ci plus overview presentation

CI Plus Limited Liability Partnership (LLP) www.ci-plus.com CI Plus Overview 11th November 2011

Upload: ngoxuyen

Post on 09-Jan-2017

Page 1: CI Plus Overview Presentation

CI Plus Limited Liability Partnership (LLP) www.ci-plus.com

CI Plus Overview

11th November 2011

Page 2: CI Plus Overview Presentation

2 / 29 www.ci-plus.com - CI Plus LLP file: ci-plus_overview.ppt

Table of Content (Page)

• One Page Overview of CI Plus: 3
• History of Common Interface: 4
• Requirements & Scope with CI Plus: 8
• CI Plus System Overview: 10
• CI Plus Specification: 11
  - SAC (Secure Authenticated Channel)
  - Authentication
  - Protection of TS (Transport Stream) with CC (Content Control)
  - URI (Usage Rules Information)
  - Revocation, Shunning
  - Interactivity with MHP CA API
• CI Plus Administration: 21
  - CI+ LLP, Certificate Agent & Test Center
  - CI+ Documentation
  - Flow Chart of Certification & Licensing
  - Licensee Overview
• Summary: 26
• Document History: 27
• Abbreviations: 28

CA: Conditional Access
CAM: CA Module
CI: Common Interface
PCMCIA: Personal Computer Memory Card International Association
SC: Smart Card

[Figure labels: SC; PCMCIA; CI-CAM; CA; CI]

Disclaimer: All text and images that are presented herein are just for illustration purposes about the principles of CI Plus. The presentation may contain inaccuracies or errors. It does not necessarily reflect the most recent status of technical and licence relevant documents of CI Plus.

Page 3: CI Plus Overview Presentation

One Page Overview

Issue with v1 and Solution with
• 1997-02 Quite old standard EN 50221 (DVB-CI v1) with unencrypted CAM output
• 2006-09 Closed DVB TM-CIT group after missing consensus
• 2007-07 CI+ Forum founded by 6 companies
• 2008-01 CI Plus Spec v1.0 with encrypted CAM output
• 2008-11 CI+ forum replaced by CI Plus LLP
• 2009-03 Appointment of Trustcenter & Test facility
• 2011-04 DVB adopts future development of CI Plus specification
• 2011-05 SMiT becomes 7th partner in CI Plus LLP

[Figure labels: Encrypted TV Signal; PCMCIA Interface; IDTV; STB, Recorder, ...; not encrypted (x); encrypted; additional Usage Rules for A/D output and storage; Copy of original digital content is impossible!]

Page 4: CI Plus Overview Presentation

History of Common Interface (CI)

1997-02: Standard DVB CI v1 (EN 50221)
1999-11: Extension ETSI TS 101 699
2002-01: EU directive for CI in IDTV with > 30cm
2006-09: Start of DVB TM-CIT group (to close security gaps with new CI v2 ...). Closed after missing consensus on technology
2007-07: Founding CI+ Forum by 6 companies
2007-12: CI Plus Specification draft
2008-01: CI Plus Specification v1.0
2008-11: Disbanding of CI+ Forum & creation of CI Plus LLP (UK Limited Liability Partnership)
2009-02: CI Plus Specification v1.1
2009-02: TC TrustCenter GmbH appointed
2009-03: DTV Labs Ltd. appointed test facility
2009-05: CI Plus Specification v1.2
2010-12: Negotiations about continuation of specification under DVB
2011-01: CI Plus Specification v1.3
2011-04: DVB adopts development of CI Plus spec beyond v1.3
2011-05: SMiT becomes 7th partner in CI Plus LLP

Page 5: CI Plus Overview Presentation

DVB-CI & CI Plus - Usage for SD/HDTV

[Figure labels: Set-Top-Box with integrated Decryption-System (Only for few content used or permitted); SDTV; SDTV; SDTV; Smart Card with DVB-CI; Smart Card with CI+; Smart Card; Display or IDTV]

Page 6: CI Plus Overview Presentation

DVB CI - First Generation Standard v1

• CI-Module used with smartcard containing key information
• CI-Module removes the encryption of protected content
• The output of CI-Module is unencrypted
• Due to this, most content providers prefer integrated solutions because of higher security

[Figure labels: Encrypted Television Signal; PCMCIA Interface; CI-Module; Smartcard; No Encryption; Plasma / LCD IDTV; Copy of original digital content is possible]

Page 7: CI Plus Overview Presentation

CI Plus - Protection of Content

• Based on existing DVB-CI Standard
• Main requirement: achieving the same level of security as embedded solutions
• CI Plus Module and Receiver
  - Calculation & Usage of a secure key for content protection
  - Secure, authenticated channel for critical system messages
• The output of module is encrypted
• Only certified devices are supported

[Figure labels: Encrypted Television Signal; PCMCIA Interface; CI Plus Module; Smartcard; Local Encryption; Plasma / LCD IDTV; Copy of original digital content is not possible!]

Page 8: CI Plus Overview Presentation

CI Plus - Scope of Protection

CA: Conditional Access
CC: Content Control

Page 9: CI Plus Overview Presentation

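CI Plus - Scope of Compatibility

Host / CA Module (CAM) combinations:
• DVB CI host with DVB CI module: Host & Module DVB-CI mode
• DVB CI host with CI Plus module: Module in DVB-CI mode*
• CI Plus host with DVB CI module: Host in DVB-CI mode
• CI Plus host with CI Plus module: Host & Module CI Plus mode

* DVB-CI mode operation permitted by network operator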

Page 10: CI Plus Overview Presentation

CI Plus - System Overview

CA: Conditional Access
CC: Content Control
CI: Common Interface
CAM: Conditional Access Module

Page 11: CI Plus Overview Presentation

CI Plus - Specification History

2007-12 Specification Draft
2008-01 Specification v1.0
2009-02 Specification v1.1
2009-05 Specification v1.2
• Change number 002, effective 2009-04-23 (Security Extension)
  - Summary: Errata of v1.1, CICAM CIS CI Plus compatibility advertisement
• Change number 005, effective 2011-03-01 (Security Extension)
  - Summary: Security fix for CI Plus Host to check for “Brand ID” in a CI Plus CICAM device certificate during authentication.
2011-01 Specification v1.3
• Change number 007, effective 2012-08-01
  - Summary: Extensions of PVR related functionality, CAS protected recording removed, Parental Control Clarifications, Low Speed Communication Resource, Extended CI Tuning Resource, Operator Profile
2011-10 Specification v1.3.1
• Change number 013, effective 2012-08-01
  - Summary: Errata of v1.3, implementation guidelines

Page 12: CI Plus Overview Presentation

CI Plus - Specification v1.3

Chapter, title: pages
• Chapters 1-3, Scope, References, Definitions, ...: 19
• Chapter 4, System Overview: 4
• Chapter 5, Theory of Operation: 47
• Chapter 6, Authentication Mechanisms: 16
• Chapter 7, Secure Authenticated Channel: 12
• Chapter 8, Content Key Calculations: 5
• Chapter 9, Public Key Infrastr. & Certificate Details: 9
• Chapter 10, Host Service Shunning: 5
• Chapter 11, Command Interface: 22
• Chapter 12, CI Plus Application Level MMI: 12
• Chapter 13, CI Plus MMI Resource: 4
• Chapter 14, Other CI Extensions: 52
• Annex A...N: 109
• Total: 316

file: ci_plus_specification_v1.3.pdf
date: 2011-01-14

Page 13: CI Plus Overview Presentation

CI Plus - Specification v1.3 Change

Key changes of v1.3 compared to v1.2
• Extensions to PVR related functionality.
• CAS protected recording removed.
• Parental Control Extensions & Clarifications.
• Optimization of Low Speed Communication Resource & IP support.
• Extension to CI Tuning Resource to support Cable VOD Applications.
• Introduction of an Operator Profile.

Change Notice with References
• prng_seed per manufacturer [5.3]
• URI version 2 [5.7.5.2]
• Digital Only Token [5.7.5.3]
• Content license [5.10]
• Parental Control [5.11]
• Recording and Storage [5.12]
• Host Authentication [Table 6.3, step 13, item d]
• Certificates, Service operator ID [9.3.6]
• Host shunning, SDT absent [10.4]
• Version 2 of CC resource [11.3]
• SAS APDU clarifications [11.4, Annex M.2.1]
• MHEG profile extensions [12.8]
• Low Speed Communications v3 [14.1]
• IP connection by name [14.2.1.2]
• Application MMI clarifications [14.4]
• Application MMI File Caching [14.5]
• Host Control v2 [14.6]
• Operator Profile [14.7, Annex N]
• APDU clarifications [Annex E]
• CIS Feature Identification [G.3.2]
• Removal of PVR Resource [v1.2, 15]

Details of changes:
• file: ciplus_change_notice_007.pdf, date: 2011-01-21
• file: 2011-03-10_ci-plus_specification_v1.3_diff_v1.2.pdf, date: 2011-03-10

Page 14: CI Plus Overview Presentation

CI Plus - Protocols

1. Compare CI+ versions supported by IDTV and CAM.
2. If both sides have the same auth key, they have performed a successful authentication with each other.
3. CI+ CAM and IDTV authenticate each other to make sure the opposite device is a valid CI+ device.
4. The Secure Authenticated Channel (SAC) is used for transmission of security-related messages between CAM and IDTV.
5. Usage Rules Information (URI) version negotiation to find a URI version that is supported on both sides.
6. URI transmission and acknowledgement used by CAM to send a set of usage rules information to the IDTV.
7. Content Control (CC) key calculation used by both sides to calculate keys for scrambling / descrambling of transport stream (TS).
8. System Renewability Message (SRM) transmission and acknowledgement is used from CI+ CAM to transfer SRM for HDCP and DTCP-IP to the IDTV.

Step names in the figure:
1. Host Capability Evaluation
2. Auth Key Verification
3. Authentication
4. SAC Key Calculation
5. URI Version Negotiation
6. URI Acknowledgement
7. CC Key Calculation
8. SRM Acknowledgement

Page 15: CI Plus Overview Presentation

CI Plus - Transport Stream Output Protection

Host and CICAM Capabilities:
• DES-56-ECB: Data Encryption Standard, 56-bit key, Electronic Code Book (USA 1999-10, Federal Information Processing Standards, FIPS 46-3)
• AES-128-CBC: Advanced Encryption Standard, 128-bit key, Cipher Block Chaining (USA 2000-10, National Institute of Standards and Technology, NIST, FIPS 197)

Page 16: CI Plus Overview Presentation

CI Plus - Authentication

Supported Authentication Phases per Service Mode:
• Basic Service Mode
• Registered Service Mode
  - Requires upstream communication to HE (Head End)

example:

DH = Diffie-Hellman key exchange

Page 17: CI Plus Overview Presentation

CI Plus - Devices & external Interfaces

IDTV Signals / Interfaces:
• Analogue: PAL / NTSC / SECAM, RGB / YUV / S-Video
• Digital: HDMI / HDCP, DTCP-IP

Devices: STB/PVR; CI Plus; Display; time shifted recording (optional)

Encrypted Content, paired to receiver: the content cannot be copied without authorization.

Page 18: CI Plus Overview Presentation

CI Plus - Usage Rules Information (URI)

URI initial default value for host, e.g. after channel change:
• protocol version = 0x01
• emi_copy_control_info = 0b11 (Encryption Mode Indicator)
• aps_copy_control_info = 0b00 (Analog copy Protection System)
• ict_copy_control_info = 0b0 (Image Constraint Trigger/Token)
• rct_copy_control_info = 0b0 (Redistribution Control Trigger)
• rl_copy_control_info = 0b000000 (Retention Limit, default 90 min)
• reserved bits = 0b0

URI Mapping Table:
• Analog Output (MV, APS, CGMS, ICT)
• Digital Output (HDCP, DTCP, SPDIF)
• Digital Storage (AACS, CPRM, VCPS)

see e.g. Digital Transmission Content Protection, www.dtcp.com
• Specification 2007-10, rev 1.51

[Figure labels: URI; Analog; Digital; Digital Storage]

Page 19: CI Plus Overview Presentation

CI Plus - Mechanisms of Revocation

Host Service Shunning
• Host shunning state determined from Service Descriptor Table (SDT)
• Shunning active: Service can only be descrambled by CI+ Module
• Shunning non active: Service can be descrambled by DVB-CI or CI+ Module

Host Revocation
• Certificate Revocation List (CRL) transmitted to CICAM black-lists a host
• Certificate White List (CWL) can revert a previous revocation of a host
• Level of revocation granularity:
  1. Unique host
  2. Range of hosts
  3. Certain model
  4. Certain brand

Revocation by CAS
• Possible, but out of CI Plus specification scope
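
The host revocation rules above, modelled as an added example (not part of the original presentation and not taken from the CI Plus specification): a host is treated as revoked when a CRL entry at any of the four granularity levels covers it and no CWL entry reverts that. The identity fields, the entry layout, the assumption that CWL entries use the same four levels and that a CWL match takes precedence, and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Host:
    # Identity fields are assumptions of this sketch, not certificate fields.
    brand_id: int
    model_id: int
    device_id: int


@dataclass(frozen=True)
class ListEntry:
    # level is one of the four granularities named on the slide.
    level: str                      # "unique" | "range" | "model" | "brand"
    brand_id: Optional[int] = None
    model_id: Optional[int] = None
    first_id: Optional[int] = None  # the unique host, or the start of a range
    last_id: Optional[int] = None   # inclusive end of a range


def entry_matches(entry: ListEntry, host: Host) -> bool:
    if entry.level == "unique":
        return host.device_id == entry.first_id
    if entry.level == "range":
        return entry.first_id <= host.device_id <= entry.last_id
    if entry.level == "model":
        return (host.brand_id, host.model_id) == (entry.brand_id, entry.model_id)
    if entry.level == "brand":
        return host.brand_id == entry.brand_id
    # An unrecognised level is rejected rather than silently ignored.
    raise ValueError(f"unknown granularity level: {entry.level!r}")


def evaluate_host(host: Host, crl: Iterable[ListEntry],
                  cwl: Iterable[ListEntry]) -> Tuple[bool, List[str], List[str]]:
    """Return (revoked, CRL levels that matched, CWL levels that matched)."""
    black = [e.level for e in crl if entry_matches(e, host)]
    white = [e.level for e in cwl if entry_matches(e, host)]
    # Assumed precedence: a CWL match reverts any CRL match for that host.
    return (bool(black) and not white, black, white)


# Constructed sample lists, not real revocation data.
SAMPLE_CRL = [
    ListEntry("range", first_id=1000, last_id=1999),
    ListEntry("model", brand_id=7, model_id=4),
    ListEntry("brand", brand_id=9),
]
SAMPLE_CWL = [ListEntry("unique", first_id=1005)]

if __name__ == "__main__":
    for h in (Host(3, 1, 1005), Host(3, 1, 1006), Host(7, 4, 5000), Host(9, 2, 6000)):
        print(h, evaluate_host(h, SAMPLE_CRL, SAMPLE_CWL))
```

Returning the matched levels alongside the verdict shows which list entry caused a decision, for instance when a range entry and a brand entry both cover the same host.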

Page 20: CI Plus Overview Presentation

CI Plus - Additional Interactivity with Consumer

CI Plus Browser
• Enables CI Plus modules to display graphics with menus, pictures, logos, ... in a common method on all CI Plus receivers/displays
• Allows easy interaction with default remote control

Support of MHP CA API
• Enables the broadcasted MHP application to communicate with a CA Smartcard inside the CI Plus module

Country- and Language Support
• Enables CI Plus modules to use the same language in menus, which is already defined by user in the receiver setting.

Page 21: CI Plus Overview Presentation

CI Plus - LLP, Certificate Agent & Test Center

CI Plus LLP contact details:
• CI Plus LLP, www.ci-plus.com
• Pannell House, Park Street, Guildford, Surrey GU1 4HN, UK
• CI Plus LLP registered (no OC341596) in England & Wales

CI Plus LLP authorized Certificate Agent:
• TC TrustCenter GmbH, www.trustcenter.de
• Sonninstrasse 24-28, 20097 Hamburg, Germany
• Tel/Fax: +49.40.808026-0/-126
• Mail: [email protected]

CI Plus LLP approved Test Facility:
• Digital TV Labs Ltd., www.digitaltv-labs.com
• Venturers House, King Street, Bristol, BS1 4PB, UK
• Tel/Fax: +44.117.915-4018/-4088
• Mail: [email protected]

Page 22: CI Plus Overview Presentation

CI Plus - Documentation

Documents on www.ci-plus.com (www.ci-plus.com/index.php?page=download)
• CI Plus Specification v1.3
  - Detailed Specification for Receiver and Module with change notes 002, 005 & 007
• Supplementary Specification v1.3
  - Requirements for host revocation/shunning
• Implementations Guidelines v1.0
• Registration Application
  - Application for test and registration of a device
• CI Plus Logo Guidelines & Archive
• Test Specification v1.0
  - Definition of test- and registration process

Documents on www.trustcenter.de (www.trustcenter.de/solutions/consumer_electronics.htm)
• On-Boarding Guideline
• Interim License Agreement (ILA)
  - Compliance and Robustness Rule...
• Certificate Supply Agreement (CSA)
• Forms: Identification, Administrator Authorization, Brand On-Boarding, Registration Application
• Robustness Certification Checklist

Page 23: CI Plus Overview Presentation

CI Plus - License Agreement with Exhibits A-L

A: Device Type

B: Robustness Rules

C: Compliance Rules for Host Device

D: Compliance Rules for CICAM Device

E: URI Mapping Table

G: Robustness Rules Checklist

H: Confidentiality Agreement

I: Fee schedule

J: Registration Procedure

K: Change Procedure

L: Revocation Procedure

[Figure labels: CICAM Device; Host Device; Robustness Rules; Compliance Rules; Confidentiality Agreement]

Page 24: CI Plus Overview Presentation

CI Plus - Implementation ...

[Flow chart of certification and licensing; labels as they appear on the slide:]
• CI Plus LLP (Limited Liability Partnership)
• Trust Authority (TA)
• Certification Authority (CA)
• Test of Device
• Device Manufacturer of CI Plus Module / Host
• TC Trust Center
• Sign License Agreement; €15,000 registration/yearly; Receive License specs and Test technology
• At Website: Public Specification, License Agreement (incl. Compliance and Robustness)
• Order Certificates (keys): € 500/10.000 devices
• Device Testing Result, Robustness Checklist: € 5,000/device type
• Device Registration, Production Credentials
• Test Partner
• New device, Robustness Checklist, Device Testing Result
• or Self-Test-Registration (after registration of 2 different device types)
• Deliver Certificates (keys)

Page 25: CI Plus Overview Presentation

CI Plus - Licensees

Publication
• Licensees of CI Plus are published with homepage URL on website of TrustCenter
• 89 Licensees on 2011-10-10
  - 29 Components Licensees
  - 54 Hosts Licensees
  - 6 Modules Licensees

www.trustcenter.de/consumer_electronics_licensees_host.htm
www.trustcenter.de/consumer_electronics_licensees_host_module.htm
www.trustcenter.de/consumer_electronics_licensees_module.htm

Page 26: CI Plus Overview Presentation

CI Plus - Summary

• CI Plus is based on DVB-CI standard and is downward compatible
• Encrypted communication over the CI/CI+ interface
  - Secure & authenticated channel for critical system messages
  - Encrypted transmission of digital content from CI+ module towards the host device
• Implementation
  - Licensing & administration of Certificates managed by independent Trust-Center
  - Certification of end user devices & CI+ modules in a digital TV laboratory
• Future proof with URI (Usage Rules Information) for UPnP, CPCM, CSA3, DTCP, DLNA, ...

[Figure labels: STB; PVR; LAN; Internet]

Page 27: CI Plus Overview Presentation

Document History

2009-07-06 Creation and first publication on www.ci-plus.com
2011-11-11 Specification v1.3, DVB resumption, SMiT membership, updated CIP contact detail, licensee overview, reformatting to 16:9

Page 28: CI Plus Overview Presentation

Abbreviations

AACS: Advanced Access Content System, aacsla.com
AES: Advanced Encryption Standard
API: Application Programming Interface
CA: Conditional Access
CAM: Conditional Access Module (DVB-CI or CI Plus)
CAS: Conditional Access System
CC: Content Control
CDA: Content Distributor Agreement (contract with CI Plus)
CE: Consumer Electronics
CGMS: Copy Generation Management System
CI: Common Interface
CIP: CI Plus LLP, ci-plus.com
CIv1: DVB CI version 1.0, dvb.org
CI Plus: Common Interface Plus, ci-plus.com
CM: Commercial Module (of DVB)
CPRM: Content Protection for Recordable Media, 4centity.com
CRL: Certificate Revocation List
CWL: Certificate White List
CSA: Certificate Supply Agreement
DES: Data Encryption Standard
DLNA: Digital Living Network Alliance, dlna.org
DOT: Digital Only Token
DVB: Digital Video Broadcasting, dvb.org
DRM: Digital Rights Management
DTCP: Digital Transmission Content Protection, dtcp.com
DTVL: Digital TV Labs (CI Plus), digitaltv-labs.com
EU: Europe, europa.eu
FFW: Fast Forward (PVR function)
HDCP: High-bandwidth Digital Content Protection
HDD: Hard Disk Drive
HDMI: High Definition Multimedia Interface, hdmi.org
ICT: Image Constraint Token
IDTV: Integrated Digital tuner Television
ILA: Interim License Agreement
LCD: Liquid Crystal Display
LLP: Limited Liability Partnership
MHP: Multimedia Home Platform
MPAA: Motion Picture Association of America, mpaa.org
PCMCIA: Personal Computer Memory Card International Association
PVR: Personal Video Recorder
SAC: Secure Authenticated Channel
SC: Smart Card
SDT: Service Descriptor Table
SOC: Selectable Output Control
SMiT: Shenzhen State Micro Technology Co. Ltd.
SPDIF: Sony/Philips Digital Interconnect Format
STB: Set Top Box
TA: Trust Authority (e.g. TC for CI Plus)
TC: TrustCenter GmbH, trustcenter.de
TM: Technical Module (of DVB)
TS: Transport Stream
USB: Universal Serial Bus
URI: Usage Rules Information
VCPS: Video Content Protection System

Version: 2011-11-11

Page 29: CI Plus Overview Presentation

CI Plus Limited Liability Partnership (LLP) www.ci-plus.com

Thank you for your interest

CI Plus LLP: www.ci-plus.com
DVB: www.dvb.org
TC TrustCenter GmbH: www.trustcenter.de
Digital TV Labs Ltd.: www.digitaltv-labs.com