
CI Plus Overview Presentation


Source file: ci-plus_overview.ppt (www.ci-plus.com, CI Plus LLP)


Transcription of CI Plus Overview Presentation

CI Plus Limited Liability Partnership (LLP)
CI Plus Overview
11th November 2011

Table of Content
- One Page Overview of CI Plus
- History of Common Interface
- Requirements & Scope with CI Plus
- CI Plus System Overview
- CI Plus Specification
  - SAC (Secure Authenticated Channel)
  - Authentication
  - Protection of TS (Transport Stream) with CC (Content Control)
  - URI (Usage Rules Information)
  - Revocation, Shunning
  - Interactivity with MHP CA API
- CI Plus Administration
  - CI+ LLP, Certificate Agent & Test Center
  - CI+ Documentation
  - Flow Chart of Certification & Licensing
  - Licensee Overview
- Summary
- Document History
- Abbreviations

Abbreviations:
- CA: Conditional Access
- CAM: CA Module
- CI: Common Interface
- PCMCIA: Personal Computer Memory Card International Association
- SC: Smart Card

[Figure labels: SC, PCMCIA, CI-CAM, CA, CI]

Disclaimer.
All text and images that are presented herein are just for illustration purposes about the principles of CI Plus. The Presentation may contain inaccuracies or errors. It does not necessarily reflect the most recent status of technical and licence relevant documents of CI

One Page Overview
Issue with v1 and Solution with
- 1997-02 Quite old standard EN 50221 (DVB-CI v1) with unencrypted CAM output
- 2006-09 Closed DVB TM-CIT group after missing consensus
- 2007-07 CI+ Forum founded by 6 companies
- 2008-01 CI Plus Spec with encrypted CAM output
- 2008-11 CI+ forum replaced by CI Plus LLP
- 2009-03 Appointment of Trustcenter & Test facility
- 2011-04 DVB adopts future development of CI Plus specification
- 2011-05 SMiT becomes 7th partner in CI Plus LLP

[Figure labels: IDTV; PCMCIA Interface; Encrypted TV Signal; not encrypted; encrypted; additional Usage Rules for A/D output and storage; STB, Recorder, ..; Copy of original digital content is impossible!]

History of Common Interface (CI)
- 1997-02: Standard DVB CI v1 (EN 50221)
- 1999-11: Extension ETSI TS 101 699
- 2002-01: EU directive for CI in IDTV with > 30cm
- 2006-09: Start of DVB TM-CIT group (to close security gaps with new CI v2 ..). Closed after missing consensus on technology
- 2007-07: Founding CI+ Forum by 6 companies
- 2007-12: CI Plus Specification draft
- 2008-01: CI Plus Specification of CI+ Forum & creation of CI Plus LLP (UK Limited Liability Partnership)
- 2009-02: CI Plus Specification TC TrustCenter GmbH appointed
- 2009-03: DTV Labs Ltd. appointed test facility
- 2009-05: CI Plus Specification about continuation of specification under DVB
- 2011-01: CI Plus Specification adopts development of CI Plus spec beyond becomes 7th partner in CI Plus LLP

CI & CI Plus - Usage for SD/HDTV
[Figure labels: Set-Top-Box with integrated Decryption-System (Only for few content used or permitted); SDTV; Smart Card with DVB-CI; Smart Card with CI+; Smart Card; Display or IDTV]

CI - First Generation Standard v1
- CI-Module used with smartcard containing key information
- CI-Module removes the encryption of protected content
- The output of CI-Module is unencrypted
- Due to this, most content providers prefer integrated solutions because of higher security

[Figure labels: Encrypted Television Signal; CI-Module; Smartcard; No Encryption; PCMCIA Interface; Plasma / LCD IDTV; Copy of original digital content is possible]

CI Plus - Protection of Content
- Based on existing DVB-CI Standard
- Main requirement: achieving the same level of security as embedded solutions
- CI Plus Module and Receiver
  - Calculation & Usage of a secure key for content protection
  - Secure, authenticated channel for critical system messages
- The output of module is encrypted
- Only certified devices are supported

[Figure labels: Plasma / LCD IDTV; Smartcard; Local Encryption; Encrypted Television Signal; CI Plus Module; PCMCIA Interface; Copy of original digital content is not possible!]

CI Plus - Scope of Protection
[Figure labels: CA Conditional Access; CC Content Control]

CI Plus - Scope of Compatibility
[Compatibility matrix of Host against CA Module (CAM), each either DVB CI or CI Plus. Cells: Host in DVB-CI mode; Module in DVB-CI mode*; Host & Module CI Plus mode; Host & Module DVB-CI mode]
* DVB-CI mode operation permitted by network operator

CI Plus - System Overview
[Figure labels: CA Conditional Access; CC Content Control; CI Common Interface; CAM Conditional Access Module]

CI Plus - Specification History
2007-12 Specification Draft
2008-01 Specification
Specification
Specification
- Change number 002, effective 2009-04-23 (Security Extension)
  Summary: Errata of , CICAM CIS CI Plus compatibility advertisement
- Change number 005, effective 2011-03-01 (Security Extension)
  Summary: Security fix for CI Plus Host to check for Brand ID in a CI Plus CICAM device certificate during
Specification
- Change number 007, effective 2012-08-01
  Summary: Extensions of PVR related functionality, CAS protected recording removed, Parental Control Clarifications, Low Speed Communication Resource, Extended CI Tuning Resource, Operator Profile
2011-10 Specification
- Change number 013, effective 2012-08-01
  Summary: Errata of , implementation guidelines

CI Plus - Specification

Chapter  Title                                        Pages
1-3      Scope, References, Definitions               19
4        System Overview                              4
5        Theory of Operation                          47
6        Authentication Mechanisms                    16
7        Secure Authenticated Channel                 12
8        Content Key Calculations                     5
9        Public Key Infrastr. & Certificate Details   9
10       Host Service Shunning                        5
11       Command Interface                            22
12       CI Plus Application Level MMI                12
13       CI Plus MMI Resource                         4
14       Other CI Extensions                          52
Annex :316
file: : 2011-01-14

CI Plus - Specification Change
Key changes of compared to
- Extensions to PVR related functionality.
- CAS protected recording removed.
- Parental Control Extensions & Clarifications.
- Optimization of Low Speed Communication Resource & IP support.
- Extension to CI Tuning Resource to support Cable VOD Applications.
- Introduction of an Operator Profile.

Change Notice with References
- prng_seed per manufacturer [ ]
- URI version 2 [ ]
- Digital Only Token [ ]
- Content license [ ]
- Parental Control [ ]
- Recording and Storage [ ]
- Host Authentication [Table , step 13, item d]
- Certificates, Service operator ID [ ]
- Host shunning, SDT absent [ ]
- Version 2 of CC resource [ ]
- SAS APDU clarifications [ , Annex ]
- MHEG profile extensions [ ]
- Low Speed Communications v3 [ ]
- IP connection by name [ ]
- Application MMI clarifications [ ]
- Application MMI File Caching [ ]
- Host Control v2 [ ]
- Operator Profile [ , Annex N]
- APDU clarifications [Annex E]
- CIS Feature Identification [ ]
- Removal of PVR Resource [ , 15]

Details of changes:
file: : 2011-01-21
file: : 2011-03-10

CI Plus - Protocols
1. Compare CI+ versions supported by IDTV and
2. If both sides have the same auth key, they have performed a successful authentication with each
3. CI+ CAM and IDTV authenticate each other to make sure the opposite device is a valid CI+
4. The Secure Authenticated Channel (SAC) is used for transmission of security-related messages between CAM and
5. Usage Rules Information (URI) version negotiation to find a URI version that is supported on both
6. URI transmission and acknowledgement used by CAM to send a set of usage rules information to the
7. Content Control (CC) key calculation used by both sides to calculate keys for scrambling / descrambling of transport stream (TS).
8. System Renewability Message (SRM) transmission and acknowledgement is used from CI+ CAM to transfer SRM for HDCP and DTCP-IP to the

[Figure labels: Capability Evaluation; Auth Key Verification; Authentication; SAC Key Calculation; URI Version Negotiation; URI Acknowledgement; CC Key Calculation; SRM]

CI Plus - Transport Stream Output Protection
Host and CICAM Capabilities:
- DES-56-ECB: Data Encryption Standard, 56-bit key, Electronic Code Book (USA 1999-10, Federal Information Processing Standards, FIPS 46-3)
- AES-128-CBC: Advanced Encryption Standard, 128-bit key, Cipher Block Chaining (USA 2000-10, National Institute of Standards and Technology, NIST, FIPS 197)

CI Plus - Authentication
Supported Authentication Phases per Service Mode.
- Basic Service Mode
- Registered Service Mode
  - Requires upstream communication to HE (Head End)
example:
DH = Diffie-Hellman key exchange

CI Plus - Devices & external Interfaces
[Figure labels: Signals / Interfaces; Analogue: PAL / NTSC / SECAM, RGB / YUV / S-Video; Digital: HDMI / HDCP, DTCP-IP; Devices: IDTV, STB/PVR, CI Plus Display; time shifted recording (optional); Encrypted Content, paired to receiver: the content cannot be copied without]

CI Plus - Usage Rules Information (URI)
URI initial default value for host, after channel change:
- protocol version = 0x01
- emi_copy_control_info = 0b11 (Encryption Mode Indicator)
- aps_copy_control_info = 0b00 (Analog copy Protection System)
- ict_copy_control_info = 0b0 (Image Constraint Trigger/Token)
- rct_copy_control_info = 0b0 (Redistribution Control Trigger)
- rl_copy_control_info = 0b000000 (Retention Limit, default 90 min)
- reserved bits = 0b0

URI Mapping Table:
- Analog Output (MV, APS, CGMS, ICT)
- Digital Output (HDCP, DTCP, SPDIF)
- Digital Storage (AACS, CPRM, VCPS)
see Digital Transmission Content Protection, Specification 2007-10, rev

[Figure labels: Digital; Digital Storage]

CI Plus - Mechanisms of Revocation
Host Service Shunning
- Host shunning state determined from Service Descriptor Table (SDT)
- Shunning active: Service can only be descrambled by CI+ Module
- Shunning non active: Service can be descrambled by DVB-CI or CI+ Module
Host Revocation
- Certificate Revocation List (CRL) transmitted to CICAM black-lists a host
- Certificate White List (CWL) can revert a previous revocation of a host
- Level of revocation granularity:
  1. Unique host
  2. Range of hosts
  3. Certain model
  4. Certain brand
Revocation by CAS
- Possible, but out of CI Plus specification scope

CI Plus - Additional Interactivity with Consumer
CI Plus Browser
- Enables CI Plus modules to display graphics with menus, pictures, logos, .. in a common method on all CI Plus receivers/displays
- Allows easy interaction with default remote control
Support of MHP CA API
- Enables the broadcasted MHP application to communicate with a CA Smartcard inside the CI Plus module
Country- and Language Support
- Enables CI Plus modules to use the same language in menus, which is already defined by user in the receiver

CI Plus - LLP, Certificate Agent & Test Center
CI Plus LLP contact details:
- CI Plus LLP, , Pannell House, Park Street, Guildford, Surrey GU1 4HN, UK
- CI Plus LLP registered (no OC341596) in England & Wales
CI Plus LLP authorized Certificate Agent:
- TC TrustCenter GmbH, Sonninstrasse 24-28, 20097 Hamburg, Germany
- Tel/Fax: + :
CI Plus LLP approved Test Facility.
- Digital TV Labs Ltd., Venturers House, King Street, Bristol, BS1 4PB, UK
- Tel/Fax: + :

CI Plus - Documentation
Documents on
- CI Plus Specification Detailed Specification for Receiver and Module with change notes 002, 005 & 007
- Supplementary Specification Requirements for host revocation/shunning
- Implementations Guidelines
- Registration Application - Application for test and registration of a device
- CI Plus Logo Guidelines & Archive
- Test Specification of test- and registration process
Documents on
- On-Boarding Guideline
- Interim License Agreement (ILA)
  - Compliance a

