`
`I w .... ·
`
`I,
`
`*' ' ·~·
`
`.·
`
`ENCRYPTION: A CABLE TV PRIMER
`
`Anthony Wechselberger
`·Director, Advanced Engineering
`Oak Communications Inc.
`
`.·
`
`The use of encl}'ption technology in the delivery of premium
`television is the center of much attention today. II is also an
`area of misinfonnaUon where lflisunderstood terminology and.
`technology are being discussed. This paper defines the prin·
`clpal requirement s, characteristics and b~nelits of encryption
`technology as it can be applied to pay TV. Particular attention
`is paid to..dllferentiatlng the essentials of what constitutes
`"cryptographic security" from less complex techniques
`employing simple time varying characteristics or multiple
`scramblfng modes. The fundamentals of encryption, prindpal
`· approaches to its utilization and some associated technical
`jargon will be explained. The concept of the cryptographic
`"key" and the importance of secure key distribution will also
`be defined.
`·
`·
`One major area of confusion lies In the technical differ(cid:173)
`ences between encryption and scrambling and, partlovlarly,
`hybrid utilizations of the two. In understanding some basics
`about CJYplog.raphy, one can better appreciate these differ(cid:173)
`ences, and differentiate buzzwords fro!ll substance In the ex(cid:173)
`panding selection of products utilizing encrypUon.
`
`· tiA I( .Communications Inc.
`
`APPLE EX. 1027
`Page 1
`
`
`
`ITS TIME HAS COME
`CATV SYSTEM SECURITY -
`Whenever there's a need in the marketplace, any market(cid:173)
`place. responses to that need o,yill be garnered from the market
`suppliers. The attribute approach to product demand theory
`tells us that demand can be·influenced by need, price, com(cid:173)
`petition and budget, as well as a whole set of attributes con(cid:173)
`nected to the products perceived value or need. This can be
`hypeq one way or Mother by advertising, the "bandw~gon
`effect"' and the !ike, which affects the consumer's perception~
`and tastes.
`And so It is In our marketplace, the CATV market, where
`specmanship and buzzwords·change each year in the scram•
`ble for market share. This is not a negative thing. Consu~er
`features in converters and decoders, for example, is an area
`where much innovation has taken place. When the consumer
`gives up the remote control for his $800 console TV, system
`suppliers are n.ow able to give back some of those remote con·
`veniences with newer CATV equipment.
`'
`The demands we cable equipment suppliers react to must
`be responsive to both the end user and our immediate con(cid:173)
`sumer the MSO. The MSO in turn creates needs, but also
`respo,;ds to th~ palpitations of his own market, for which he
`purchases equipment, runs a business. and distributes pro(cid:173)
`gramming. He must control the consumption of his product
`(programming) for both short term and long term gains and
`market stability_
`-
`The process of controlling that product brings us to security
`and the newest contemporary market response: encryption
`- technology: The Industry h_as responded to a need for better
`security already, although not directly. The evolution of prod·
`ucts into the baseband arena is being aided primarily by two
`attributes, one real, one perceived. The "real" attribute is in·
`.. creased utility as a result of baseband processing. Examples
`) are user features (such as volume control), a11d the freedom
`to do novel kinds of signal processing. The "perce[ved" attri(cid:173)
`bute is security. In reality, being at baseband ha.s little to do
`with the ability of a system to resist compromise.
`
`An understanding ot the value ot encryption when prop(cid:173)
`erly applied is the goal of· this paper. It is intended that t.he
`skeptical reader be swayed by discussions and expi(!Jlatlons
`contained herein by looking at a system's security_from a
`global standpoint. By understanding some of the buzzwords,
`and asking a few critical questions about how the system you
`are evaluating is put together, you can tear down the rhetoric
`and make the tradeoffs: We first look at the main facets of a
`contemporary cable system.
`
`·
`THE ADDRESSABLE SYSTEM -
`WHAT'S IMPORTANT, WHAT'S NOT
`A CATV system is a communications system In a modern
`addressable system there are four basic kinds of information .
`sent: Program video; Program audio; Control information;
`Data Services; (Figure 1).
`
`Onder data services is lumped a variety of additive types
`· .of digital information such as teletext, vldeotellt, down(cid:173)
`loaded software such as games or computer programs, and
`any interactive communic~tions. While the need for security
`of these service will certainly become evident in time, the lack
`of standardization in· format or modulation/transmission
`techniques causes us to set this category aside for the
`moment.
`In securing premium television delivery, the methods of
`han'dlingthe first three inlorrnation types are within the con·
`fines of a specific addressable pay1Vsystem. Program audio
`and video are generally, though not always, associated with
`each other. For simplicity we consider them two constituents
`of a premium broadcast,-as is usually the case. TheY. are
`counted separately above, however, for two reasons: their
`broadcast formats are different and independent (VSB AM
`versus FM), and the associatecl channel bandwidt~s required
`for each are an order of f!18gnitude different. The relevance
`of tl1ese differences will be explained, but we note that pre(cid:173)
`mium programming has no entertainment value without both.
`
`-.-~
`
`Figure 1. Contemporary CATV Network
`
`APPLE EX. 1027
`Page 2
`
`
`
`..
`
`The third information type, "contror• is whatever is used by
`the manufacturer (assuming an addressable system) for net·
`work control and authorization purposes. Note that the con·
`lrol channel or channels have no direct relation to the enter(cid:173)
`tainment being purchased. One of the first questions lo ask
`then about a scrambling system Is what Is the function of the
`control/authorization channel? Secondly, how is i1 related to
`the scrambling approach II at all? In most systems the con·
`trot ohannol(s) direct the decoder to deoode or not to decode
`AS a functlon"of channel tuned to, or the " t ie(' of a given pro.
`gram. Critical to tho Issue is whether any information cOn·
`tal ned In the control·channel ls used In the decoding process.
`If not, the control channel can be Ignored when attempting
`Illicit program access. Likewise, It the scrambling technique
`or decoder circuitry easily succumbs to one·time defeats, the
`control channel content Is of no interest. Such is the case
`when descrambling can be accomplished by observation of
`•
`the scrambled sipnal alone.
`What about " time v~rylng scrambling"? Time varying
`acrambll ng adds a dimension of change to the scrambling pro(cid:173)
`cess such that the decoder will not properly decode at all
`times unteM· It appropriately follows the change. Is this
`better security? To a degree, yes. But consider the pirate enter·
`preneur who wishes to build the "universal decode(.' Most
`positive scrambling systems use one of several teChniQues
`of cuppressing the horizontal synch pulse_ ('Positive" sys(cid:173)
`tems are those which actively setamble the premium signal
`and thus requi~ a decoder. "Negative" systems remove t~
`signal from the unauthorized viewer thfoug(l filters or signal
`path swit ching.) Whether the systems' scrambling is at AF or ·
`baseband the pirate's universal dec<ider, if built to operate
`at baseband, can quite easily re-construct the synch pulse
`completely Ignoring all control channel information, time vary.
`lng or not.
`-
`Fig&fre 2lllustrates several avenues where system attacks
`can take place. While simple wire changes/clipping/shorts
`etc. are the deadly fears of operators, In fact there are many
`ways to attempt piracy. Jamming tones can be fillered, notch
`filters which trap out pay channels can be removed, address.
`lng data can be synthesized locallv. and add-On hardware in
`the decoder can be employed.
`
`What is desired is 8 scrambling technique which 1) renders
`the entertainment value of scrambled programming usefess,
`2) does not lend itself prey to one-time defeats (implies somo
`sort of time-dependence), 3) cannot be undone by observation
`of the scrambled waveform, and 4) requires information con·
`tinually dOwnloaded from the neadend, forclng contact
`through t he control channel between headend and dacodor
`to be maintained.
`Tho last criterion has an Important implication: in order to
`effect proper decoding, it's necessary for the decoder to be
`Instructed how to decode, not just simply when to decodo. ln
`an addressable system, the control. channeJ is the link be·
`twoon headend and decoder over which decoding Jnstruc·
`lions can be sent.
`The previous discussion is _gearing u,s toward t he thome of
`this paper. Pri(lcipally that In CAlV distribution "security" Is.
`a systems issue. The simplest method of defeat will be the
`path followed by the would be pirate. The system must there·
`lore be viewed from several angles and an adequate threshold
`against compromise developed for each. How much added
`security is afforded by random video Inversion of the picture,
`for example, If a simple-to-detect "flag" exists In the vertical
`Interval indicating polarity? Is any security afforded In an ad(cid:173)
`dressa.ble system simply because it's addresSable? Not If It's
`easier to address (authorize) the box yoUrself than it is to open
`tho box up and tampor with circuitry. At one time such argu·
`ments would have been considered too far out to worry oboul.
`But premium TV is big business these days and getting big(cid:173)
`ger. The mouvatlons for the program thief afl:d the MSO de(cid:173)
`mand attention to the so details as never befOI'e.
`
`CATV __ .
`CA8I.E
`
`• CUHT10l. DATA
`
`CAIIU
`
`TA~
`
`--- ( ~· )
`---.. (r~ )
`~-~ ._z _ _.
`
`Figure 2. Network A t tack Scenarios
`
`DECriool
`eox
`
`TO
`TV
`
`AOIHlN
`HARDWARE
`
`APPLE EX. 1027
`Page 3
`
`
`
`.
`ENCRYPTION IMPLIES DIGITAL
`Now that w e have defined what is desired, the value of en(cid:173)
`cryption will be less mystifying. For encryption simply enables
`a complex security problem,in which many variables (audio,
`video, control) must be sucure<l, to be bottled up into just pro(cid:173)
`tecting a lew digital words. How this Is brought about requires
`an appreciation fort he difference between analog and digital
`transmission. ·
`Standard television transmission, Including all current
`scrambled pay TV techniques, is analog. That is, irrespective
`of whatever pra.processlng or post processing technique{) are.
`used,lhe signal is analog during its transmission phase. Even
`newer systems claiming to employ "digital video" are in fact
`transmitted analog. The fact that they are processed d,igital(cid:173)
`ly at the headend or receiver is purely an Implementation con(cid:173)
`venience (and as yet an expensive one). The reason true digital
`video transmission techniques are not used In a matter of
`cost, both in terms of dollars and bandwldih. To digitize A color
`video picture requires a data rate between approximately 20
`MBs and 80 MBs, depending on the coding technique and
`degree of compression applied. Efforts to reduce this bit
`stream appreciably aro pocolble, but at extreme penalties of
`cost or picture fidelity.
`.
`·
`The audio portion of a television program is less prohibl·
`lively handled digitally. A. bit rate between 200 KBs and 700
`KBs Is necessary lor digital audio, and this data can be readily
`transmitted with in the conllnes of a standard 6 MHZ video
`channel (along with the video, of course). Digital audio pro(cid:173)
`cessing Is no easy trick, however, this sort of technology re(cid:173)
`quires a very sophisticated degree of systems engineering
`capability. ·
`Once we have prepared the information itself for digital
`transmission, the door Is open lor the application of encryp(cid:173)
`tion. The control.chonnoll' lnhMenUy digital 3o it too can bo
`"cryptographically" protected.
`·
`
`BOXING IT UP -THE ENCRYPTION OVERlAY
`There are two main categories of modem encryption ap(cid:173)
`proaches: the "classical" or "conventional" approach and the
`"publlc·key" approach. The public keY. crypto system is, In
`theory, capable of performing a ll o f the tunctlons of the clas(cid:173)
`sical technique, but has a lew special qualities in tha~ fewer
`secret vaJiables need to be passed around in the system. It
`also has implementatlonal difficulties which make it less than
`; attractive for many applications. For purposes of this paper,
`we consider only the classical system.
`·
`In the conventional encryption p(ocess (Figure 3) a digital
`bit stream (the Information) Is passe(j through an a.lgorithm
`which tr~nsforms the Input Into a seemingly unrelated output
`bit stream. The transformation Which Is performed Is a func(cid:173)
`tion of the "kay variable!' and in a conventional system the
`same key Is used at both the transmit side where em;ryption
`Is performed, and the receive sldo where decryption Is per·
`formed. Since tho key Is a digital word o f many bits, many dlf·
`ferent transformations are possible by varying the key. In a
`"good" algorithm all keys are equally strong (i.e.: resistant
`to "cracklng'1, and no detectable relationship exists between
`the input data, output data, or key variable.
`
`The process of encryption must, of course, be.re·versible.
`That is, applying the same key at the receiver must yield back
`the original message. The original, non-encrypted data is
`called clear or plain text, the encrypted ~ata is called cypher
`text So during tr31lsmlsslon, I.e., between headend and de(cid:173)
`coder, only non-intelligible cypher text is available to the
`would be tamperer.lf the decoder doesn't have the proper key,
`no message or clear text will be obtainable, even if the pirate
`has the hardware. Further, In a properly designed system
`based on c,YPiographlc security principles, we can gl\le the
`pirate Just about anything he desires: hardware, access to,
`and knc;>wlcdge about the control channel, schematics, any
`fir(Jlware, even the crypto algorithm itself. The only doorway
`to Information access, or In our case programming, Is through
`the key variable. Control II ng access to the key variables Is thus
`essentiaL This Is called "key distribution:· and Is the basis for
`what ultimately makes or breaks the security of a crypto(cid:173)
`graphically-based system. The cryptographic or encryption
`algorithm, therefore, can be thought of as a lookbox. The
`message Is encrypted or locked by the algorithm, and can only
`be unlocked by the same algorithm, which means the lden·
`tical digital key must be used for decryption (we have yet to
`define ex!'ctly what is being encrypiB{j).
`KEY DISTRIBUTION
`In a broadcast scenario, the problem,s of key variable dfs..
`trlbutlon are not easy to solve. It probably has occurred to
`the reader by now that If access to working hard_ware Is given
`to the pirate, II Is little tro1.1ble to determine what digital key
`is being u~ed for decryption. RecaU, we said earlier that one·
`time defeats will not be allowed. Therefore, tt'te message
`enorypt.lon/decryptlon koys (referred to as "sel\lice keys!' since
`they are used In encrypting the service which In our case Is
`programming) must be changed from time to time. The inter·
`val depends on the key length, tile ability or the encryption·
`algorithm to resist 3nnlysls by computer, the expected ac(cid:173)
`cessibility or lhe key, and the motlvatlon of the system's
`enemy. Changing the key itself, if performed as part of the
`communications system network control protocol, Is really
`very easy onoe tho mothdd Is derived. (Alternate methods
`might be by courier. mall, etc.)
`.
`In an addressable system the CATV control channel is the
`obvious choice for a key distribution path. But one can' t J\lst
`go broadcasting the new keys throughout the network. Thoy
`must remain secret to all but authorized decoders. The solu(cid:173)
`tion lor controlling key access is to encrypt the keys for
`transmission. In fact, several types of infonnatlon passing
`through the control channel _are candidates for encryption.
`Authorlzatlon·or tiering d ata, for example should also be con(cid:173)
`sidered "sensitive" Information as, as po_lnled out earlier, It
`can easily be synthesized and fed to the decoder by simple
`digital hardware or any ho(Jle computer. Such control chan(cid:173)
`nel manipulation by other than the legitimate network co.n(cid:173)
`trotler Is call eo tamperin g. Atlempts to subvert the system by
`tampering Is called "spoofing:•
`So, we see that encryption alone-will not secure the infor(cid:173)
`mation exchange. Integrated within the system must be a
`totally planned out methodology ror key distribution an(}pro(cid:173)
`tection against spoofing.
`
`---
`
`-:::::-
`
`('::')
`
`--
`l----L--==~r .:: r--=-
`1
`--
`
`(~)
`
`Agu ro 3. Classical Cryptographic System
`
`APPLE EX. 1027
`Page 4
`
`
`
`,. .
`
`s'AcK TO'BASJCS
`Armed with some encryption fundarryentals, ~e loo~ at
`the CATV distribution problem. Emphastzed earher was the
`notion that encryption is a digital process, that digital video
`transmission is not yet feasible, but that digital _audio is. By
`recognizing that a time varying analog s?rambhng p~ocess
`can be developed in which the descrambhng proc~ss IS con(cid:173)
`trolled digitally, we have a solid basis for an accepttbty secure
`entertainment delivery system. The other components are
`digital, encrypted audio, and an encrypted control channel for
`network control, key distribution and authorization of all pro:
`gram distribution and user features from the headend. In this
`system the Information in the control channel must be .em(cid:173)
`ployed to gain access to the services, because the servtces
`themselves are locked by the encryption overlay.
`nme for another definition: VIdeo "scrambling" refers to
`processes.that are inherently analog. Une.swapping, segment
`swap'ping, or other such time shuffling techniques operate·to.
`destroy the picture, and are quite effective. But they do not
`represent examples of encrypted video~ for encryption re(cid:173)
`quires a digital Information source: Rather, these examples
`represent time varying analog scrambling controlled by an en(cid:173)
`cryption process. Essentially any analog scrambling approach
`can be used with digital encryption of the audio and control
`channels, provided It adequately destroys the picture and Is
`tied Into the decryption process. This tie-in must be such that
`Information necessary tor p,roper descrambllng is secured
`(and not self-evident by observatiOf'! of the video).by the re· ·.
`quirement for proper decryption.
`In such a system "medium" security of the vldeo exis~s and
`"hard" security on the audio Is achieved. These phrases relate
`to the relative difficulty of pl~tlng tl'le resulting system. While
`an<IIOQ scrambling Is known to be less secure than encryption·
`based protection, with hard audio the entertainmc"!t value of
`the programming is, In fact, secured .. In almost all current
`CATV systems, the audio channel is In the ·clear, or at pest
`located on an easily defeated aural subcarrler. ThiS leaves the
`only barrier to piracy the video scrambling. In the system
`described above, the video scrambling Is very difficult to
`defeat and the audio is unrecoverable to the extent that the
`encryption cannot be broken.
`Additional remarks are due In the area of key distribution.
`By transmitting service keys in an encrypted 'fashion through·
`out the system, we have not realty solved the key distribution
`problem because to encrypt the service keys requires yet
`another key. Such is the notion of mul~llevel key distribution
`.(Figu1'9 4). Various information e>cchange networks (local area
`networks, electronic funds transfer, military communications,
`etc.) require different Implementations of a multilevel ap·
`proacn. In the CATV environment tho requirements dictate
`that '1) when the service keys are updated (changed), all de(cid:173)
`coders (and the encoder) must do so at the same time, 2) the
`system'qperation must insure that all decoders have had t!'e
`new keys property delivered, decrypted. and prepared pnor
`engaging them, and 3) only authorized decoders are able to
`
`perform (1) and (2}. --,.,..j'."
`s:! ~L-=_--_ _J
`i :?.:
`)~----------~·1 ::::1 ~------r--~-~---~==-~
`;:;{L)>------------ - - --fi = ~ A~~L~
`.......
`
`Additional ·problems having to do with error control/error
`propagation. must ·be addressed when dealing with encryp·
`lion. Encryption algorithms generally hiwe the characteristic
`that bit errors occurring in the receiving/detection-,process
`avalanche during decryption. Poor.attentlon to detail in the
`systems design phase ot a networi< employing encryption can·
`have catastrophic results.
`
`Tl'fE ADVERTISEMENT
`Having given the reader enough background in the mean(cid:173)
`ing of ''cryptographically" protected CATV delivery system,
`the following is a brief description of Oak's new Cable Sigma
`system.
`·
`Scrambled video Is employed, wherein complete horizon·
`tal and vertical synch pulse removal (a~ opposed to synch
`pulse suppression) is performed. Two channels of audio are
`digitized, encrypted and imbedded In the video. The standard
`aural carrier is not used, but Is available. Two separate con·
`trc:>l channels are employed; the first, a global, FSK-modulated
`channel which all decoders continuously monitor; the other,
`an in-channel VBI (vertical blanking interval) data path which
`is channel-specific. The former contains general authorizat.lon
`and system oriented control data. The latter contains program
`specific data relevant to a given channel and time. Separate
`servic·e keys are utilized for each cliamiel and the keys are
`varied continuously. A multl-leveJ key dlstrlbutlon system Is
`employed in which three key variables are used. These Include
`a. box-specific key which Is secret and un!que lo each box
`(unknown, even to the MSO), a variable second-level key C(!m·
`mon to all legitimate subscribers, and the service keys. Solid
`s1ate non-volatile memory Is used In the decqderto store ke)
`and authorization Information (encrypted while stored). Each
`box also has a non-secret box address which is Its address·
`lng 10 used by the headend computer to communicate tc
`the box.
`.
`A 64 bit field structured data-packet-based communication~
`protocol has been designed around the FSK dat~ channel.
`These packet.s deliver a continuous stream of data to· de·
`coders both globally·anc:l box-specific for purposes of encf¥P
`l ion key delivery, special event programming, box installation.
`and downloading of system parameters and box realures.
`Special provisions exist to guard against spoofing and bol'
`swapping between systems. Protect~o~ for time-dependent
`variables and error control is also provtded.
`
`CONCI:.US10N
`Oak Is proud to present Sigma. With the Information con·
`tal ned in this paper, It Is our hope that the reader Is bette•
`equipped to appreciate the security features available to hilt
`In this exciting new product line. The technology behlnc
`Sigma lias been In development at Oak for the past four years
`Extensive experience In digital audio and application of cry~
`tpgraphlc prfnciples has been accrued through Oak's ORIOI\
`satellite security system and STV Sigma operations. Custorr
`LSI circuits developed and used on those programs have beer
`applied to Cable Sigma, and represent a maJor technology ad
`va'ntage toward reliability and manufacturabllity. We Invite
`you to Inquire for more detailed information, and afl(;ourag€
`a comparison between Sigma and any CATV product on the
`m arket. With Sigma, program distribution Is yours to control
`
`:;...
`
`Figure 4. Multilevel Key ·Distributlon
`(Decoder End)
`
`APPLE EX. 1027
`Page 5
`
`
`
`·.: ,
`
`till~ Communicat ions Inc.
`
`16935 West Bernardo Drive, Rancho Bernardo, CA 92127
`
`About the Author.
`
`Mr. Wechelberger is director of advanceP englneertng for Oak
`Communications Inc. His major areas of concentration-are
`communfcations, computers, digital processing and control.
`He joined Oak In 1980 and spent 2 years In the corporate tJd(cid:173)
`vanced technology group working to dev.elop a technolooy
`basli!ln cryptographic area. Research centered on synthesis
`of hardware and software based proprietary cryptographic
`algorithms, cryptanalysis, and key distribution scenarios for
`the broadcast environment Before joining Oak, he spen·t 6
`· years with General Dynamics Electronics Division working
`with data communications hardwa re, digital control sys(cid:173)
`tems, microprocessor systems and radar signal processing
`systems.
`
`Th• $JJlem a nd cqulPIJlC-nl de-scribed in ll'lls paper 1rc1 c ove.nd by pa\e.nts t:nued aAd
`applied lot.
`
`APPLE EX. 1027
`Page 6