`:!_
`
`1~·.:
`
`'-.
`. . .
`.,;;:,
`
`~:
`
`ENCRYPTION: A CABLE TV PRIMER
`
`Anthony Wechselberger
`· Director, Advanced Engineering
`Oak Communications Inc.
`
`The use of encryption technology in the delivery of premium
`television ls the center of much attention today. It is also an
`area of misinformation where misunderstood terminology and
`technology are being discussed. This paper defines the prin_.
`cipal requirements, characteristics and b£?nefils of encryption
`technology as it can be applied to pay TV. Particular attention
`is paid to...dllferentiating the essentials of what constitutes
`"cryptographic security" from less complex techniques
`employing simple time varying characteristics or multiple
`scrambling modes. The fundamentals of encryption, principal
`· approaches to its utilizatior:"~ and some- associated technical
`jargon will be explained. The concept of the cryptographic
`"key" and the importance of secure key distribution will also
`be defined.
`·
`One major area of confusion lies in the technical differ(cid:173)
`ences between encryption and scrambling and, particularly,
`hybrid utilizations of the two. In understanding some basics
`about cryptography, one can better appreciate these differ(cid:173)
`ences, and differentiate buzz words fr0!1J substance in the ex(cid:173)
`panding selection of products utilizing encryption.
`
`-ttA I( -Communications Inc.
`
`J~ EXH ..
`/ LFori.D.
`LorRae D. Nelson, CSR #7384
`o 7-J/1 , 2005, No. Pgs. ~
`Witness:~ f:'-f-u.U,
`
`PMC3654014
`
`PMC Exhibit 2006
`Apple v. PMC
`IPR2016-01520
`Page 1
`
`
`
`CATV SYST~M SECURITY -ITS TIME HAS COME
`Whenever there's a need in the marketplace, any market(cid:173)
`place, responses to that need vyill be garnered from the market
`suppliers. The attribute approach to product demand theory
`tells us that demand can be·influenced by need, price, com(cid:173)
`petition and budget, as well as a whole set of attributes con(cid:173)
`nected to the products perceived value or need. This can be
`hypec_l one way or another by advertising, the "bandw~gon
`effect .. and the like, which affects the consumer's perception~
`and tastes.
`And so it is in our marketplace, the CATV market, where
`specmanship and buzzwords-change each year in the scram-(cid:173)
`ble for market share. This is not a negative thing. Consu~er
`features in converters and decoders, for example, is an area
`where much innovation has taken place. When the consumer
`gives up the remote control for his $800 console TV, system
`suppliers are now able to give back some of those remote con-
`veniences with newer CATV equipment.
`'
`The demands we cable equipment suppliers react to must
`ba responsive to both the end user and our immediate con(cid:173)
`sumer. the MSO. The MSO in turn creates needs, but also
`responds to the palpitations of his own market, for which he
`purchases equipment, runs a busine~s. and distributes pro(cid:173)
`gramming. He must control the consumption of his product
`(programming) for both short term and long term gains and
`market stability.
`·
`The process of controlling that product brings us to security
`and the newest contemporary mark_et response: encryption
`• technology: The industry h_as· responded to a n.eed for better
`security already, although not directly. The evolution of prod(cid:173)
`ucts into the baseband arena is being aided primarily by two
`attributes, one real, one perceived. The "real" attribute is in·
`creased utility as a result of baseband processing. Examples
`are user features (such as volume control), and the freedom
`to do novel kinds of signal processing. The "perce[ved" attri(cid:173)
`bute is security. In reality, being at baseband ha_s little to do
`with the ability of a system to resist compromise.
`
`An understanding ot the value ot encryption when prop(cid:173)
`erly applied is the goal of this paper. It is intended that t.he
`skeptical reader be swayed by discussions and expl~ations
`contained herein by looking at a system's security .from a
`global standpoint. By understanding some of the buzzwords,
`and asking a few critical questions about how the system you
`are evaluating is put together, you ci:m tear down the rhetoric
`and make the tradeoffs: We first look at the main facets of a
`contemporary cable system.
`
`·
`THE ADDRESSABLE SYSTEM -
`WHAT'S IMPORTANT, WHAT'S NOT
`A CATV system is a communications system. In a modern
`addressable system there are four basic kinds of information .
`sent: Program video; Program audio; Control information;
`Data Services; (Figure 1).
`
`Under data services is lumped a variety of additive types
`of digital information such as teletext, videote){t, down(cid:173)
`loaded software such as games or computer programs, and
`any interactive communications. While the need for security
`of these service will certainly become evident in time, tne lack
`of standardization in· format or modulation/transmission
`techniques causes us to set this category aside for the
`moment.
`In securing premium television delivery, the methods of
`hanoling the first three information types are within the con·
`fines of a specific addressable pay TV· system. Program audio
`and video arB generally, though not always, associated with
`each other. For simplicity we consider them two constituents
`of a premium broadcast;as is usually the case. TheY. are
`counted separately above, however, tor two reasons: their
`broadcast formats are different and independent (VSB AM
`versus FM), and the associated channel bandwidt~s required
`for each are an order of f!le\gnitude different. The relevance
`of t_hese differences will be explained, but we note that pre(cid:173)
`mium programming has no entertainment value without both.
`
`Qt%
`
`-AWO
`- a:tiJ1ICt.
`
`. { """
`Alb) !--
`
`01 y
`
`- CtHilQ.
`
`-
`
`-
`
`Figure 1. Contemporary CATV Network
`
`-.--:
`
`PMC365401
`
`PMC Exhibit 2006
`Apple v. PMC
`IPR2016-01520
`Page 2
`
`
`
`What is desired is a scrambling technique which 1) renders
`the entertainment value of scrambled programming useless,
`2) does not lend itself prey to one-time defeats (implies some
`sort of time-dependence}, 3) cannot be undone by observation
`of the scrambled waveform, and 4) requires information con(cid:173)
`tinually downloaded from the headend, forcing contact
`through the control channel between headend and decoder
`to be maintained.
`The last criterion has an important implication: in order to
`effect proper decoding, it's necessary for the decoder to be
`instructed how to decode, not just simply when to decode. In
`an addressable system, the control_ channel is the link be(cid:173)
`tween headend and decoder over which decoding instruc(cid:173)
`tions can be sent
`The previous discussion is .gearing U!i toward the theme of
`this paper. Pri~cipally that in CATV distribution "security'' is.
`a systems issue. The simplest method of defeat will be the
`path followed by the would be pirate. The system must there(cid:173)
`fore be viewed from several angles and an adequate threshold
`against compromise developed for each. Ho:w much added
`security is afforded by random video-inversion of the picture,
`. for example, if a simple-to-detect "flag" exists in the vertical
`interval indicating polarity? Is any security afforded In an ad(cid:173)
`dressable system simply because it's addressable? Not If it's
`easier to address (authorize) the box yourself than it is to open
`the box up and tamper with circuitry. At one time such argu(cid:173)
`ments would have been considered too far out to worry aboul
`But premium TV is big business these days and getting big(cid:173)
`ger. The motivations for the program thief an_d the MSO de-
`·
`mand attention to these details as never before.
`
`The ttiird information type, "control" is whatever is used by
`the manufacturer {assuming an addressable system) for net(cid:173)
`work control and authorization purposes. Note that the con(cid:173)
`trol channel or channels have no direct relation to the enter(cid:173)
`tainment being purchased. One of the first questions to ask
`t!"len about a scrambling system is what is the function of the
`control/authorization channel? Secondly, how is it related to
`the scrambling approach if at all? In most systems the con(cid:173)
`trol channel(s} direct the decoder to decode or not to decode
`as a function "of channel tuned to, or the "tier'' of a given pro(cid:173)
`gram. Critical to the issue is whether any information con(cid:173)
`tained in the control-channel is used in the decoding process.
`If not, the control channel can be ignored when attempting
`illicit program access. Likewise, if the scrambling technique
`or decoder circuitry easily succumbs to one-time defeats, the
`.control channel content is of no interest. Such is the case
`when descrambling can be accomplished by observation of
`the scrambled signal alone.
`'
`What about ''time vl!lrying scrambling"? Time varying
`scrambling adds a dimension of change to the scrambling pro(cid:173)
`cess such that the decoder will not properly decode at all
`times unless· it appropriately follows the change. Is this
`better security? To a degree, yes. But consider the pirate enter(cid:173)
`preneur who wishes to build the "universal decoder:• Most
`- positive scrambling systems use one of several techniques
`of suppressing the horizontal synch pulse. ("Positive" sys(cid:173)
`tems are those which actively scramble the premium signal
`and thus require a decoder. "Negative" systems remove th~
`signal from the unauthorized viewer througl) filters or signal
`path switching.) Whether the systems' scrambling is at AF or ·
`baseband the pirate's universal decoder, if built to operate
`at baseband, can quite easily re-construct the synch pulse
`completely ignoring all control channel information, tirrie vary-
`Ing or not.
`·
`Fig~re 2 illustrates several avenues where system attacks
`can take place. While simple wire changeslclipping/sh_orts,
`etc. are the deadly fears of operators, In fact there are many
`ways to attempt piracy. Jamming tones can be filtered, notch
`filters which trap out pay channels can be removed, address(cid:173)
`ing data can be synthesized locally, and add-on hardware in
`the decoder can be employed.
`
`FIXED
`DEFEAT
`
`CABLE
`,,._~
`
`CATV
`CABLE
`
`SCRAMBLED VIDEO
`
`SCRAMBLED AUDIO
`
`( ~i~~fs~. )
`------+
`
`ETC
`
`CIRCUIT
`MODIFICATIOMS
`
`)
`
`(
`
`DECODER
`BOX
`
`..,__.,._TO
`TV
`
`- -~
`
`• CONTROL DATA - - - - - - • ( TAMPERING )
`DEVICE
`
`f
`
`··sPOOFING.. >
`
`"7
`
`__ _.,...
`
`PIRATE )
`DEFEAT
`
`(
`
`ADO-oN
`HARDWARE
`
`Figure 2. Network Attack Scenarios
`
`PMC3654016
`
`PMC Exhibit 2006
`Apple v. PMC
`IPR2016-01520
`Page 3
`
`
`
`.
`ENCRYPTION IMPLIES DIGITAL
`Now that we have defined what is desired, the value of en(cid:173)
`cryption will be less mystifying. For encryption simply enables
`a complex security problem, in which many variables (audio,
`video, control) must be secured, to be bottled up into just pro(cid:173)
`tecting a few digital words. How this is brought about requires
`an appreciation for the difference between analog and digital
`transmission. ·
`Standard television transmission, including all current
`scrambled pay TV techniques, is analog. That is, irrespective
`of whatever pre-processing or post processing technique$ are.
`used, the signal is analog during its transmission phase. Even
`newer systems claiming to employ "digital video" are in fact
`transmitted analog. The fact that they are processed qigital(cid:173)
`ly at the headend or receiver is purely an implementation con(cid:173)
`venience (and as yet an expensive one). The reason true digital
`video transmission techniques are not lJSed In a matter of
`cost, both in terms of dollars and bandwidth. To digitize a color
`video picture requires a data rate between approximately 20
`MBs and 80 MBs, depending on the coding technique and
`degree of compression applied. Efforts to reduce this bit
`stream appreciably are possible, but at extreme penalties of
`cost or picture fidelity.
`.
`·
`The audio portion of a television program is less prohibi(cid:173)
`tively handled digitally. A. bit rate between 200 KBs and 700
`KBs is necessary for digital audio, and this data can be readily
`transmitted within the confines of a standard 6 MHz video
`channel (along with the video', of course5. Digital audio pro(cid:173)
`cessing Is no easy trick, however, this sort of technology re(cid:173)
`quires a very sophisticated degree of systems engineering
`capability. ·
`Once we have prepared the information itself for digital
`transmission, the door is open for the application of encryp(cid:173)
`tion. The control.ch~mnells Inherently digital so it too can be
`"cryptographically" protected.
`·
`
`BOXING IT UP -THE ENCRYPTION OVERLAY
`There are two main categories of modern encryption ap·
`preaches: the "classical" or "conventional" approach and the
`"public-key" approach. The public key crypto system is, In
`theory, capable of performing all of the ~unctions of the clas(cid:173)
`sical technique, but has a few special qualities in tha~ fewer
`secret variables need to be passed around in the system. It
`also has implementational difficulties which make it less than
`: attractive for many applications. For purposes of this paper,
`we consider only the classical system.
`• .
`·
`In the conventional encryption process (Figure 3) a d1g1tal
`bit stream (the information) Is passed through an algorithm
`which tr~lnsforms the input into a seemingly unrelated output
`bit stream. The transformation which is performed is a func(cid:173)
`tion of the "key variable!' and in a conventional system the
`same key is uSt;~d at both the transmit side where ~nqryption
`is performed, and the receive side where decryption IS sx:r(cid:173)
`formed. Since the key is a digital word of many bits, many d1f·
`ferent transformations are possible by varying the key. In a
`"good" algorithm, all keys are equally strong (i.e.: resistant
`to "cracking"), and no detectable relationship exists between
`the input data, output data, or key variable.
`
`The process of encryption must, of course, be.reversible.
`That is, applying the same key at the receiver must yield back
`the original message. The original, non-encrypted data is
`called clear or plain text, the encrypted 9ata is called cypher
`text. So during transmission, i.e., between headend and de·
`coder, only non-intelligible cypher text is available to the
`would be tamperer. If the decoder doesn't have the proper key,
`no message or clear text will be obtainable, even if the pirate
`has the hardware. Further, in a properly designed system
`based on cr-Yptographic security principles, we can give the
`pirate just about anything he desires: hardware, access to,
`and knQwledge about the control channel, schematics, any
`firmware, even the crypto algorithm itself. The only doorway
`to Information access, or in our case programming, Is through
`the key variable. Controlling access to the key variables is thus
`essential. This is called "key distribution:• and is the basis for
`what ultimately makes or breaks the security of a crypto(cid:173)
`graphically-based system. The cryptographic or encryption
`algorithm, therefore, can be thought of as a lockbox. The
`message is encrypted or locked by the algorithm, and can only
`be unlocked by the same algorithm, which means the Iden(cid:173)
`tical digital key must be used for decryption (we have yet to
`define ex!3ctly what is being encrypted).
`KEY DISTRIBUTION
`In a broadcast scenario, the problem.s of key variable dis(cid:173)
`tribution are not easy to solve. It probably has occurred to
`the reader by now that if access to working hardware is given
`to the pirate, it is little tro4ble to determine whb.t digital key
`is being u~ed for decryption. RecaU, we said earlier that one(cid:173)
`time defeats Will not be allowed. Therefore, tlie message
`encryption/decryption keys (referred to as "service keys;• since
`they are used in encrypting the service which in our case Is
`programming) must be changed from time to time. The inter·
`val depends on the key length, the ability of the encryption·
`algorithm to resist analysis by computer, the expected ac(cid:173)
`cessibility of the key, and the motivation of the system's
`enemy. Changing the key itself, if performed as part of the
`communications system network control protocol, is reaHy
`very easy once the method is derived. (Alternate methods
`might be by courier, mail, etc.)
`_
`In an addressable system the CATV control channel is the
`obvious choice for a key distribution path. But one can't i!lst
`go broadcasting the new keys throughout the network. They
`must remain secret to all but authorized decoders. The solu(cid:173)
`tion for controlling key access Is to encrypt the keys for
`transmission. In fact, several types of information passing
`through the control channel .are candidates for encryption.
`Authorizatlon·or tiering data, for example should also be con·
`sidered "sensitive" Information as, as poJnted out earlier, it
`can easily be synthesized and fed to the decoder by simple
`digital hardware or any hor:ne computer. Such control chan(cid:173)
`nel manipulation by other than the legitimate network con(cid:173)
`troller Is called tampering. Attempts to subvert the system by
`tampering is called "spoofing~·
`·
`So, we see that encryption alone- will not secure the infor(cid:173)
`mation exchange. Integrated within the system must be a
`totally planned out methodology for key distribution and--pro(cid:173)
`tection against spoofing.
`
`::.~..--- 1-::---~rt"Aa%1$
`I
`~~~rod~
`
`.. =-_j --- 1---!-!---:::~=-=---'"""'if ~=-~}-E..
`{~) ''-· -1.---..J
`t
`:
`!
`
`(c:r)
`
`I
`
`•
`J
`
`{~}
`
`Figure 3. Classical Cryptographic System
`
`PMC3654017
`
`PMC Exhibit 2006
`Apple v. PMC
`IPR2016-01520
`Page 4
`
`
`
`~-
`
`;
`
`BACK TO"BASJCS
`Armed with some encryption fundamentals, we loo~ at
`the CATV distribution problem. Emphasized earlier was the
`notion that encryption is a digital process, that digital video
`transmission is not yet feasible, but that digital :'ludio is. By
`recognizing that a time varying analog s?rambhng p~ocess
`can be developed in which the descramblmg proc~ss 1s con(cid:173)
`trolled digitally, we have a solid basis for an accept1bly secure
`entertainment delivery system. The other components are
`digital, encrypted audio, and an encrypted contr<?l channel for
`network control, key distribution and authorization of all pr?:
`gram distribution and user features from the headend. In t~1s
`system the information in the control channel must be _em(cid:173)
`ployed to gain access to the services, because the serv10es
`themselves are locked by the encryption overlay.
`Time for another definition: Video "scrambling" refers to
`processes.that are inherently analog. Line swapping, segment
`swap.ping, or other such time shuffling techniques operate·to.
`destroy the picture, and are quite effective. But they do not
`represent examples of encrypted video,. for encryption re(cid:173)
`quires a digital Information source: Rather, these examples
`represent time varying analog scrambling controlled by an en(cid:173)
`cryption process. Essentially any analog scram~ling approach
`can be used with digital encryption of the aud1~ and contr?l
`channels, provided it adequately destroys the picture and IS
`tied Into the decryption process. This tie-in must be such that
`Information necessary for p_roper descrambllng is secured
`{and not self-evident by observatlo11 of the video}.by there- ·.
`qurrement for proper decryption.
`.
`In such a system "medium" security of the video exis~s and
`"hard" security on the audio Is achieved. These phrases rel~te
`to the relative difficulty of pir~ting ttie resulting ~ystem. W~1le
`an~log scrambling is known to be less secure than encryption·
`based protection, with hard audio the entertainme~t value of
`the programming is, In fact, secured .. In almost all current
`CATV systems, the audio channel is in the 'clear, or at pest
`located on an easily defeated aural subcarrier. This leaves the
`only barrier to piracy the video scrambling. In the system
`described above, the video scrambling is very difficult to
`defeat and the audio is unrecoverable to the extent that the
`encryption cannot be broken.
`Additional remarks are due in the area of key distribution.
`By transmitting service keys in an encrypted fashion through- ·
`out the system, we have not really solved the key distribution
`problem because to encrypt the service keys requires yet
`another key. Such is the notion of mul~llevel key distribution.
`.(Agure 4}. Various information exchange networks (local area
`networks, electronic funds transfer, military communications,
`etc.) require different implementations of a multilevel ap(cid:173)
`proach. In the CATV environment the requirements dictate
`that 1) when the service keys are updated {changed), all de(cid:173)
`coders (and the encoder) must do so at the same time, 2) the
`system·qperation must insure that all decoders have had t~e
`new keys properly delivered, decrypted. and prepared pnor
`engaging them, and 3) only authorized decoders are able to
`perform (1) and (2).
`.............
`
`_,j~'
`
`~r >4L_~_,.,._"'"'__
`)~----------~··1 ~~ ~-----r-----·~~~
`
`r z
`~)~--------------+f·l = ~ ~o.~~OQ
`
`-
`
`ll ~
`_l - ·
`
`Additional ·problems having to do with error controlferror
`propagation. must be addressed when dealing with encryp·
`tion. Encryption algorithms generally have the characteristic
`that bit errors occurring in the receiving/detection·,process
`avalanche during decryption. Poor.attention to detail in the
`systems design phase of a network employing encryption can·
`have catastrophic results.
`
`THE ADVERTISEMENT
`Having given the reader enough background in the mean(cid:173)
`ing of "cryptographically" protected CATV delivery system,
`the following is a brief description of Oak's new Cable Sigma
`system.
`·
`Scrambled video is .employed, wherein complete horizon·
`tal and vertical synch pulse removal (al? opposed to synch
`pulse suppression} is performed. Two channels of audio are
`digitized, encrypted and imbedded in the video. The standard
`aural carrier is not used, but is available. Two separate con·
`trol channels are employed; the first, a global, FSK-modulated
`channel which all decoders continuously monitor; the other,
`an in-channel VBI (vertical blanking interval) data path which
`is channel-specific. The former contains general authorization
`and system oriented control data. The latter contains program(cid:173)
`specific data relevant to a given channel and time. Separate
`service keys are utilized for each cliannel and the keys are
`varied continuously. A multi-level key distribution system Is
`employed in which three key variables are used. These Include
`~ box-specific key which is secret and un!que to each bo)(
`(unknown, even to the MSO), a variable second-level key cqm·
`mon to all legitimate subscribers, and the service keys. Solid
`state non·volatile memory is used in the decoder to store ke)
`and authorization information (encrypted while stored). Each
`box also has a non·secret box address which is its address·
`ing ID used by the headend computer to communicate tc
`the box.
`.
`A 64 bit field structured data-packet-based communications
`protocol has been designed around the FSK datq chan"nel.
`These packets deliver a continuous stream of data to·de·
`coders both globally·and box-specific for purposes of encryp(cid:173)
`tion key delivery, special event programming, box installation.
`and downloading of system parameters and box features.
`Special provisions exist to guard against spoofing and boll
`swapping between systems. Protect!o':' for time-dependent
`variables and error control Is also provtded.
`
`CONCI:.USION
`Oak Is proud to present Sigma. With the Information con·
`tained in this paper, it ls our hope that thl.'l reader is bette1
`equipped to appreciate the security features available to hlr'r
`In this exciting new product line. The technology behlnc
`Sigma has been In development at Oak fort he past four years
`Extensive experience in digital audio and application of cryp(cid:173)
`tpgraphlc principles has been accrued through Oak's ORIOI\
`satellite security system and STV Sigma operations. Custorr
`LSI circuits developed and used on those programs have beer
`applied to Cable Sigma, and represent a mafortechnolo~y ad
`vantage toward reliability and manufacturabllity. We mvitE
`you to Inquire for more detailed information. and encourage
`a comparison between Sigma and any CATV product on thE
`market. With Sigma, program distribution is yours to control
`
`Figure 4. Multilevel Key Distribution
`(Decoder End)
`
`PMC3654018
`
`PMC Exhibit 2006
`Apple v. PMC
`IPR2016-01520
`Page 5
`
`
`
`•.:
`>
`
`~:
`
`till( Communicati~ns l~c.
`
`16935 West Bernardo Drive, Rancho Bernardo, CA 92127
`
`The system and equlpmenl described in this paper are covered by patents Issued and
`applied for.
`
`12-1!3
`
`About the Author.
`
`Mr. Wechelberger is director of advance_d engineering for Oak
`Communications Inc. His major areas of concentration-are
`{;ommunfcatfons, computers, digital processing and control.
`He joined Oak in 1980 and spent 2 years In the corporate ad(cid:173)
`vanced technology group working to develop a technology
`base in cryptographic area. Research centered on synthesis
`of hardware and software based propri(!tary cryptographic
`algorithms, cryptanalysis, and key distribution scenarios fot
`the broadcast environment. Before joining Oak, he spen-t 8
`- years with General Dynamics Electronics Division working
`with data communications hardware, digital control sys(cid:173)
`tems, microprocessor systems and radar signal processing
`systems.
`
`PMC3654019
`
`PMC Exhibit 2006
`Apple v. PMC
`IPR2016-01520
`Page 6
`
`