Skip to main content

Cardless security brings battleground inside the chip

The inexorable trend from smart card-based to cardless conditional-access systems (CAS) for protecting pay-TV services against revenue theft is changing the battle lines against the pirates.

Traditional methods of attack such as smart-card cloning, where hackers break through the shielding of a legally obtained smartcard to extract the keys, will become history, and the battle zone will shrink back to the SoCs (System on Chips), where the security cores will reside. Developers of counter-measures against attacks on security cores, such as Cryptography Research, are cautiously optimistic that ultimately cardless systems will be more secure than smart cards, because the threats will be confined to operations inside the chip.

This is not universally agreed, with some CA vendors such as Norway-based Conax arguing that for now, smart cards still provide stronger protection more suitable for premium services. But there is no stopping the cardless tide now, and it is just a question of how quickly it will flow. Already the fight is on to protect cardless systems and ensure that operators and ultimately rights owners gain confidence in the new technology. It is worth considering that there are only two possible points of attack, by intercepting the content directly in the clear, or obtaining the keys to decrypt the content. The latter can be achieved by direct attack on the cryptographic hardware such as a smart card, or by intercepting a regularly changing control word as it is passed between a smart card and a set-top box. This enables control word sharing, which has proliferated with the Internet, but will be a reduced threat with use of cardless CA because keys are then never exposed on either external interfaces or internal interfaces, being confined to the innards of a SoC.

It is true that Internet content redistribution in the clear is likely to take over from control word sharing, and before that smart card cloning, as the major piracy threat and one that the CA can do nothing apart because the theft can be committed by legitimate subscribers to a pay-TV service. But cardless security can at least bear down on other threats, leaving techniques such as forensic watermarking to tackle content redistribution.

Since SoCs can be made tamper-proof, attacks against cardless systems shift to techniques that attempt to extract information from a chip without accessing it directly. Among such sources of attack is power analysis, which exploits the fact that a chip reveals what it is doing through changes in power consumption, which can be measured by access to the power supply for subsequent mapping and analysis. For example, a SoC performing encryption using the DES standards will yield a power trace showing clearly the well-known 16 rounds of processing. Similarly, the multiplication operations of the RSA public key method are clearly visible and enable the private key to be computed.

Simple power analysis can be countered by inserting background electrical noise that makes it harder to identify cryptographic activity, but hackers can in turn overcome this by use of Differential Power Analysis (DPA), which employs sophisticated statistical techniques to filter out background noise.

One problem with such techniques is that they leave no effective trace of their occurrence, but the likes of Cryptographic Research have developed counter measures that they are convinced will be practically impossible to crack. This involves disguising or burying the cryptographic operation with other calculations, such that the power trace is harder to analyze.

The evidence so far though suggests that every defense against DPA can in principle be overcome. For example, one defense that has been employed is to vary the clock speed of the SoC to make the DPA analysis more difficult. But this has been defeated by application of the same techniques used in speech recognition systems to cater for people talking at varying rates, which work by transforming each spoken work to a constant output rate. This same technique can identify the variations in the chip clock rate and smooth them out so that normal DPA analysis can be performed.

It should be pointed out that most of the successful DPA attacks so far have been conducted by cryptographic researchers rather than hackers or pirates. But they suggest that just as before, the hackers will in principle be able to stay one step ahead, with the security industry consistently playing catch-up. The hope, though, is that in practice the great computational and statistical sophistication involved will make attacks impractical and turn the attention of pirates elsewhere.