmits this key to the other receivers of the same group. Once the key k_{2,m} has been distributed to all receivers of the group, these receivers stop their current execution of the derivation algorithm for the key k_{2,m} and start executing the derivation algorithm to obtain the key k_{3,m}, in the same manner as described above for the key k_{2,m}.
The receiver group thus executes the derivation algorithm in a time TC_{i,m} equal to TCr_{i,m}/M, where TCr_{i,m} is the average time taken to execute the same derivation algorithm by a single receiver of the group, which must then select the number R from the entire set E_R rather than from a subset of it. This variant therefore allows the size of the set E_R to be increased, and thus the security of the method to be increased.
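The distributed random-key search of this variant, as an added illustration (this is example code, not the patent's own implementation). The page fixes only the structure of the calculation, so the primitives are assumed here: F(R // k_{i-1,m}) is instantiated as HMAC-SHA256 keyed with the previous key over R, H is SHA-256, E_R is a constructed and deliberately tiny space of 2^16 numbers, and the parallel search of the M receivers is simulated sequentially. The code shows the asymmetry the text relies on (one F and one H on the generator side against a search over E_R on the receiver side), that the keys can only be derived in increasing order of i, and how partitioning E_R among the receivers divides the trials needed per receiver.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Assumed instantiations (the patent fixes only the structure, not the primitives):
#   F(R // k_prev) = HMAC-SHA256 keyed with k_prev over R encoded on 4 bytes
#   H(k)           = SHA-256(k)
#   E_R            = {0, ..., 2**16 - 1}, a constructed, deliberately tiny search space
R_BITS = 16
E_R_SIZE = 1 << R_BITS


def F(r: int, k_prev: bytes) -> bytes:
    """Candidate key from the number R combined with the previous key."""
    return hmac.new(k_prev, r.to_bytes(4, "big"), hashlib.sha256).digest()


def H(k: bytes) -> bytes:
    """One-way function producing the control information C_{i,m} = H(k_{i,m})."""
    return hashlib.sha256(k).digest()


def generator_next_key(k_prev: bytes, r: int) -> Tuple[bytes, bytes]:
    """Generator side: one F and one H per key, because it knows R."""
    if not 0 <= r < E_R_SIZE:
        raise ValueError("R must be drawn from E_R")
    k_next = F(r, k_prev)
    return k_next, H(k_next)


def generator_sequence(k1: bytes, rs: List[int]) -> Tuple[List[bytes], List[bytes]]:
    """Keys k_1..k_L and the control information C_2..C_L sent in the first connection."""
    keys, controls = [k1], []
    for r in rs:
        k, c = generator_next_key(keys[-1], r)
        keys.append(k)
        controls.append(c)
    return keys, controls


def receiver_search(k_prev: bytes, c_target: bytes, subset: range) -> Tuple[Optional[bytes], int]:
    """One receiver of the group: tries only the numbers R of its own subset of E_R
    (operations 1) to 5) of the random key calculation). Returns the key, or None
    when the subset does not contain the generator's R, plus the number of trials."""
    trials = 0
    for r in subset:
        trials += 1
        k_cd = F(r, k_prev)
        if hmac.compare_digest(H(k_cd), c_target):
            return k_cd, trials
    return None, trials


def partition(n_receivers: int) -> List[range]:
    """Split E_R into M disjoint contiguous subsets of equal size, one per receiver."""
    size = E_R_SIZE // n_receivers
    return [range(j * size, (j + 1) * size) for j in range(n_receivers)]


def group_search(k_prev: bytes, c_target: bytes, n_receivers: int) -> Tuple[Optional[bytes], int, int]:
    """Simulate M receivers searching in parallel: the receiver whose subset holds R
    is the first to finish and broadcasts the key to the others.
    Returns (key, index of that receiver, trials it needed)."""
    for j, subset in enumerate(partition(n_receivers)):
        key, trials = receiver_search(k_prev, c_target, subset)
        if key is not None:
            return key, j, trials
    return None, -1, 0


def group_chain(k1: bytes, controls: List[bytes], n_receivers: int) -> List[bytes]:
    """Receiver side: derive k_2..k_L strictly in increasing order of i; each step
    can only start once the previous key is known."""
    keys = [k1]
    for c in controls:
        key, _, _ = group_search(keys[-1], c, n_receivers)
        if key is None:
            raise ValueError("control information matched no R in E_R")
        keys.append(key)
    return keys
```

With the generator's R at 40000 and four receivers, only the receiver holding the subset [32768; 49152) finds the key, after 7233 trials, whereas a single receiver scanning all of E_R needs 40001; the size of E_R is what sets TCr_{i,m}, and the M-fold speed-up of the group is what lets the generator enlarge E_R without pushing TC_{i,m} past V_{i-1,m}.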
Where the derivation algorithm is a deterministic key calculation, its execution may also be distributed over the receivers of the group so as to benefit from the computing power of all the microprocessors 76 of these receivers. Distributing the execution of an algorithm over several microprocessors, so that portions of the algorithm run in parallel on each of them, is well known and is not described in detail here. As in the case of the random key derivation algorithm, distributing the execution of the derivation algorithm over all receivers of the group improves security, because it makes obtaining the key more complicated: in particular, it increases the computing power an illegitimate receiver needs in order to execute the derivation algorithm fast enough.
If the duration TA_1 needed to illegally distribute and recover the key k_{i,m} just received by the receiver 10 is known, the complexity parameter PC_P may be adjusted such that the time TC_{i,m} lies only within the interval [V - TA_1; V].
If the duration TA_2 needed to illegally distribute and recover the key k_{1,m} received by the receiver 10 is known, and the derivation algorithm is known to an illegitimate receiver, the complexity parameter may be adjusted such that the time TC_{i,m} need only satisfy the following condition: TA_2 + (L - 1)·TC_{i,m} ≥ (L - 1)·V.
Chapter 4: Advantages of the described embodiments
In the method, the receiver can obtain the key k_{i,m} only after the calculation of the key k_{i-1,m} has been completed. The receiver must therefore calculate the keys k_{i,m} in increasing order of the index i. In addition, the average time TC_{i,m} for calculating the key k_{i,m} is long, i.e. here greater than or equal to 0.2·V_{i-1,m}. Thus, although all the information needed to obtain the keys k_{1,m} to k_{L,m} is received before time t_{1,m}, the subsequent keys k_{2,m} to k_{L,m} can only be obtained after time t_{1,m}. For example, the key k_{L,m} is obtained only after the time t_R + TC_{2,m} + TC_{3,m} + ... + TC_{L,m}, where t_R is the time at which the information needed to obtain each of the keys k_{1,m} to k_{L,m} is received. In contrast, in a known method such as that described in patent application EP2567500, the key k_{L,m} is obtained at time t_R. In other words, the method described herein delays the acquisition of the key k_{L,m} by TC_{1,m} + ... + TC_{L,m}. Since the key k_{L,m} is obtained later in this receiver than in the known receiver, the time available for attacking the key k_{L,m} before time t_{L,m} is shorter than in the known method, which improves the security of the method.
Furthermore, as in the method of EP2567500, in order to obtain the L keys of the sequence SR_m the receiver only needs to connect to the key server 106 once. The method therefore also reduces the number of connections, or exchanges of information, between the server 106 and each of the receivers. Finally, the method can be applied without having to determine a security level associated with each of the receivers.
The fact that the value of the parameter PC_P is dynamically adjusted according to the information indicating that the key k_{i,m} could not be obtained before time t_{i,m} makes it possible to adapt the method automatically to the actual performance of the receivers.
Using different values of the number L for different receivers or groups of receivers allows the connections to the server 106 to be better spread over time.
Distributing the execution of the derivation algorithm over several receivers improves the security of the method against collusion attacks. Indeed, in order to obtain the sequence SR_m more quickly, an attacker may try to distribute the execution of the derivation algorithm over a plurality of illegitimate receivers. However, the number of legitimate receivers is typically much greater than the number of illegitimate receivers. This allows the value of the parameter PC_P to be increased so that collusion attacks can be detected, and carrying out such collusion attacks successfully becomes more difficult.
The fact that a receiver which fails to obtain the key k_{i,m} in time from the information received during the first connection retains the ability to establish a second connection with the server 106 to obtain that key allows the claimed method to be implemented with receivers some of which are slower than others, or slower than the receivers expected to execute the derivation algorithm. This makes it possible, where necessary, to take into account the diversity of the receivers and the variation in their computing performance.
The fact that the derivation algorithm consists in repeating the same one-way function Q_{i,m} times allows an average time TC_{i,m} to be obtained that can be determined in advance and can thus be systematically placed within the interval [V_{i-1,m}/2; V_{i-1,m}].
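The deterministic variant (repeating a one-way function Q_{i,m} times, claim 9) together with the completion check, the second connection and the server-side re-tuning of PC_P described in the paragraphs above, as an added example that is not the patent's own code. Assumptions: the one-way function is SHA-256, Q_{i,m} plays the role of the complexity parameter PC_P, receiver speed is modelled by a constructed cost per iteration so that TC_{i,m} = Q·cost, and the thresholds, step size and validity duration are constructed values. The server counts the reconnections of one validity interval and halves or multiplies Q accordingly; the last function carries through the constant-V bound TA_2 + (L-1)·TC_{i,m} ≥ (L-1)·V from the variant above.

```python
import hashlib
from typing import List


def one_way(x: bytes) -> bytes:
    """Assumed one-way function: SHA-256 (the page leaves the primitive open)."""
    return hashlib.sha256(x).digest()


def derive_next_key(k_prev: bytes, q: int) -> bytes:
    """Claim 9: initialise a variable with k_{i-1,m} and apply the one-way
    function Q_{i,m} times; TC_{i,m} therefore grows linearly with Q."""
    v = k_prev
    for _ in range(q):
        v = one_way(v)
    return v


def derive_sequence(k1: bytes, q: int, L: int) -> List[bytes]:
    """Keys k_1..k_L in increasing order of i; each one needs the previous one."""
    keys = [k1]
    for _ in range(2, L + 1):
        keys.append(derive_next_key(keys[-1], q))
    return keys


class Receiver:
    """Constructed model of one receiver: a cost in time units per one-way call."""

    def __init__(self, cost_per_iteration: float):
        self.cost = cost_per_iteration

    def exec_time(self, q: int) -> float:
        return q * self.cost


class KeyServer:
    """Claims 3 and 4: count the second connections opened because a key was
    not ready before t_{i,m}, then re-tune the complexity parameter (here Q)."""

    def __init__(self, q: int, high_threshold: int, low_threshold: int, step: float = 0.5):
        self.q = q
        self.high = high_threshold
        self.low = low_threshold
        self.step = step
        self.connections = 0  # (142): counter of reconnections in the current period

    def report_key_not_ready(self) -> None:
        """A receiver reconnected because k_{i,m} could not be obtained in time."""
        self.connections += 1

    def end_of_period(self) -> int:
        """(160)-(164): compare the counter with the thresholds and adjust Q."""
        if self.connections > self.high:
            # (162): too many reconnections, make the derivation faster
            self.q = max(1, int(self.q * (1 - self.step)))
        elif self.connections < self.low:
            # (164): hardly any reconnections, make the derivation slower
            self.q = int(self.q * (1 + self.step))
        self.connections = 0
        return self.q


def simulate_period(server: KeyServer, receivers: List[Receiver], validity: float) -> int:
    """One validity interval: each receiver checks (126) whether its derivation
    finishes within V_{i-1,m}; if not it reconnects (140). Returns the new Q."""
    for r in receivers:
        if r.exec_time(server.q) > validity:
            server.report_key_not_ready()
    return server.end_of_period()


def min_average_time(ta2: float, L: int, validity: float) -> float:
    """Smallest TC_{i,m} allowed by TA_2 + (L-1)*TC >= (L-1)*V for constant V."""
    return ((L - 1) * validity - ta2) / (L - 1)
```

Because the chain is a plain iteration of one function, deriving k_{i+1,m} from k_{i,m} with Q steps gives the same result as 2Q steps from k_{i-1,m}, which is exactly why a receiver cannot reach a later key without passing through the earlier ones; the controller only ever moves Q, never the chain itself, so a change of PC_P takes effect at the next first connection.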
The fact that the one-way function is a one-way encryption function with a trapdoor allows the time required to generate the sequence SE_p to be shortened.
The fact that the key derivation algorithm is a random key calculation allows the generator 108 to calculate the key k_{i,m} with significantly fewer operations than the receiver must perform to calculate the same key.
Implementing the derivation algorithm as a random key calculation of the key k_{i,m} thus yields a derivation algorithm whose execution time is long on the receiver side and much shorter on the generator side.
Receiving, during the first connection, only the information required to obtain the sequence SR_m of L keys makes it possible to force the receiver 10 to establish a new connection with the server 106 at the latest after obtaining the key k_{L,m}.

Claims (16)

1. A method for obtaining a sequence of L encryption keys k_{1,m}, ..., k_{i,m}, k_{i+1,m}, ..., k_{L,m} by a group of electronic receivers, wherein:
- the subscript i is the sequence number of the key k_{i,m} in the key sequence,
- L is an integer greater than or equal to two, and
- whatever the value of the subscript i between 1 and L, the key k_{i,m} is used only during a validity interval [t_{i,m}; t_{i+1,m}] of duration V_{i,m}, where t_{i,m} and t_{i+1,m} are respectively the start and end times of the validity interval,
wherein:
- before time t_{1,m}, the receiver group establishes (140) a first connection with a key server and receives, during this first connection, the information required to obtain the key k_{1,m}, then
- for each subscript i ranging from 2 to L, before said time t_{i,m}, said receiver group obtains (150) a key k_{i,m},
characterized in that, for each subscript i between 2 and L, and in increasing order of these subscripts:
- the receiver group obtains (150; 182; 192) the subsequent key k_{i,m} by executing a key derivation algorithm initialized with the previous key k_{i-1,m}, without resorting to information other than that received during the first connection, and
- the average time TC_{i,m} taken by the receiver group to execute the key derivation algorithm to obtain the key k_{i,m} is greater than 0.2·V_{i-1,m}.
2. The method according to claim 1, wherein, for at least one subscript i ranging from 2 to L:
- after time t_{i-1,m} and before time t_{i,m}, the receiver group verifies (126) whether the process of obtaining the key k_{i,m} has been completed,
- if the process of obtaining the key k_{i,m} is not completed before said time t_{i,m}, said receiver group establishes (140) a second connection with the key server and transmits to the key server, via this second connection, information indicating that the key k_{i,m} could not be obtained before time t_{i,m}; in the opposite case, said receiver group does not transmit to the key server any information indicating that the key k_{i,m} could not be obtained before time t_{i,m}.
3. The method according to claim 2, wherein:
- in response to receiving information indicating that the key k_{i,m} could not be obtained before time t_{i,m}, the key server alters (162) the value of a complexity parameter PC_P of the key derivation algorithm, the altered value of the parameter PC_P corresponding to an average execution time TC_{i,m} that is shorter than the current average execution time, or
- in response to not receiving information indicating that the key k_{i,m} could not be obtained before time t_{i,m}, the key server alters (164) the value of the parameter PC_P such that the value of the parameter corresponds to an average execution time TC_{i,m} that is longer than the current average execution time.
4. The method according to claim 3, wherein, in response to receiving information indicating that the key k_{i,m} could not be obtained before time t_{i,m}:
- the key server updates (142) a counter of the number of connections established per unit time, then
- the key server compares (160) the value of the counter with a predetermined high threshold and, in response, alters (162) the value of the complexity parameter so as to reduce the number of connections established per unit time, and/or
- the key server compares (142) the value of the counter with a predetermined low threshold and, in response, alters (164) the value of the complexity parameter so as to increase the number of connections established per unit time if the value of the counter crosses the predetermined low threshold.
5. The method according to any one of claims 1 to 4, wherein the method for obtaining a key sequence is implemented for a first receiver group and a second receiver group, and the key server uses (144) a first value of the number L for the first receiver group and a different second value of the number L for the second receiver group.
6. The method according to any one of claims 1 to 4, wherein the receiver group comprises a plurality of receivers and the execution of the derivation algorithm is distributed over each of the receivers of the group.
7. The method according to any one of claims 1 to 4, wherein the receiver group comprises a single receiver and the derivation algorithm is executed by this single receiver.
8. The method according to any one of claims 1 to 4, wherein, for at least one subscript i ranging from 2 to L:
- after time t_{i-1,m} and before time t_{i,m}, the receiver group verifies (126) whether the process of obtaining the key k_{i,m} has been completed,
- if the process of obtaining said key k_{i,m} has not been completed:
  - the receiver group establishes (140) a second connection with the key server and receives, during this second connection, the information needed to obtain the key k_{i,m} without executing the key derivation algorithm, then
  - obtains the key k_{i,m} from the information received during the second connection, without having to execute the key derivation algorithm, then
  - the receiver group obtains (150; 182; 192) the subsequent key k_{i+1,m} by executing a key derivation algorithm initialized with the previous key k_{i,m}, without resorting to information other than that received during the second connection, the previous key k_{i,m} having been obtained from the information received during the second connection; and
- if the process of obtaining the key k_{i,m} has been completed, the receiver group does not establish this second connection and subsequently obtains (150; 182; 192) the key k_{i+1,m} by executing a key derivation algorithm initialized with the previous key k_{i,m}, without resorting to information other than that received during the first connection.
9. The method according to any one of claims 1 to 4, wherein the receiver group, when it executes the key derivation algorithm, performs the following operations:
1) initializing the value of a variable with the previous key k_{i-1,m}, then
2) converting the value of the variable using a one-way function to obtain a new value of the variable, then
3) iterating operation 2) a predetermined number of times Q_{i,m}, each iteration taking as the value of the variable to be converted the new value obtained at the end of the previous iteration of operation 2).
10. The method according to claim 9, wherein the one-way function is a one-way encryption function with a trapdoor.
11. The method according to any one of claims 1 to 4, wherein the receiver group, when it executes the key derivation algorithm, performs the following operations:
1) selecting a number R from a set E_R, then
2) calculating a candidate key k_cd using the relation k_cd = F(R // k_{i-1,m}), where F is a predetermined function and the symbol "//" denotes the combination of the numbers R and k_{i-1,m}, then
3) calculating control information C_cd using the relation C_cd = H(k_cd), where H is a one-way function, then
4) comparing the control information C_cd with the control information C_{i,m} received during the first connection, and
5) if the control information C_cd and C_{i,m} correspond, the calculated key k_cd is equal to the key k_{i,m}, which is thus obtained; otherwise the receiver group repeats operations 1) to 5) with another number R from the set E_R.
12. The method according to any one of claims 1 to 4, wherein the average time TC_{i,m} taken by the receiver group to execute the key derivation algorithm to obtain the key k_{i,m} is less than or equal to V_{i-1,m}.
13. A method for securely transmitting digital content, wherein:
- a device divides (120) the digital content into successive key validity periods, encrypts each key validity period CP_m with a respective key k_m of an ordered sequence of keys k_1 to k_N, and transmits each encrypted key validity period to a receiver group,
- the receiver group decrypts (130) each received key validity period using the corresponding key k_m of the ordered sequence of keys,
characterized in that the receiver group obtains (150; 182; 192) the key sequence by implementing the method according to any one of the preceding claims.
14. A data storage medium readable by a microprocessor, the data storage medium comprising instructions for implementing the method of any preceding claim when the instructions are executed by the microprocessor.
15. A receiver group for implementing the method according to any one of claims 1 to 13, each receiver of the group comprising a microprocessor (77) programmed to implement the following steps:
- before time t_{1,m}, the receiver group establishes a first connection with a key server and receives, during this first connection, the information required to obtain the key k_{1,m}, then
- for each subscript i between 2 and L, before said time t_{i,m}, said receiver group obtains a key k_{i,m},
wherein, for each subscript i ranging from 2 to L, and in increasing order of these subscripts, each microprocessor is further programmed to perform the following steps:
- the receiver group obtains the subsequent key k_{i,m} by executing a key derivation algorithm initialized with the previous key k_{i-1,m}, without resorting to information other than that received during the first connection, and
- the average time TC_{i,m} taken by the receiver group to execute the key derivation algorithm to obtain the key k_{i,m} is greater than 0.2·V_{i-1,m}.
16. A key server for implementing the method according to any one of claims 3 to 4, the server comprising a microprocessor (114) programmed to implement the following step:
- before time t_{1,m}, the key server establishes a first connection with the receiver group and transmits, during this first connection, the information needed to obtain the key k_{1,m},
characterized in that the microprocessor (114) is further programmed to carry out the following steps:
- in response to receiving information indicating that the key k_{i,m} could not be obtained before said time t_{i,m}, said key server modifies the value of a complexity parameter PC_P of said key derivation algorithm, said modified value of said parameter PC_P corresponding to an average execution time TC_{i,m} that is shorter than the current average execution time, or
- in response to not receiving information indicating that the key k_{i,m} could not be obtained before time t_{i,m}, the key server alters (164) the value of the parameter PC_P such that the value of the parameter corresponds to an average execution time TC_{i,m} that is longer than the current average execution time.
CN201980055283.0A 2018-07-04 2019-07-01 Method for obtaining a sequence of encryption keys Active CN112602288B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR1856170A FR3083660B1 (en) 2018-07-04 2018-07-04 PROCESS FOR OBTAINING A SUCCESSION OF CRYPTOGRAPHIC KEYS
FR1856170 2018-07-04
PCT/FR2019/051616 WO2020008131A1 (en) 2018-07-04 2019-07-01 Method for obtaining a sequence of cryptographic keys

Publications (2)

Publication Number Publication Date
CN112602288A CN112602288A (en) 2021-04-02
CN112602288B true CN112602288B (en) 2024-08-16
