FR2786973A1 - Security device for decoding compressed encrypted data has safe microcircuit in magnetic card separate from case and also includes decompression circuits - Google Patents

Abstract

The receiving device (M) has a case with a slit for a magnetic smart card and has a number of decoding circuits (r3-r5). Data from the receiving antenna passes to a decompression circuit (r2). Signals then pass to a circuit (r1) for conversion and presentation of signals. The signals to be received may be produced by a transmitter with a signal producing circuit (e1) connected to a compressor (e2), a data packet separation circuit (e3) and a packet decoding circuit (e4) which may be connected to a transmitting antenna.

Description

The present invention relates to information dissemination systems

  in which information is sent from a broadcaster to a user in compressed and encrypted form, and in which the user has

  a decoder associated with a protected electronic microcircuit, for example

  pie a microcircuit card, which is the key necessary for the

  decoder can reproduce clear information.

  The information disseminated by such systems can be varied, for example

  example of audio (music) or video signals (television programs

  sion), or textual data such as agency dispatches

  this or financial information.

  The purpose of encryption is to reserve unencrypted access to this information

  to authorized persons in return for a payment such as a subscription

  or a payment at the session.

  The electronic microcircuit allowing the decoder to ensure the deciphering-

  frement is generally protected against reading its content and against

  copying, whether it is a microcircuit card inserted in a container

  noder of the decoder, or of a microcircuit internal to the decoder.

  This level of security does not, however, prevent information from being

  once decoded can be copied, allowing the user to authorize

  se to share the dissemination of information with other people not

  authorized, i.e. without subscription to the broadcaster

  sor or without payment in return for the clear return of information

mation.

  There are indeed many possible attacks on existing systems

  tants in order to save the information in a usable form.

  These attacks, which are well known on broadcast systems

  encrypted, will be explained in the detailed description which follows.

  One of the aims of the invention is to prevent, as far as possible, that the information once decoded can be copied, or at least to ensure that this copying is accompanied by a significant degradation of quality of information or a dramatic increase

  the volume of data preventing or making it difficult to record it

is lying.

  Essentially, the invention proposes for this purpose an information decoder device.

  encrypted and compressed training, including video information,

  dio or text, of the known generic type comprising a box cooperating with a secure microcircuit comprising a memory and a processor protected against attempts to analyze and read and copy the information stored in this microcircuit, this decoder device comprising : means for receiving input of encrypted and compressed data; means for decrypting the data thus received; means for decompressing the data thus decrypted; and output delivery means, in a decoded form exploitable by

  a user, decrypted and decompressed data.

  According to the invention, the secure microcircuit incorporates all of the

  means of decryption and at least part of the means of deciphering

  pressure, the stream of decrypted and compressed data delivered by the

  means of decryption to means of decompression not being ac-

  transferable from outside the secure microcircuit.

  The secure microcircuit can be that of a microcircuit card separate from the box, the latter comprising connection means making it possible to

  couple the microcircuit card, or an internal microcircuit to the box.

  In the case of a microcircuit card, the connection between the microcircuit and the

  housing is advantageously a serial type link, very advantageous-

  a connection such that the stream of decrypted and partially or fully decompressed data is delivered by the microcircuit on at least

  one of the RFU contacts according to ISO0 7816-2.

  According to other advantageous subsidiary characteristics: - the case includes part of the decompression means, this

  part including circuits capable of delivering decompressed data

  carried out in response to commands issued by the secure microcircuit

laughed;

  - the secure microcircuit also includes part of the means of

  data output in an exploitable decoded form,

  this part including in particular means of treatment or fil-

digital trage;

  - the data received as input is received in the form of packets

  associated with associated data, and the decryption means operate

  rent by implementing a first algorithm allowing the calculation of packet keys from said associated information, and a second algorithm reconstructing a stream of information decrypted at

  from the packages and package keys calculated by the first algorithm

rithm;

  - the system includes means of payment conditioning the deli-

  data output in decoded form usable at the

  verification, by the microcircuit, of the prior realization of a pay-

  based on associated pricing information contained in

  a memory, in particular of tariff information comprising an information

  user identification training contained in a memory of the secure microcircuit; the device comprises recording means or means of coupling to recording means, which can in particular

  save compressed and encrypted data.

0

  We will now give an example of implementation of the invention, in

reference to the accompanying drawings.

  Figure 1 is an illustration, in block diagram form, of the

  chain of transmission and reception of information, explaining the various

  its stages of signal transformation.

  FIG. 2 represents the decoder of the user with his different elements

associated items.

  Figure 3 shows the different standardized contact areas of a

microcircuit card.

  We will first expose with reference to Figure 1 how the best current systems work (that is to say those providing the

  highest security against fraud) of information dissemination

  encrypted tions, typically encrypted television signals.

  We will first describe the steps implemented on the transmitter side:

  el) We first produce a stream of digital signals, ie direct

  either by digitizing analog signals, thereby giving

  if a high-speed uncompressed data stream 4, of the order

  1066 bps (bits per second) for audio and 108 bps for video.

  e2) The flow c1 is then compressed using a compression technique

  loss of information, for example of the MPEG type, to give a medium bit rate flow 6, of the order of 105 bps for audio and 3.106 bps for video; this operation uses relatively advanced technical means, that is to say requiring a high computing power, to achieve a compression which does not alter the sound or visual quality of the signal too much; e3) This compressed stream 4 is then cut into packets, each representing for example 0.1 seconds of sound or image; for each packet, a numerical value forming the packet key is chosen such that the possession of the master key of a first cryptographic algorithm ALG1 is necessary to calculate this packet key. For example, an incremental index is associated with each packet and the packet key is obtained by encrypting the index

  with the master key by a triple-DES algorithm.

  e4) Each packet is then encrypted with a second encryption algorithm

  tographic ALG2 using as key the packet key (it will be noted that the data flow for the first algorithm ALG1 is

  around 103 bps, much lower than the data flow of the second al-

  ALG2 gorithm, which is the medium data rate

awarded).

  The encrypted flow resulting from step e4 is then broadcast, accompanied by

  additional training needed to calculate package keys, in this example package indices. It can be a one-way broadcast, of the satellite, CD-ROM or DVD-ROM type, or on demand, such as a cable, Internet, telephone network broadcast.

switched or ISDN.

  Of course, this dissemination is accompanied by various verification operations.

  rification of the integrity of the information transmitted and possible correction

  errors, which are not affected by the present invention.

  Note that the term "dissemination" should not be understood in the technical sense.

  strict (television or radio broadcasting, radio or wire) but it also includes, for example, the dissemination of information by distribution of physical media such as CD-ROMs, DVDs, floppy disks,

  etc., the teachings of the invention applying equally to the deciphering

  frement and decompression of information read on a physical support

that of this nature.

  We will now describe the steps implemented on the receiver side. The receiver or decoder includes a secure electronic microcircuit, that is to say protected against analysis and duplication of its content, and

  containing the master key necessary for decryption.

  The successively implemented steps are as follows (we use-

  ra references comprising homologous indices of the stages cor-

  corresponding to the transmission): r3) The microcircuit receives the information necessary to calculate the packet keys (in this example, the packet indices) and

  applies the first ALG1 cryptographic algorithm; he communicates

  than the packet keys thus calculated to the rest of the decoder.

  r4) The decoder then decrypts the packets using the second al-

  ALG2 cryptographic gorithm and the corresponding packet key,

  producing a data flow j identical to that resulting from the

  eg e2, i.e. compressed data of medium speed.

  r2) The decoder then decompresses this data stream y, an operation which requires relatively limited means compared to those implemented in step e2, thus giving a high-speed data stream c 'comparable to the stream <D resulting from step el but

  not identical due to modifications linked to the

  pressure / decompression. rl) The decoder converts this data stream in a way accessible to the human senses, for example by controlling the vibration of a

  speaker membrane or the luminescence of a cathode ray tube

  than; typically this step rl firstly comprises a

digital / analog version.

  Note that the system described here is a digital system, which

  allows strong compression in step e2.

  The process can also be transposed to an analog system, for example for systems of older design using at I li 1 ilE11I step e2 an analog encoding of the PAL, SECAM or NTSC type and

  for e4 an analog encryption of the permutation or rotation type of li-

  genes; the operating principle is identical, although the resulting flow

  as long as step r4 is, in this case, only approximately identical to stream 1 resulting from step e2. The technique that we have just exposed presents a certain number of

  weak points that make her vulnerable.

  Even assuming that the microcircuit and the first crypto- algorithm

  ALG1 graphics are effectively resistant, there remain various possible attacks when one wishes to record the information in an exploitable form, namely: 1) The attack of the second ALG2 algorithm, that is to say the reconstruction of the step r4 without having the data flow resulting from the step

  r3, for example by using redundancies in the data flow

  born normally resulting from r4 the conception of the second algo-

  rithme tries to make this operation difficult, but we cannot

  rule out a successful attack - involving changing all the dice -

  coders using this second ALG2 algorithm.

  2) The recording, on the one hand, of the stream of encrypted information as broadcast (at the input of r4) and, on the other hand (on a decoder equipped

  legitimate microcircuit), the flow of packet keys, and then the deco-

  dage by a decoder devoid of the legitimate microcircuit and receiving these two information flows. The volume of data represented by the packet keys being very low, this information can by

  example be made available by radio or on the Internet.

  3) The recording of the deciphered information flow resulting from

  step r4, followed by its subsequent use in an appropriate device

  pleating r2 and rl. This recording can be done: - on a decoder equipped with the legitimate microcircuit, by recovering

  the information passing from the stage performing r4 to that realizing

  reading r2 (the most recent decoders try to avoid this attack by grouping steps r4 and r2 in the same circuit,

  o the flow in question is not very accessible).

  - by reproducing step r4 in an appropriate device, receive

  on the one hand the flow of encrypted information as broadcast, on the other hand the flow of packet keys from a microcircuit

  legitimate, the device reproducing the deciphering by the algo-

  rapid rithm (this attack can be combined with the previous

  toothed). 4) The recording of the information flow resulting from step r2. But

  the bitrate at this stage being high, in particular for the video, the frau-

  it will be in their interest to recompress the data, i.e. to apply

  a step similar to e2; we can assume that the technical difficulty

  that of the operation, as well as the resulting loss of quality (loss all the more important as the means used are modest)

decreases the attractiveness of the technique.

   ) Recording signals in a form derived from r2, for example an intermediate analog form used in rl. The reduction in quality is then clear moreover, we know various

  analog means preventing making a quality copy

  ceptable with a consumer video recorder.

  The invention endeavors to remedy these drawbacks which make the system

  vulnerable to attempts by fraudsters.

  It essentially consists in integrating into the safety microcircuit all of the decryption (steps r3 + r4 above) and at least most of the decompression (step r2 above), so that the flow (of medium flow ) decrypted and compressed data and the flow of packet keys are not present outside the microcircuit and

are therefore never accessible.

  The limits of the secure microcircuit have been illustrated in FIG. 1 in dashed lines.

  risé, in the two variants M, o this microcircuit includes all of the decompression stages of step r2, and M ', o it does not use

only part of this step.

  Under these conditions, attack # 1 (described above) is made more difficult, since the cryptographic algorithm can remain secret. In addition, if its safety is compromised by a design defect and it must be

  replaced by another algorithm, it is possible to change the only half

  crocircuit if the latter is removable, without modification of the decoder itself

  even. An additional advantage is that one can use algorithms

  laughing depending on the broadcast area, or even changing the decomposition algorithm

  pressure. Finally, the set-top box alone (i.e. without its micro-

  secure circuit) containing no cryptographic algorithm, is

  subject to no particular regulations.

  The aforementioned attacks n 2 and n 3 are made impossible, since the intermediate data flows necessary for these attacks remain

dull microcircuit.

  The system which we have just described can be presented in a form

  simplified, with the two encryption algorithms ALG1 and ALG2 re-

grouped into one.

  Under these conditions, the transmitter side steps will be: el) Production of digital signals (unchanged), e2) Compression (unchanged), e5) Encryption of data stream 4 by a cryptographic process

using a master key.

  On the receiver side, the decoder includes a secure electronic microcircuit

  laughed that contains the master key. The steps implemented are:

  r5) The microcircuit receives the data flow resulting from e5 and the

  cipher, reconstructing (in the absence of transmission error) the flow

  4 as it was produced in step e2.

  r2) The same microcircuit (the fact that it is the same microcircuit, and

  not from another decoder circuit, is an essential feature

  tielle of the invention) decompresses this data stream 4, producing a data stream V ', comparable to that 0 resulting from step el

  (the differences due to the compression / decompression process-

  if we). This flow O 'is communicated by the microcircuit to the rest of the

coder.

  rl) Conversion in a form perceptible to the senses (without change).

  As illustrated in FIG. 2, the invention can be implemented by a box ensuring interfacing between, on the one hand, radio reception means 12 (typically an antenna or a satellite decoder), a cable network 14, a reader DVD-ROM 16, etc. and, on the other hand, a receiver

  television 18 or a high-fidelity channel 20. The box can include

  dre a program selection and / or routing mechanism

  selective program on demand.

  This box cooperates with a secure microcircuit 22, for example the mid

  crocircuit of a removable card 24 inserted in a slot 26 of the housing

  , The housing 10 + microcircuit 22 assembly constituting the "decoder" men-

mentioned above.

  The selected information arrives, compressed and encrypted, from the box 10 to the microcircuit 22, and the latter - if it contains the appropriate key and possibly if other conditions are met, for example the debit of prepaid points or the electronic payment of 'a subscription or access to a program - decrypts and decompresses it, without the deciphered and compressed form being accessible. The decompressed stream is delivered by the microcircuit 22 to the housing 10 to be applied, after the conversions

  suitable for TV 18 or amplifier 20.

  This basic principle can receive several improvements.

  A first improvement aims to optimize the connection of the microcircuit

  to the housing, as well as the distribution between microcircuit and housing of the elements

  elements involved in the r2 decompression and conversion process

sion rl.

  First, to minimize the number of contacts, the link

  between the microcircuit and the box is advantageously of the serial type.

  For the data flows, in particular the high speed flow D leaving r2, the "RFU" ("reserved for future use") contacts of

ISO 7816-2 standard.

  Figure 3 shows the arrangement of the contacts of a microcircuit card

according to this standard.

  It will be noted that the ground contacts GND, power supply VCC, clock CLK, reset RST and input / output I / O keep their usual functions, I / O being used for supervisory functions such as those of step r3 and / or, by multiplexing, for slower data flows, in

  especially the flows entering r5.

  These serial data streams are synchronized by a phase locked loop integrated into the microcircuit, synchronized with a signal entering the microcircuit such as the data entering r5 and / or CLK. There is provided in the data code leaving the microcircuit an error detection code and an inhibition of the sound or visual restitution when the housing detects an error in this flow, this to prevent unwanted noise or images, when the microcircuit has a bad

contact with the housing.

  Furthermore, still in this development aimed at optimizing the con-

  connection of the microcircuit to the housing, the last

  last steps of the r2 decompression process, in order to decrease the complexity of the microcircuit, in particular the amount of memory and the

  processing power required.

  In the case of audio signals, it is known that the decompression processes

  in the phase preceding the digital / ana- conversion

  logic the generation and combination of various signals including the

  teristics are calculated elsewhere, for example generation and addi-

  digital tion of signals such as sinusoid and / or wavelet and / or noise whose frequency and / or amplitude and / or spectrum and / or envelope are parameterized. It can then be provided that the control (configuration) of these generators is carried out by the microcircuit, but that the generation and

  the combination itself is made in the housing, the essential

  the computing power being thus deported in this box.

  In video, the decompression methods include in the final phase of generation of the decoded signal the copying of information from

  lines and frames of previous images and / or the filling of areas.

  We can then predict that the box will store this information and make copies and filling, but according to parameters produced by the microcircuit. Conversely, if we still have in the microcircuit a power of

  sufficient calculation, one can integrate into it not only the decom-

  pressure r2, but also the first phases of the con-

  version rl, in order to increase the bit rate of the information leaving the microcircuit and to make its storage more difficult, which makes it possible to fight

  more effectively, to some extent, against attack # 4 above

  tee. In particular, for audio, the microcircuit can be integrated

  digital processing such as changing the number of bits in the sample

  tillonnage and / or digital filtering, making it possible to reduce the complexity

  of the analog filter placed downstream of the digital / analog converter

that of the case.

  A second improvement consists in carrying out each of the steps e5 and r5 in two respective steps e3 + e4 and r3 + r4 involving two distinct algorithms, which is justified cryptographically speaking, in

  the goal of carrying out the operation with a good compromise between complexity and cost.

  A third improvement consists in providing an additional mechanism

  intended to charge for the use of the system. To this end, provision is made in the microcircuit for a means of conditioning the production of the decrypted information to prior payment, means operating by processing the content of a memory containing the rights of the owner of the microcircuit. This memory can be located in the microcircuit itself, or in the case, or at the

information distributor.

  These rights change according to the use made of the system; for example a credit zone of this memory is debited when the information is first broadcast, for example the first hearing of a piece of music, and the identifier of this piece is stored in this memory, allowing the user who wishes to listen to the same song later, do so without bitrate, or at reduced bitrate. Some operations

  are inhibited when the credit drops to zero. Means of recharging-

are provided elsewhere.

  If it is with the broadcaster, the memory can be subdivided into zones each corresponding to a given microcircuit, the appropriate zone being selected from an identifier of the microcircuit contained in a

* memory of it.

  In addition to storing a song identifier in memory, the

  rights chat can be materialized by storage in the memory of the

  microcircuit of the key and / or the decryption algorithm of this mor-

  hides; this measure avoids having a key and / or an algorithm

  universal valid for all songs.

  We will provide that to the compressed and encrypted data is added an

  identification / pricing training operated by the microcircuit for

  complete which key and / or decryption algorithm and / or which price

  cation is to be applied to the encrypted information flow. In a step e6 (for example after e5), this identification / pricing information is added to the data flow; and in a step r6 (for example prior to r5), this identifier is extracted and used by the microcircuit to determine

  which key and / or which algorithm to use in step 5, and / or which pricing

  tion apply (for example if the decryption rights by the microcir-

  cooked are acquired definitively, or are subject to payment at each

use, and at what price).

  To protect the pricing section of this information against intentional alteration, a cryptographic method can be used, for example

  example the addition of an electronic signature of the data including the price

  fication and verified by the microcircuit, or by inserting this pricing information before encryption, so that its rapid alteration makes

  the rest of the data cannot be used.

  A fourth improvement consists in associating a recorder with the

system of the invention.

  For this purpose, the housing 10 can contain a device for recording

  information (or understand means of connection to such a device

  tif), allowing later use without the need to purchase

  undermining information through the media.

  The information can be saved in a still compressed and encrypted form.

  brother; it will be deciphered and decompressed on proofreading, which will therefore require the presence of the microcircuit (this service may possibly be accompanied by a payment). Registration may also have

  concurrently with the first use.

  These recording devices can for example take the form

  a semiconductor memory, a hard disk 28, a ma-

  genetic 30 of DAT type, of a magneto-optical disc 32 or of WORMoptical type or DVD-RAM, etc., if a recording is desired

  digital direct. As a variant or in addition, the housing 10 can also

  also include digital / analog conversion means for recording and analog / digital conversion for playback

  in the case of an analog recording, typically on a magnetic

VHS toscope.

Claims (12)

  1. A device for decoding encrypted and compressed information, in particular   ment of video, audio or text information, of the type comprising a box   tier (10) cooperating with a secure microcircuit (22) comprising a memory and a processor protected against analysis attempts   and reading and copying the information stored in this microcir-   cooked, this decoder device comprising:   - means for receiving input of encrypted and compressed data;   mées, - decryption means (r5; r3, r4) of the data thus received, - decompression means (r2) of the data thus decrypted, and   - output means (rl) in output, in a decoded form ex-   exploitable by a user, decrypted and decompressed data,   device characterized in that the secure microcircuit incorporates the   seems decryption means (r5; r3, r4) and at least part of the decompression means (r2), the stream (4) of decrypted data and   compressed delivered by the decryption means to the decryption means   compression not accessible from outside the dry microcircuit curious.   2. The device of claim 1, wherein the secure microcircuit (22) is that of a microcircuit card (24) separate from the housing, the latter comprising connection means making it possible to couple the card to microcircuit.   3. The device of one of claims 1 and 2, wherein the microcir-   secure baking is a microcircuit internal to the housing.   4. The device of one of claims 2 and 3, wherein the connection   between the microcircuit and the case is a serial type link.   5. The device of claim 4, wherein the data flow   encrypted and partially or fully decompressed is issued by the   microcircuit on at least one of the RFU contacts according to ISO 7816-2.   6. The device of one of claims 1 to 5, wherein the housing   includes a part of the decompression means (r2), this part   cluting of the own circuits to deliver the data decompressed in re-   response to commands issued by the secure microcircuit.   7. The device of one of claims 1 to 6, wherein the microcir-   secure baking also includes part of the delivery means (rl) in   output of the data in an exploitable decoded form, this part   including in particular digital processing or filtering means.   8. The device of one of claims 1 to 7, wherein the data   received as input are in the form of packets accompanied by don-   associated data, and the means of deciphering operate by implementing   vre of a first algorithm (ALG1) allowing the calculation of keys of pa-   quet from said associated information, and from a second algorithm   rithm (ALG2) reconstructing a stream (4) of information deciphered from   packets and packet keys calculated by the first algorithm.   9. The device of one of claims 1 to 8, comprising means   of payment conditioning the delivery at the output of the data under a   decoded form which can be used for verifying, by the microcircuit, that the   prior payment based on associated tariff information ciées contained in a memory.   10. The device of claim 9, wherein the information tari-   do contain user identification information contained therein   in a memory of the secure microcircuit.   11. The device of one of claims 1 to 10, comprising   recording means or means of coupling to recording means registration (38, 30, 32).   12. The device of claim 11, in which the data delivered   to the recording means are compressed and encrypted data.