-.
`f
`
`.
`
`.
`.
`.
`
`f ...
`
`>
`f
`~ .
`
`ENCRYPTION: A CABLE TV PRIMER
`
`.·
`
`Anthony Wechselberger
`·Director, Advanced Engineering
`Oak Communications Inc..
`
`The use of encf)'ption technology in the dell vel)' of premium
`television is the center of much attention loday. II is also an
`area of misinformation where misunderstood terminology and
`technology are being discussed. This paper defines the prin."
`cipal requirements, characterislics and br;meflts of encryption
`technology as it can be applied to pay TV. Particular attention
`is paid to...cll1fa"entlatlng the essentials of what constitutes
`"cryptographic security" from less complex techniques
`employing simple time varying characteristics or multiple
`scrambling modes .. The fundamentals of encryption, principal
`· approaches to its utilizallory and some associated technical
`jargon will be explained. The concept of the cryptographic
`"key" and the importance of secure key distribution will also
`be defined.
`·
`·
`One major area of confusion lies In the technical differ(cid:173)
`ences between encryption and scrambling and, particularly,
`hybrid utilizations of the two. In understanding some basics
`about of)'ptography, one can better appreciate these differ(cid:173)
`ences, and differentiate buzz words from substance In the ex(cid:173)
`panding selection of products utilizing encrypUon.
`
`· tJA I( .Communications Inc.
`
`APPLE EX. 1027
`Page 1
`
`

`
`ITS TIME HAS COME
`CATV SYSTEM SECURITY -
`Whenever there's a need in the marketplace, any market(cid:173)
`place, responses to that need vyill be garnered from the market
`suppliers. The attribute approach to product demand theory
`tells us that demand can be·influenced by need, price, com(cid:173)
`petition and budget, as well as a whole set of attributes con(cid:173)
`nected to the products perceived value or need. This can be
`hypeq one way or another by advertising, the "bandw~gon
`effect" and the !ike, which affects the consumer's perception~
`and tastes.
`And so It is In our marketplace, the CATV market, where
`specmanship and buzzwords·change each year in the scram-·
`ble for market share. This is not a negative thing. Consu~er
`features in converters and decoders, for example, is an area
`where much innovation has taken place. When the consumer
`gives up the remote control for his $800 console TV, system
`suppliers are n.ow able to glv_e back some of those remote con·
`veniences with newer CATV equipment.
`'
`The demands we cable equipment suppliers react to must
`be responsive to both the end user and our immediate con(cid:173)
`sumer the MSO. The MSO in turn creates needs, but also
`respo~ds to th~ palpitations of his own market, for which he
`purchases equipment, runs a busine~s. and distributes pro(cid:173)
`gramming. He must control the consumption of his product
`(programming) for both short term and long term gains and
`market stability.
`·
`The process of controlling that product brings us to security
`and the newest contemporary market response: encryption
`. technology.' The Industry h.as responded to a O!:!ed for better
`security already, although not directly. The evolution of prod·
`ucts into the baseband arena is being aided primarily by two
`attributes, one real, one perceived. The "real" attribute is in·
`.. creased utility as a result of baseband processing. Examples
`l are user features (such as Yolume control), 81"\d the freedom
`' to do novel kinds of signal processing. The "perce[ved" attri(cid:173)
`bute Is security. In reality, being at baseband ha.s litlle to do
`with the ability of a system to resist compromise.
`
`An understanding ot the value ot encryption when prop(cid:173)
`erly applied is the goal of· this paper. It is intended that t.he
`skeptical reader be swayed by discussions and expl<!-natlons
`contained herein by looking at a system's security_from a
`global standpoint. By understanding some of the buzzwords,
`and asking a tew critical questions about how the system you
`are evaluating is put together, you can tear down the rhetoric
`and make the tradeoffs: We first look at the main facets of a
`contemporary cable system.
`
`THE ADDRESSABLE SYSTEM -
`·
`WHAT'S IMPORTANT, WHAT'S NOT
`A CATV system is a communications system In a modern
`addressable system there are four basic kinds of information .
`sent: Program video; Program audio; Control information;
`Data Services; (Figure 1).
`
`Onder data services is lumped a variety o1 additive types
`· of digital information such as teletext, videotext, down(cid:173)
`loaded software such as games or computer programs, and
`any Interactive communications. While the need lor security
`of these service will certainly become evident in time, the lack
`of standardization in· format or modulation/transmission
`techniques causes us to set this category aside for the
`moment.
`In securing premium television delivery, the methods of
`han'dlingthe first three iAiormation types are within the con(cid:173)
`fines of a specific addressable paylY·system. Program audio
`and video are generally, though not always, associated with
`each other. For simplicity we consider them two constituents
`of a premium broadcast;as Is usually the case. TheY. are
`counted separately above, however, for two reasons: their
`broadcast formats are different and independent (VSB AM
`versus FM), and the associated channel bandwidt!lsrequired
`for each are an order of T]lagnltude different. The relevance
`of these differences will be explained, but we note that pre(cid:173)
`mium programming has no entertainment value without both.
`
`. 1-- _....,
`
`0111:1
`
`-a:III'IQ.
`
`-{-=
`
`Of" : aMPn
`
`Figure 1. Contemporary CATV Network
`
`- .~
`
`APPLE EX. 1027
`Page 2
`
`

`
`.. ..
`
`The ttiird information type, "control" is whatever is us~d by
`the manufacturer (assuming an addressable system) for net·
`work control and authorization purposes. Note that the con·
`trol channel or channels have no direct relation to the enter(cid:173)
`tainment being purchased. One of the first questions to ask
`tjlen about a scrambling system Is what Is the function of the
`control/authorization channel? Secondly, how is it related to
`the scrambling approach If at all? In most systems the con·
`tro t channel(s) direct t he decoder to deCQde or not to decode
`as a function·ot channel tuned to, or the " tier" of a given pro(cid:173)
`gram. Critical to the Issue is whether any information can(cid:173)
`tal ned In the control-channel is used In the decoding process.
`If not, the control channel can be Ignored when attempting
`Illicit program access. Likewise, If the scrambling technique
`or. decoder circuitry easily succumbs t o one-time defeats, the
`.control channel content is of no interest. Such is the case
`when descrambling can be accomplished by observation of
`the scrambled signal alone.
`'
`What about "'time v~rylng scrambling"? Time varying
`scrambling adds a dimension of change to the scrambling pro(cid:173)
`cess such that the decoder will not property deeode at all
`times unless· it appropriately follows the change. Is this
`better security? To a degree, yes. But consider the pirate enter(cid:173)
`preneur who wishes to build the "universal decoder!' Most
`positive scrambling systems use one of several teChniques
`Of suppressing the horizontal synch pulse. ('Positive" sys(cid:173)
`tems are those wf:ilch actively scramble the premium signal,
`and thus require a decoder. " Negative" systems remove the
`si gnal from the unauthorized viewer througl) filters or signal
`path switching.) Whether the systems' scrambling is at AF or ·
`baseband the pirate's universal decdder, if built to operate
`at baseband, can quite easily re-construct t he synch pulse
`completely Ignoring all control channel information, tinie vary(cid:173)
`Ing or not .
`Figqre 2 illustrates several avenues where system attacks
`can take place. While simple wire changestclipping/sh,orts,
`etc. are the deadly fears of operators, In fact there are many
`ways to attempt piracy. Jamming tones can be fillered, notch
`filters which trap out pay channels can be removed, address(cid:173)
`ing dat a can be synthesized locally, and add.on hardware in
`the decoder can be employed.
`
`What is desired is a scrambling technique which 1) renders
`the entertainment value of scrambled programming useless,
`2) does not tend itself prey to one-time defeats (implies some
`sort of time-dependence), 3) cannot be undone by observation
`of the scrambled waveform, and 4) req uires information con·
`tinually downloaded from the headend, forcing contact
`through the cont rol channel between headend and decoder
`to be maintained.
`The last crit erion has an Important implication: in order to
`effect proper decoding, it's necessary for the decoder to be
`instructed how to decode, not just simply when to decode. In
`an addressable system, the control. channel is the link be·
`tweell headend and decoder over which decoding lnstruc·
`lions can be sent.
`The previous discussion is _gearing u:; toward the theme of
`this paper. Prif'Cipally that in CATV distribution "security'' Is.
`a systems issue. The simplest method of defeat will be the
`p.ath followed by the would be pirate. The system must there·
`tore be viewed from several angles and an adequate threshold
`against compromise developed for each. How much added
`security Is afforded by random video I nversion o f the picture,
`. for example, If a simple-to-detect " flag" exists in the vertical
`interval indicating polarity? Is any security afforded In an ad·
`dressable system simply because it's addressable? Not If it's
`easier io address (authorize) the box yoUrself than it is to open
`the box up and tamper with circuitry. At one time such argu(cid:173)
`ments would have been considered too far out to worry about
`But premium TV is big business these days and getting big·
`ger. The motivations for the program thief an.d the MSO de-
`mand attention to t hese details as never before.
`·
`
`CASU
`TA~,
`
`CATV _..,..
`CABlE
`
`SOIAM8LSI \l1t'EO
`
`SCRAMBLED AUOIO
`
`. COtmiOl OATA
`
`AlflhJAM )
`flll:li(S).
`nc
`
`(
`
`----------+
`------.. ( T=NG )
`
`-..--!I
`
`Figure 2. Network A ttack Scenarios
`
`oECriwl
`BOX
`
`TO
`TV
`
`AOO-oN
`HARDWARE
`
`APPLE EX. 1027
`Page 3
`
`

`
`.
`ENCRYPTION IMPLIES DIGITAL
`Now that we have defined what Is desired, the value of en(cid:173)
`cryption will be less mystifying. F(l( encryption simply enables
`a complex security problem, in which many variables (audio,
`video, control) must be secured, to be bottled up into just pro(cid:173)
`tecting a lew digital words. How this Is brought about requires
`an appreciation fC)( the difference between analog and digital
`transmission. ·
`Standard television transmission, including all current
`scrambled pay TV techniques, is analog. That is, irrespective
`of whatever pre-processing or post processing technique$ are.
`used, the signal is analog during its transmission phase. Even
`newer systems claiming to employ "digital video" are in fact
`transmitted analog. The fact that they are processed qlgital(cid:173)
`ly at the headend or receiver is purely an Implementation con(cid:173)
`venience (and as yet an expensive one). The reason true digital
`video transmission techniques are not ~sed In a matter of
`cost, both In terms of dollars and bandwidth. To digitize fi color
`video picture requires a data rate between approximately 20
`MBs and 80 MBs, depending on the coding technique and
`degree of compression applied. Efforts to reduce this bit
`stream appreciably arc pocoible, but at extreme penalties of
`cost or picture fidelity.
`The audio portion of a television program Is less prohibi(cid:173)
`tively handled digitally. A. bit rate between 200 KBs and 700
`KBs Is necessa.y for digital audio, end this data can be readily
`transmitted within the confines of a standard 6 MHz video
`channel (along with the video, of course). Digital audio pro(cid:173)
`cessing Is no easy trick, however, this sort of technology re(cid:173)
`quires a very sophisticated degree of systems engineering
`capability. ·
`Once we have prepared the information Itself for digital
`transmission, the door Is open for the application of encryp(cid:173)
`tion. The controtchannolla lnhe.-cnUy digital so it too oo.n be
`"cryptographically" protected.
`·
`
`BQ)ONG IT UP - THE ENCRYPTION OVERLAY
`There are two main categories of modem encryption ap(cid:173)
`proaches: the "classical" or "conventional" approach and the
`"public-key" approach. The public key crypto system is, In
`theory, capable of performing all o f the functions of the clas(cid:173)
`sical technique, but has a few special qualities in tha~ fewer
`secret variables need to be passed around in the system. II
`also has implementatlonal difficulties which make it less than
`; attractive for many applications. For purposes of this paper,
`we consider only the classical system.
`. .
`·
`In the convent ional encryption pfocess (Figure 3) a d1g1tal
`bit s tream (the Information) Is passed through an algorithm
`which tr;lhsforms the Input into a seemingly unrelated output
`bit stream. The transformation which Is performed Is a func(cid:173)
`tion of the "key variable!' and In a conventional system the
`same key Is used at both the transmit side where enc:;ryption
`is performed, and the receiVe side where decryption Is per(cid:173)
`formed. Since tho key ic a digital word of many bits, many dif(cid:173)
`ferent transformations are possible by varying the koy.ln a
`"good" algorithm, all keys are equally stro!lg o.e.: resistant
`to " cracking'1, and no detectable relaUonsh1p exists between
`the input data, output data, or key variable.
`
`The process of encryption muSt, of course, be.reversible.
`That is, applying the same key at the receiver must yield back
`the original message. The origi nal, non-encrypted data is
`called clear or plain text, the encl)'pted !fata is called cypher
`text. So during transmission, I.e., between headend and de(cid:173)
`code.-, only non-intelligible cypher text is available to the
`would be tamperet".lf the decoder doesn't have the proper key,
`no message or clear text will be obtainable, even if the pirate
`has the harc;Jware. Further, In a properly designed s_rstem
`based on cryptographic security principles, we can g1\le the
`pirate Just about anything he desires: hardware, access to,
`and kn<;>wlcdge about the control channel, schematics, any
`lirrJ)ware, even tho crypto algorithm itself. The only doorway
`to Information access, or in our case programming, Is through
`the key variable. Controlling access to the key variables Is thus
`essential. This is called "key distribution;• and Is the basis for
`what ultimately makes or breaks the security o f a crypto(cid:173)
`graphically-based system. The cryptographic or encryption
`algorith m, therefore, can be lhought of as a lockbox. The
`message is encrypted or locked by the algorithm, and can only
`be unlocked by the same algorithm, which means the lden·
`tical digital key must be used for decryption (we have yet to
`define ex!lctly what is being encl)'ptecl).
`KEY DISTRIBUTION
`hi a broadcast scenario, the problem$ of key variable dJs.
`tributlon are not easy to solve. It p robably has occurred to
`the reader by now that If access to working har~ware Is given
`to the pirate, It Is little trOl!ble to determine what digital key
`is being u~ed for decryption. RecaU, we said earlier that o_ne(cid:173)
`tlme deleals will not be allowed. Therefore, tlie message
`encryption/decryption keys (referred to as ''service keys:' since
`they are used in encrypting the service which in our case Is
`programming) must be changed from time to Ume.lhe inter(cid:173)
`val depends on tne key 1engt11, the ability or the encryption·
`algorithm to resist Mnlysls by computer, the expected &e·
`cesslblllty of the key, and the motivation of the system's
`enemy. Changing the key itself, ir performed as part of the
`communications system network control protocol, is really
`very easy once tho methOd is derived. (Alternate methods
`might be by courier, mall, etc.)
`.
`In an addressable system the CATV control channel is the
`obviOus choice for a key distribution path. But one can't 1\ISt
`go broadcasting the new keys throughout the network. Thoy
`must remain secret to all but authorized decoders. The solu(cid:173)
`tion for controlling key access Is to encrypt the keys for
`transmission. In fact, several types of information passing
`through the control channel .are candidates for encryption.
`Authorization-or tiering d ata, for example should also be con(cid:173)
`sidered "sensitive" Information as, as po_lnted out earlier, It
`can easily be synthesized and fed to the decoder by simple
`digital hardware or any hor:ne computer. Such control chan·
`nel manipulation by other than the legitimate network con·
`troller Is callea tampering. Attempts to subvert the system by
`tampering is called "spoofing~·
`So, we see that encryption alone-will not secure the Infor(cid:173)
`mation exchange .. Integrated within the system must be a
`totally planned oul methodology for key distribution anO.-pro(cid:173)
`tection against spoofing.
`
`--('=')
`
`Figura 3. Classical Cryptographic System
`
`APPLE EX. 1027
`Page 4
`
`

`
`I. 1 .
`
`s'AcK TO'BASJCS
`Armed with some encryption fundamentals, we loo~ ~t
`the CATV distribution problem. Emphasized earlier was the
`notion that encrypHon is a digital process, that digital video
`transmission is not yet feasible, but that digital ~udio is. By
`recognizing that a time varying analog s?rambhng p~ocess
`can be developed in which the descrambhng proc~ss 1s con(cid:173)
`trolled digitally, we have a solid basis for an accepttbly secure
`entertainment delivery system. The other component s are
`digital, encrypted audio, and an encrypted contr~l channel for
`network control, key distribution and authorization of all pro:
`gram distrib!Jtion and user features from the headend. In this
`system the Information in the control channel must be Elm·
`played to gain access to the services, because the services
`themselves are locked by the encryption overlay.
`Time for another definition: VIdeo " scrambling" refers to
`processes.that are inherently analog. Une swapping, segment
`swap'ping, or other such time shuffling techniques operate·to.
`destroy the picture, and are quite effective. But they do not
`represent examples of encrypted video~ for encryption re(cid:173)
`quires a digital information source.· Rather, these examples
`represent time varying analog scrambling controlled by an en·
`cryptlon process. Essentially any analog scram~ling approach
`can be used with digital encryption of the audt~ and control
`channels provided it adequately destroys the p1cture and Is
`tied Into the decryption process. This tie-in must be such that
`Information necessary tor p_roper descrambllng Is secured
`{and not self-evident by observatiOf! of the video).by the re· ·.
`qulrement for proper decryption.
`In such a system "medium" security of the vldeo exis~s and
`"hard" security on the audio Is achieved. These phrases relate
`to the relative difficulty of pi~tlng tfle resulting ~ystem. While
`anCjlog scrambling is known to be less secure than encryption·
`based protection, with hard audi o the entortainmc~t vo.luo of
`the programming is, In fact, secured .. In almost all current
`CATV systems, the audio channel is in the 'clear, o r at pest
`located on an easily defeated aural subcarrler. This leaves the
`only barrier to piracy the video scrambling. In the system
`described above, the video scrambling is very difficult to
`defeat and the audio is unrecoverable to the extent that the
`encryption cannot be broken.
`Additional remarks are due in the area of key distribution.
`By transmitting service keys in an encrypted 'fashion through· ·
`out the system, we have not really solved the key distribution
`problem because to encrypt the service keys requires yet
`another key. Such is the notion of mul~llevel key distribution
`. (Figum 4). Various information el<change networks (local area
`networks electronic funds transfer, military communications,
`etc.) req~lre different implementations of a multilevel ap(cid:173)
`proacn. In !he CATV environment tho requirements dictate
`that =t) when the service keys are updated {changed), all de·
`coders (and the encoder) must do so at the same time, 2) the
`system qperation must insure that all decoders have had t~e
`new keys property delivered, decrypted and prepared pnor
`engaging them, and 3) only authorized decoders are able to
`perform (1) and (2).
`
`Additional ·problems having to do with error controlleJTOr
`propagation. must be addressed whe~ dealing with encryp·
`tion. Encryption algorithms generally have the characteristic
`that bit errors occurring in the receiving/detection·,process
`avalanche during decryption. Poor.attenllon to detail in the
`systems design phase ot a networi< employing encryption can·
`have catastrophic results.
`
`nie ADVERTISEMENT
`Having given the reader enough background in the mean(cid:173)
`ing of "cryptographically" protected CATV delivery system,
`the following Is a brief description of Oak's new Cable Sigma
`system.
`·
`Scrambled video Is employed, wherein complete horiz.on·
`tal and vertical synch pulse removal (a~ opposed to synch
`pulse suppression) is performed. Two channels of audio are
`digitized, encrypted and imbedded In the video. The standard
`aural carrier Is not used, but Is available. Two separate con·
`tre>l channels are employed; the first, a global, FSK·modulated
`channel which all decoders continuously monitOr; the other,
`an in..ohannel VBI {vertical blanking interval) data path which
`is channel-specific. The former contains general authori~tion
`and system oriented control data. The latter contains program·
`specific data relevant to a given channel and time. Separate
`serviCe keys are utilized for each cliannel and the keys are
`varied continuously. A muitl.Jevel key distribution system Is
`employed In which three key variables are used. These Include
`a. box-specific key which Is secret and un!que to each boX
`{unknown, even to the MSO), a variable second-level key cqm·
`mon to all legitimate subscribers, and the service keys. Solid
`s1ate non·volatlle memory Is used In the decqderto store ke)
`and authorization information {encrypted while stored). Each
`box also has a non-secret box address which Is its address·
`lng 10 used by the headend computer to communicate tc
`the box.
`.
`A 64 bit field structured data·packet-based communication~
`protocol has been designed around t he FSK dat~ chan'nel.
`These packets deliver a continuous stream of data to· de·
`coders both globally-and box·speclflc for purposes of encfYP'
`lion key delivery, special event programming, box installation.
`and downloading of system parameters and box features.
`Special provisions exist to guard against spoofing and 00)1
`swapping between systems. Protect~o~ for time-dependent
`variables and error control is also provtded.
`
`.
`CONCI:.US10N
`Oak Is proud to present Sigma. With the Information con·
`talned in this paper, It Is our hope that th(l reader Is bette•
`equipped to appreciate the security features available to hilT
`In this exciting new product line. The technology behlnc
`Sigma lias been In development at Oak for the past four years
`Extensive experience In digital audio and application of cryp
`tpgraphlc prfnciples has been accrued t hrough Oak's ORIOI\
`satellite security system and STV Sigma operations. Custorr
`LSI circuits developed and used on those programs have beer
`applied to Cable Sigma, and represent a maJor technology ad
`va'ntage toward reliability and manufacturabllity. W e Invite
`you to Inquire for more detailed Information, and encourage
`a comparison between Sigma and any CATV product on the
`m arket. With Sigma, program distribution is yours to control
`
`:;-.
`
`cocoa.....,..._.
`1---~---· _..,.ftlioollll
`
`-....
`
`Figure 4. Multilevel Key-Distribution
`(Decoder End)
`
`~ >>-----------IJ :E: L
`-
`l
`I -Q(M.E-.. ~
`~
`
`APPLE EX. 1027
`Page 5
`
`

`
`·
`
`.
`
`; ,
`
`ttl~~ Communications Inc.
`
`16935 West Bernardo Drive, Rancho Bernardo, CA 92127
`
`About the Author:
`
`Mr. Wechelberger is director of advancefl engineering for Oak
`Communications Inc. His major areas of concentrat/on '8ra
`communfcatfons, computers, digital processing and control.
`He joined Oak in 1980 and spent 2 years In the corporate ad·
`vanced technology group workfng to devslop a technology
`baSfilin cryptographic area. Research centered on synthesis
`of hardware and software based proprietary cryptographic
`algorithms, cryptanalysis, aJld key distribution scenarios lot
`the broadcast environment. Before joining Oak, he spen·t 6
`· years with General Dynamics Electronfcs Division working
`with data communications hardware, digital control sys·
`tems, microprocessor systems and radar signal processing
`systems.
`
`Th• $)'stem and equJpt11en1 de$Cribea in 1hls papet 1re covt.n-d by pale-ntsl.s$ued a:.d
`ap,plled ror.
`
`APPLE EX. 1027
`Page 6