PERSONALIZED WHITEBOX DESCRAMBLERS

20170111167 · 2017-04-20

    Abstract

    The invention prevents intercepted keys from being used in unauthorized whitebox descrambler modules for the decryption of a ciphertext. Hereto a receiver with a personalized whitebox descrambler is proposed, whereby a part of the descrambling operation of the personalized descrambler is performed in a preprocessing module external to the descrambler.

    Claims

    1-36. (canceled)

    37. A descrambler, comprising: a processor configured to: receive a transformed key; generate an output of a descrambling operation by applying a second part of the descrambling operation, comprising: partitioning the transformed key into a plurality of transformed key parts for a plurality of block cipher round modules; for each of the plurality of transformed key parts, receiving, in a corresponding block cipher round module, input ciphertext data and selecting, based on the transformed key part.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0042] Aspects of the invention will be explained in greater detail by reference to exemplary embodiments shown in the drawings, in which:

    [0043] FIG. 1a shows a prior art receiver and secure client;

    [0044] FIG. 1b shows another prior art receiver and secure client;

    [0045] FIG. 1c shows another prior art receiver and secure client;

    [0046] FIG. 2a shows a block diagram of a prior art descrambler;

    [0047] FIG. 2b shows another block diagram of a prior art descrambler;

    [0048] FIG. 3 shows a prior art descrambler in more detail;

    [0049] FIG. 4 shows a prior art block cipher round module;

    [0050] FIG. 5 shows another prior art descrambler in more detail;

    [0051] FIG. 6 shows another prior art block cipher round module;

    [0052] FIG. 7 shows a prior art block cipher based descrambler;

    [0053] FIG. 8 shows a diagram clarifying transformation functions and encryption in general terms;

    [0054] FIG. 9 shows a receiver and a secure client of an exemplary embodiment of the invention;

    [0055] FIG. 10a shows a block diagram of a descrambler of an exemplary embodiment of the invention;

    [0056] FIG. 10b shows a block diagram of a descrambler of another exemplary embodiment of the invention;

    [0057] FIG. 11 shows a receiver and a secure client of another exemplary embodiment of the invention;

    [0058] FIG. 12 shows a descrambler of an exemplary embodiment of the invention;

    [0059] FIG. 13 shows a block cipher round module of an exemplary embodiment of the invention;

    [0060] FIG. 14 shows a whitebox iterated block cipher based descrambler of an exemplary embodiment of the invention;

    [0061] FIG. 15 shows a whitebox iterated block cipher based descrambler of another exemplary embodiment of the invention;

    [0062] FIG. 16 shows a whitebox iterated block cipher based descrambler of another exemplary embodiment of the invention;

    [0063] FIG. 17 shows a prior art stream cipher based descrambler;

    [0064] FIG. 18 shows a whitebox stream cipher based descrambler of an exemplary embodiment of the invention;

    [0065] FIG. 19 shows a whitebox stream cipher based descrambler of another exemplary embodiment of the invention;

    [0066] FIG. 20 shows a prior art public key based descrambler;

    [0067] FIG. 21 shows a whitebox public key based descrambler of an exemplary embodiment of the invention;

    [0068] FIG. 22 shows a conditional access system of an exemplary embodiment of the invention;

    [0069] FIG. 23 shows a method in a whitebox descrambler of an exemplary embodiment of the invention;

    [0070] FIG. 24 shows a method in a whitebox descrambler of another exemplary embodiment of the invention; and

    [0071] FIG. 25 shows a method in a secure client of an exemplary embodiment of the invention.

    DETAILED DESCRIPTION OF THE DRAWINGS

    [0072] The invention prevents intercepted keys from being used in unauthorized whitebox descrambler modules for the decryption of a ciphertext. Hereto a receiver with a personalized whitebox descrambler is proposed, such as e.g. shown in FIG. 9, whereby a part of the descrambling operation of the personalized descrambler is performed in a preprocessing module external to the descrambler.

    [0073] With reference to FIG. 9, the personalized descrambler 311 is typically implemented as an obfuscated software module in the receiver 111. Alternatively, the personalized descrambler may be implemented in programmable hardware. Each receiver in a conditional access network typically has a unique personalized descrambler 311. A secure client 211 is typically communicatively connected to the receiver 111 to provide descrambler specific key related data to the personalized descrambler 311 to achieve a common descrambling function. Hereto, the secure client 211 is implemented such that a part of the descrambling operation of the personalized descrambler 311 is performed in a preprocessing module 811 of the secure client 211. The secure client 211 is typically implemented in hardware of a smartcard. The preprocessing module 811 may be implemented as an obfuscated software module running in the secure client 211.

    [0074] Alternatively the descrambler specific key related data is provided from a head-end system to the receiver, possibly via the intermediary of a smartcard. The preprocessing module 811 is then a part of the head-end system.

    [0075] The personalized whitebox descrambler of the invention uses the descrambler specific preprocessor key-related data as input.

    [0076] In conditional access systems the wording CW or control word is a synonym of a key.

    [0077] Software obfuscation techniques make use of transformation functions to obfuscate intermediate results. The concept of transformation functions differs from encryption, which is clarified in general with reference to FIG. 8.

    [0078] Assume there exists an input domain ID with a plurality of data elements in a non-transformed data space. An encryption function E using some key is defined that is configured to accept the data elements of input domain ID as an input to deliver a corresponding encrypted data element in an output domain OD. By applying a decryption function D to the data elements of output domain OD, the original data elements of input domain ID can be obtained. In a non-secure environment (typically referred to as white box), an adversary is assumed to know the input and output data elements and the encryption function E, such that the key can be derived.

    [0079] Additional security can be obtained in a non-secured environment by applying transformation functions to the input domain ID and output domain OD, i.e. the transformation functions are input- and output operations. Transformation function T.sub.1 maps data elements from the input domain ID to transformed data elements of transformed input domain ID' of a transformed data space. Similarly, transformation function T.sub.2 maps data elements from the output domain OD to the transformed output domain OD'. Transformed encryption and decryption functions E' and D' can now be defined between ID' and OD' using transformed keys. T.sub.1 and T.sub.2 are bijections.

    [0080] Using transformation functions T.sub.1, T.sub.2 together with encryption techniques implies that, instead of inputting data elements of input domain ID to encryption function E to obtain encrypted data elements of output domain OD, transformed data elements of domain ID' (obtained by applying transformation function T.sub.1) are input to transformed encryption function E'. Transformed encryption function E' combines the inverse transformation functions T.sub.1.sup.-1 and/or T.sub.2.sup.-1 in the encryption operation to protect the confidential information, such as the key. Then transformed encrypted data elements of domain OD' are obtained. By performing T.sub.1 and/or T.sub.2 in a secured portion, keys for encryption function E or decryption function D cannot be retrieved when analysing input data and output data in the transformed data space.

    [0081] At least one of the transformation functions T.sub.1, T.sub.2 should be a non-trivial function. In case T.sub.1 is a trivial function, the input domains ID and ID' are the same domain. In case T.sub.2 is a trivial function, the output domains OD and OD' are the same domain.

    [0082] In white box cryptology, it is assumed that this process is performed completely in a hostile environment, wherein an attacker has access to the data elements in ID', OD' and the functions E' and D'. White box cryptology provides security by securing (parts of) the keys for the functions E and D. By applying transformation functions T.sub.1 and T.sub.2 in at least one of the smart card or a secured portion of the receiver, the lookup tables L.sub.n as applied in white box cryptology cannot be resolved in the transformed space.
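    The composition order that paragraphs [0079] and [0080] describe, written out in the document's own symbols (added here for clarity; not part of the original text). The transformed functions absorb the inverse transformations, and for any transformed input x' = T.sub.1(x) the transformed decryption undoes the transformed encryption without the key, E or D ever appearing untransformed:

```latex
E' = T_2 \circ E \circ T_1^{-1}, \qquad D' = T_1 \circ D \circ T_2^{-1}

D'\big(E'(x')\big)
  = T_1\Big(D\Big(T_2^{-1}\Big(T_2\big(E(T_1^{-1}(T_1(x)))\big)\Big)\Big)\Big)
  = T_1\big(D(E(x))\big) = T_1(x) = x'
```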

    [0083] The software implementations of the secure client and the descrambler use software transformations to secure software applications. Transformations are typically used in whitebox cryptography, wherein a decryption key is merged with the decryption steps of the algorithm to achieve a software program that can decrypt a ciphertext C.

    [0084] FIG. 10a shows a whitebox implementation of FIG. 2b, wherein a key is provided to a decryption module 3111 in a transformed format. The transformed key T(K) is loaded in the whitebox implementation of the decryption module 3111. The decryption module 3111 transforms T(K) to obtain the key K before applying a descrambling operation with the key K. The implementation of the decryption module 3111 ensures that an attacker with knowledge of the decryption module 3111 and the value of T(K) cannot recover K. In variants of this scheme, the ciphertext input C and/or the decrypted output M can be transformed as well.

    [0085] FIG. 10b shows a personalized whitebox descrambler 3112 that uses descrambler specific key-related data T.sub.i(K) that has been preprocessed prior to being input to the whitebox descrambler 3112. The index i is used to indicate the specific descrambler 3112. The preprocessed key related data T.sub.i(K) is constructed such that it can be used in the corresponding personalized whitebox descrambler 3112 only. Thereto, each receiver uses a personalized transformation T.sub.i of the key.

    [0086] The transformed key T.sub.i(K) is loaded in the whitebox implementation of the descrambler 3112 for decrypting the broadcast stream C. The implementation of the descrambler 3112 ensures that an attacker with knowledge of the implementation and the value of T.sub.i(K) cannot recover the key K. Moreover the attacker will not be able to generate key-related data T.sub.j(K) for another receiver (indicated by j), which receiver has a personalized whitebox descrambler using a personalized transformation T.sub.j.

    [0087] With known descramblers, such as e.g. shown in FIG. 5, FIG. 17 and FIG. 20, the input key K could be intercepted and redistributed to other receivers for descrambling a broadcast stream C. Because the key related data T.sub.i(K) is unique to a receiver, it is useless for any other receiver. Hence, intercepting the input key related data T.sub.i(K) and redistributing it to other receivers is no longer useful.

    [0088] FIG. 11 shows a more detailed example of a receiver 111 with a personalized whitebox descrambler 311 of an exemplary embodiment of the invention. In the example of FIG. 11 personalized key data T.sub.i(CW) is generated by preprocessing a CW in a secure client 211 of a smartcard. More specifically, a preprocessing module 811 is used in the secure client 211 to preprocess the CW outside the descrambler 311 of the receiver 111. Herewith, a part of the descrambling operation of the personalized descrambler 311 is performed in the preprocessing module 811. The preprocessing module 811 performs a transformation function before providing the personalized key data T.sub.i(CW) to the descrambler 311. Alternatively the CW may be preprocessed in a preprocessing module of a head-end system and transmitted from the head-end system to the receiver, possibly via the intermediary of a smartcard.

    [0089] The receiver 111 receives an input stream from a broadcast network in a manner known per se. In a conditional access system the input stream is typically an MPEG-2 or DVB transport stream, and contains multiple TV channels (i.e. program streams) as well as encrypted information containing the keys required for descrambling a program stream. For the descrambling of a program stream, the key is commonly called a Control Word or CW. A demux/filter module 901 in the receiver 111 forwards the part of the transport stream that corresponds to a user selected program stream C, which is a ciphertext, to the descrambler 311. The demux/filter module 901 further extracts, from the encrypted information, the information relevant to the program stream C, such as Entitlement Management Messages (EMM) and Entitlement Control Messages (ECM), and sends this information to the secure client 211. The ECM contains the CW encrypted with a product key P.sub.K, which is shown in FIG. 11 as E.sub.PK(CW). The secure client 211 receives the ECM and decrypts it in a decryption module 902 with a pre-stored P.sub.K value read from a secured key storage module 903. The preprocessing module 811 processes the CW into a descrambler specific transformed form T.sub.i(CW). The descrambler specific CW transformation in the secure client 211 is linked to the personalized descrambler 311 in the receiver 111 using knowledge of the receiver identity i, which may be communicated from the descrambler 311 to the preprocessing module 811. A part of the descrambling operation of the personalized descrambler 311 is performed in the preprocessing module 811.

    [0090] Use of the transformed key T.sub.i(CW) in the personalized descrambler 311 needs to be secure. This means that it should be difficult to obtain the CW from the transformed key T.sub.i(CW) and from the personalized descrambler 311. Moreover, it should be hard to calculate a valid transformed key for the differently personalized descrambler 311 of another receiver.

    [0091] The following exemplary embodiments show how a personalized descrambler may be secured using personalized whitebox descramblers based on block ciphers.

    [0092] In the exemplary embodiment of FIG. 12, the personalized descrambler is a personalized block cipher 312. Similar to the block cipher 305 as shown in FIG. 3, a block of ciphertext C is processed over n rounds into a plaintext message M using block cipher round modules 4111, 4112. In the personalized block cipher 312, each round r receives its own personalized round key PRK.sup.i.sub.r as input, which is derived from the received personalized key data T.sub.i(K) in the key partitioning module 511.

    [0093] FIG. 13 shows an example of a personalized block cipher round module 412 that may be used as block cipher round module 4111, 4112 as shown in FIG. 12. The block cipher round module 412 has a diffusion module 611 that operates similar to the diffusion module 601 shown in FIG. 4. The Personalized Round Key PRK.sup.i.sub.r is input to a personalized confusion module 711. The Personalized Round Key is calculated by applying a bitwise XOR with a Unique Key UK.sup.i.sub.r for round r and personalized descrambler i. A repeated XOR operation with the same Unique Key in the Personalized Confusion module removes the transformation of the Personalized Round Key.

    [0094] A simplified example of a whitebox lookup table driven implementation 313 of the personalized block cipher 312 of FIG. 12 is shown in FIG. 14. In the example of FIG. 14, a transformed binary key T.sub.i(K)=1011 is the personalized version of a common key K=11 as shown in the prior art example of FIG. 7. Moreover, the personalized key T.sub.i(K) has already been expanded in an external preprocessing module 811 from a two bit value to a four bit value. The block cipher round modules 4121, 4122 operate in a similar manner as shown for the block cipher round modules 4031, 4032 of FIG. 7. The exemplary embodiment of the invention of FIG. 14 differs from FIG. 7 in that the personalized descrambler 313 operates on the personalized input key T.sub.i(K).

    [0095] In the example of FIG. 14, a key partitioning module 5121 selects a two-bit personalized round key PRK.sup.i.sub.r from the string of personalized round keys that are contained in the transformed key. The transformed key T.sub.i(K)=1011 is a concatenation of PRK.sup.i.sub.1=10 and PRK.sup.i.sub.2=11. A personalizing module 5122 transforms each PRK.sup.i.sub.r using a XOR operation with a preprogrammed Unique Key UK.sup.i.sub.r. Unique keys UK.sup.i.sub.1=01 and UK.sup.i.sub.2=10 are used to convert the personalized round keys into the common round keys 10 XOR 01=11 and 11 XOR 10=01 that are used in the block cipher round modules 4121, 4122.

    [0096] In FIG. 14, ciphertext C=11 is input to the first block cipher round module 4121. Diffusion module 611 uses a lookup table to change the input value C=11 into 10. The confusion module 711 uses a lookup table to convert the value 10 into 01 using the first common round key value 11 to select the appropriate column of the lookup table. Intermediary result C.sub.1=01 is input to the second block cipher round module 4122. Diffusion module 611 uses a lookup table to change the input value C.sub.1=01 into 11. The confusion module 711 uses a lookup table to convert the binary value 11 into 10 using the second common round key value 01 to select the appropriate column of the lookup table. Final result M=10 is the descrambled message.

    [0097] The XOR operation as shown for the personalizing module 5122 may be integrated in the block cipher round modules 4121, 4122. This is shown in FIG. 15, wherein a personalized confusion module 712 processes the PRK.sup.i.sub.r values as they are extracted from the transformed key T.sub.i(K)=1011. The confusion module 712 is personalized by changing the column order of the lookup tables in the confusion module 712. The key partitioning module 5121 receives the transformed binary key T.sub.i(K)=1011 and partitions it into the two personalized round keys, PRK.sup.i.sub.1=10 and PRK.sup.i.sub.2=11. The confusion modules 712 have been personalized by a specific ordering of the columns so that a personal round key PRK selects the column producing the correct output. Another receiver will have differently personalized confusion modules and will not be able to decrypt the ciphertext with the transformed key for receiver i.

    [0098] In FIG. 15, ciphertext C=11 is input to the first block cipher round module 4131. Diffusion module 611 uses a lookup table to change the input value C=11 into 10. The personalized confusion module 712 uses a lookup table to convert the value 10 into 01 using the first personal round key value 10 to select the appropriate column of the lookup table. Intermediary result C.sub.1=01 is input to the second block cipher round module 4132. Diffusion module 611 uses a lookup table to change the input value C.sub.1=01 into 11. The personalized confusion module 712 uses a lookup table to convert the binary value 11 into 10 using the second personal round key value 11 to select the appropriate column of the lookup table. Final result M=10 is the descrambled message.

    [0099] An alternative embodiment of a block cipher as personalized descrambler module is shown in FIG. 16, wherein the confusion functionality in each block cipher round function 4141, 4142 is preprogrammed with a set of transformation tables. Each transformation table applies a data transformation, depending on the personalized round key PRK.sup.i.sub.r that is input to the block cipher round 4141, 4142. In the example of FIG. 16 a transformed input binary key T.sub.i(K)=0110 is partitioned into two personalized round keys PRK.sup.i.sub.1=01 and PRK.sup.i.sub.2=10 in a key partitioning module 5121. In the personalized confusion modules 713, each bit of the personalized round key PRK indicates whether the corresponding table should be used or not. In this way, the personalized confusion module 713 generates the correct output.

    [0100] In FIG. 16, a two-bit ciphertext C=11 is input to the first block cipher round module 4141. A diffusion module 611 transforms the ciphertext into binary value 10, which is input to the personalized confusion module 713. Personalized round key PRK.sup.i.sub.1=01 is used by the personalized confusion module 713 of the first block cipher round module 4141 to determine which transformation tables are to be applied to the binary input 10. The first bit of PRK.sup.i.sub.1 equals 0, which is interpreted as not to use the first transformation table. The second bit of PRK.sup.i.sub.1 equals 1, which is interpreted as to transform the input 10 to 01 in accordance with the second transformation table. The binary value 01 is provided to the second block cipher round module 4142, where the diffusion module 611 first transforms the data from 01 into 11. This data is input to the personalized confusion module 713 of the second block cipher round module 4142. The first bit of PRK.sup.i.sub.2 equals 1, which is interpreted as to transform the input 11 to 10 in accordance with the first transformation table. The second bit of PRK.sup.i.sub.2 equals 0, which is interpreted as not to use the second transformation table on the result after the first transformation table. The output of the second block cipher round module 4142 is the final result of the personalized descrambler 315, thus the descrambled message equals M=10.
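    The three personalizations of paragraphs [0093] to [0100] (FIG. 14: a separate XOR with a unique key; FIG. 15: the XOR folded into reordered confusion columns; FIG. 16: round-key bits gating preprogrammed transformation tables), worked as runnable code on the page's two-bit, two-round example. This is an added example, not code from the patent. The diffusion table, the XOR-based confusion table, the common round keys 11 and 01 for K=11, and the unique keys and table bases of receivers i and j are all constructed; they are chosen so that the intermediate values match the ones quoted on the page (T.sub.i(K)=1011 and 0110, C=11, M=10).

```python
"""Toy two-bit, two-round lookup-table descrambler personalized as in FIG. 14/15
(round keys masked by a unique key) and FIG. 16 (PRK bits gate preprogrammed
tables). Added example; all tables are constructed to reproduce the page's values."""
from typing import Dict, List, Sequence, Tuple

# Diffusion: the page fixes 11 -> 10 and 01 -> 11; the other two entries are
# constructed so that the table is a bijection.
DIFFUSION = {0b00: 0b00, 0b01: 0b11, 0b10: 0b01, 0b11: 0b10}
# Common round keys for K=11 after the external key expansion (page values
# RK1=11, RK2=01; the expansion rule itself is not given on the page).
COMMON_ROUND_KEYS = [0b11, 0b01]


def confusion(x: int, round_key: int) -> int:
    """Common confusion: the round key selects a table column. Constructed as
    x XOR key, which reproduces the page (10 under 11 -> 01, 11 under 01 -> 10)."""
    return x ^ round_key


def partition_key(transformed_key: int, rounds: int = 2) -> List[int]:
    """Key partitioning module 5121: 2*rounds bits -> 2-bit PRKs, MSB first."""
    return [(transformed_key >> (2 * (rounds - 1 - r))) & 0b11 for r in range(rounds)]


def join_key(round_keys: Sequence[int]) -> int:
    value = 0
    for rk in round_keys:
        value = (value << 2) | (rk & 0b11)
    return value


def descramble_common(c: int, round_keys: Sequence[int]) -> int:
    """Prior-art descrambler of FIG. 7: takes the common round keys directly."""
    for rk in round_keys:
        c = confusion(DIFFUSION[c], rk)
    return c


# FIG. 14 / FIG. 15: PRK_r = RK_r XOR UK_r, with UK_r unique to receiver i.
def preprocess_xor(round_keys: Sequence[int], unique_keys: Sequence[int]) -> int:
    """Preprocessing module 811 for receiver i: T_i(K) = (RK1^UK1) || (RK2^UK2)."""
    return join_key([rk ^ uk for rk, uk in zip(round_keys, unique_keys)])


def descramble_fig14(c: int, transformed_key: int, unique_keys: Sequence[int]) -> int:
    """Separate personalizing module 5122: undo UK_r, then the common table."""
    for prk, uk in zip(partition_key(transformed_key), unique_keys):
        c = confusion(DIFFUSION[c], prk ^ uk)
    return c


def personalized_confusion_table(uk: int) -> List[List[int]]:
    """FIG. 15: columns reordered so that the column selected by PRK is the
    common column for PRK XOR UK; the XOR no longer exists as a separate step."""
    return [[confusion(x, prk ^ uk) for x in range(4)] for prk in range(4)]


def descramble_fig15(c: int, transformed_key: int, tables: Sequence[List[List[int]]]) -> int:
    for prk, table in zip(partition_key(transformed_key), tables):
        c = table[prk][DIFFUSION[c]]
    return c


# FIG. 16: each PRK bit gates one of two preprogrammed transformation tables.
def gated_tables(a: int, b: int) -> Tuple[Dict[int, int], Dict[int, int]]:
    """Two transformation tables for one round, constructed as XOR with a and b."""
    return {x: x ^ a for x in range(4)}, {x: x ^ b for x in range(4)}


def preprocess_gated(round_keys: Sequence[int], bases: Sequence[Tuple[int, int]]) -> int:
    """Preprocessor for FIG. 16: find the bits (ca, cb) for which applying the
    gated tables equals the common round, i.e. (ca*a) XOR (cb*b) == RK_r."""
    prks = []
    for rk, (a, b) in zip(round_keys, bases):
        hits = [(ca << 1) | cb for ca in (0, 1) for cb in (0, 1)
                if (a if ca else 0) ^ (b if cb else 0) == rk]
        if len(hits) != 1:          # tables must span the 2-bit space
            raise ValueError("transformation tables must span GF(2)^2")
        prks.append(hits[0])
    return join_key(prks)


def descramble_fig16(c: int, transformed_key: int, bases: Sequence[Tuple[int, int]]) -> int:
    for prk, (a, b) in zip(partition_key(transformed_key), bases):
        table_a, table_b = gated_tables(a, b)
        x = DIFFUSION[c]
        if prk & 0b10:              # first PRK bit: apply the first table
            x = table_a[x]
        if prk & 0b01:              # second PRK bit: apply the second table
            x = table_b[x]
        c = x
    return c


def demo(c: int = 0b11) -> Dict[str, int]:
    """Receiver i with its own T_i(K), and receiver j fed the intercepted T_i(K).
    Unique keys and table bases are constructed values."""
    uk_i, uk_j = [0b01, 0b10], [0b10, 0b11]
    bases_i, bases_j = [(0b01, 0b11)] * 2, [(0b10, 0b01)] * 2
    tk_xor = preprocess_xor(COMMON_ROUND_KEYS, uk_i)          # 1011, as on the page
    tk_gated = preprocess_gated(COMMON_ROUND_KEYS, bases_i)   # 0110, as on the page
    tables = {r: [personalized_confusion_table(u) for u in uk] for r, uk in (("i", uk_i), ("j", uk_j))}
    return {"common": descramble_common(c, COMMON_ROUND_KEYS),
            "tk_xor": tk_xor, "tk_gated": tk_gated,
            "fig14_i": descramble_fig14(c, tk_xor, uk_i), "fig14_j": descramble_fig14(c, tk_xor, uk_j),
            "fig15_i": descramble_fig15(c, tk_xor, tables["i"]), "fig15_j": descramble_fig15(c, tk_xor, tables["j"]),
            "fig16_i": descramble_fig16(c, tk_gated, bases_i), "fig16_j": descramble_fig16(c, tk_gated, bases_j)}
```

    Running demo() shows receiver i recovering M=10 under all three schemes while receiver j, given the same intercepted T.sub.i(K), produces 01 (FIG. 14/15) or 00 (FIG. 16). Note the FIG. 16 preprocessor must know which tables receiver i holds, and those tables must span the round-key space, otherwise no PRK exists for some round keys.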

    [0101] Different receivers with a block cipher as shown in FIG. 16 are typically preprogrammed with different personalized confusion modules, i.e. with a different set of transformation tables in the personalized confusion modules, and will therefore advantageously not be able to decrypt the input ciphertext C with an intercepted transformed input binary key T.sub.i(K) of other receivers.

    [0102] It is to be understood that the invention is not limited to two-bit data operations with two block cipher rounds as shown in the various examples. For example, AES block ciphers typically use a 128-bit cipher block size and a key size of 128, 192 or 256 bits in 10, 12 or 14 block cipher rounds. For example, DES block ciphers typically use a 64-bit cipher block size and a 56-bit key size in 16 block cipher rounds.

    [0103] The following exemplary embodiments show how a personalized descrambler may be secured using personalized whitebox descramblers based on stream ciphers.

    [0104] FIG. 18 shows an example of a personalized whitebox stream cipher module 316. Preprocessed key related data T.sub.i(K) is input to the personalized stream cipher module 316. T.sub.i(K) contains a preprocessed key K that has been preprocessed by a setup function and a key expansion function in a preprocessing module 811 external to the personalized stream cipher module 316. Moreover, the preprocessed key K is transformed. T.sub.i(K) is input to a XOR module 415 for descrambling a ciphertext C. Similar to the working of the tables in the personalized confusion modules of the block cipher embodiments, the XOR tables in the XOR module are personalized to invert the transformation.

    [0105] FIG. 19 shows an example of an alternative personalized whitebox stream cipher module 317. Preprocessed key related data T.sub.i(K) is input to the personalized stream cipher module 317. T.sub.i(K) contains a preprocessed key K that has been preprocessed by a setup function in a preprocessing module 811 external to the personalized stream cipher module 317. Moreover, the preprocessed key K is transformed. T.sub.i(K) is input to a key expansion module 513 to obtain a personalized expanded key PEK. The PEK is input to a XOR module 416 for descrambling a ciphertext C. Similar to the working of the tables in the personalized confusion modules of the block cipher embodiments, the XOR tables in the XOR module may be personalized to invert the transformation. Alternatively the key expansion module 513 performs the inverse transformation.
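    The FIG. 18 arrangement of paragraph [0104], as an added example (not code from the patent): the preprocessor transforms the already expanded keystream bytewise with a receiver-specific bijection T.sub.i, and the receiver's XOR module is a two-dimensional table that folds T.sub.i.sup.-1 into the XOR, so the untransformed keystream never exists in the receiver. The keystream bytes, the content bytes, and the way T.sub.i is built (a byte permutation seeded from the receiver id, purely for reproducibility here) are constructed assumptions; the setup and key expansion functions of the stream cipher are assumed to have run already.

```python
"""Personalized whitebox stream-cipher XOR module (FIG. 18 style). Added example
with constructed keystream, content and per-receiver transformation."""
import random
from typing import List, Tuple

KEYSTREAM = bytes(range(7, 7 + 32))               # constructed expanded key
PLAINTEXT = b"program stream: channel 4 video"    # constructed content (31 bytes)


def transformation_tables(receiver_id: int) -> Tuple[List[int], List[int]]:
    """Byte bijection T_i and its inverse. Constructed: a shuffle seeded by the
    receiver id stands in for the secret bijection shared by preprocessing
    module 811 and descrambler i; a deployment would not derive it from the id."""
    perm = list(range(256))
    random.Random(receiver_id).shuffle(perm)
    inv = [0] * 256
    for x, y in enumerate(perm):
        inv[y] = x
    return perm, inv


def preprocess_keystream(expanded_key: bytes, receiver_id: int) -> bytes:
    """Preprocessing module 811: transform the expanded key bytewise into T_i(K)."""
    perm, _ = transformation_tables(receiver_id)
    return bytes(perm[b] for b in expanded_key)


def personalized_xor_table(receiver_id: int) -> List[List[int]]:
    """XOR module 415 of receiver i as one table: row t (transformed keystream
    byte), column c (ciphertext byte) -> plaintext byte, with T_i^-1 folded in."""
    _, inv = transformation_tables(receiver_id)
    return [[inv[t] ^ c for c in range(256)] for t in range(256)]


def descramble(ciphertext: bytes, transformed_key: bytes, table: List[List[int]]) -> bytes:
    if len(transformed_key) < len(ciphertext):
        raise ValueError("transformed keystream shorter than ciphertext")
    return bytes(table[t][c] for t, c in zip(transformed_key, ciphertext))


def scramble(plaintext: bytes, keystream: bytes) -> bytes:
    """Head-end side: plain keystream XOR, as in the prior-art FIG. 17 descrambler."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def demo(receiver_i: int = 7, receiver_j: int = 8) -> Tuple[bytes, bytes]:
    """Receiver i with its own T_i(K); receiver j fed the same intercepted T_i(K)."""
    c = scramble(PLAINTEXT, KEYSTREAM)
    tk_i = preprocess_keystream(KEYSTREAM, receiver_i)
    own = descramble(c, tk_i, personalized_xor_table(receiver_i))
    other = descramble(c, tk_i, personalized_xor_table(receiver_j))
    return own, other
```

    The table has 65536 entries for a byte-wide keystream, which is the price of hiding the inverse transformation inside the XOR; the FIG. 19 variant instead lets the key expansion module 513 apply T.sub.i.sup.-1 before a plain XOR.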

    [0106] The following exemplary embodiment shows how a personalized descrambler may be secured using personalized whitebox descramblers based on a public key cipher.

    [0107] FIG. 21 shows an example of a personalized public key cipher module 318. The value of the key K is hidden by setting T.sub.i(K)=(K+K1) in an external preprocessing module 811, where K1 is a value specific to descrambler i. A personalized exponentiation module 514 calculates a personalized expanded key PEK=G.sup.(K+K1) mod N using input T.sub.i(K). Thus a personalized version of the public key algorithm is created by varying the value of K1. The obtained expanded personalized key PEK is input to a personalized decipher module 417 for deciphering an input ciphertext C. As part of the deciphering of ciphertext C, the ciphertext C may be modified in modification module 4051 into an intermediate ciphertext C.sub.1 prior to being input to the personalized decipher module 417.
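    The arithmetic behind paragraph [0107], as an added example (not code from the patent). The page only gives T.sub.i(K)=K+K1 and PEK=G.sup.(K+K1) mod N; how module 417 consumes PEK is not spelled out, so two things here are assumptions: the content is masked at the head-end as C=M*G.sup.K mod N, and receiver i strips its own offset with a factor G.sup.-K1 mod N embedded in the decipher module. The modulus, generator, key and offsets are constructed test values (5 is a primitive root modulo 1000000007, and that prime is a safe prime, so the two receivers are guaranteed to disagree).

```python
"""Personalized whitebox public-key descrambler (FIG. 21 style). Added example;
content masking and offset removal are assumptions, values are constructed."""
from typing import Tuple

N = 1_000_000_007   # prime modulus (constructed; safe prime, 5 is a primitive root)
G = 5


def preprocess(k: int, k1: int) -> int:
    """Preprocessing module 811: T_i(K) = K + K1, K1 specific to descrambler i."""
    return k + k1


def personalized_exponentiation(transformed_key: int) -> int:
    """Module 514: PEK = G^(K+K1) mod N. K itself never appears in the receiver."""
    return pow(G, transformed_key, N)


def scramble(m: int, k: int) -> int:
    """Head-end side (assumed masking): C = M * G^K mod N."""
    if not 0 < m < N:
        raise ValueError("message must lie in (0, N)")
    return m * pow(G, k, N) % N


def personalized_decipher(pek: int, c: int, k1_embedded: int) -> int:
    """Module 417 of receiver i (assumed): G^K = PEK * G^(-K1) mod N, then
    M = C * (G^K)^-1 mod N. Receiver j embeds a different K1 and gets M * G^(K1_j-K1_i)."""
    gk = pek * pow(G, -k1_embedded, N) % N      # pow with negative exponent: Python >= 3.8
    return c * pow(gk, -1, N) % N


def demo(m: int = 123456, k: int = 987654321, k1_i: int = 4242, k1_j: int = 9999) -> Tuple[int, int]:
    """Receiver i with its own T_i(K); receiver j fed the resulting PEK."""
    c = scramble(m, k)
    pek = personalized_exponentiation(preprocess(k, k1_i))
    return personalized_decipher(pek, c, k1_i), personalized_decipher(pek, c, k1_j)
```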

    [0108] FIG. 22 shows a conditional access system 260 of an exemplary embodiment of the invention. A head-end system 250 transmits ECMs, EMMs and a content stream scrambled with a CW (i.e. a ciphertext) to one or more receivers 111 via a distribution network 270. The ECM typically contains one or more encrypted CWs. The ECMs are processed by a secure device 280 that is communicatively connected to the receiver 111. The receiver contains a personalized descrambler 311, 312, 313, 314, 315, 316, 317 or 318. The secure device 280 is e.g. a smartcard and typically contains a secure client 211 as described with FIG. 11. The CWs are preprocessed in a preprocessing module 811 in the head-end system 250 or alternatively in a preprocessing module 811 in the secure client 211.

    [0109] It is to be understood that any feature described in relation to any one embodiment may be used alone, or in combination with other features described, and may also be used in combination with one or more features of any other of the embodiments, or any combination of any other of the embodiments. One embodiment of the invention may be implemented as a program product for use with a computer system. The program(s) of the program product define functions of the embodiments (including the methods described herein) and can be contained on a variety of computer-readable storage media. Illustrative computer-readable storage media include, but are not limited to: (i) non-writable storage media (e.g., read-only memory devices within a computer such as CD-ROM disks readable by a CD-ROM drive, ROM chips or any type of solid-state non-volatile semiconductor memory) on which information is permanently stored; and (ii) writable storage media (e.g., floppy disks within a diskette drive or hard-disk drive or any type of solid-state random-access semiconductor memory or flash memory) on which alterable information is stored. Moreover, the invention is not limited to the embodiments described above, which may be varied within the scope of the accompanying claims.