Volume 7, Number 2, 2008 — The ARM-Enabled Home
Special ARM-Enabled Home Section
The Future of Open Cable Systems: Conditional Access Migrates to DCAS
Author:
Mike Borza, Chief Technology Officer, and Al Hawtin, VP Business Development, Elliptic Semiconductor
Synopsis:
The United States Federal Communications Commission (FCC) has mandated a more open cable television system that would free the consumer from having to purchase or lease a set-top box (STB) from a single manufacturer or cable system operator. One of the problems that needed to be addressed was the number of proprietary, incompatible conditional access systems that different operators had deployed.
Recently, the FCC issued new requirements to migrate to an open system that will support flexible, downloadable security services. The industry response has been the development of a new architecture called Downloadable Conditional Access System (DCAS). This article outlines one DCAS implementation that employs ARM TrustZone technology as its security foundation.
The United States Federal Communications Commission (FCC) has mandated a more open cable television system that would free the consumer from having to purchase or lease a set-top box (STB) from a single manufacturer or cable system operator. One of the problems that needed to be addressed was the number of proprietary, incompatible conditional access (CA) systems that different operators had deployed. The first attempt to meet this mandate led to the development of the OpenCable standard by CableLabs and the creation of CableCARD slots in consumer electronics such as television sets and some digital video recorders (DVRs). A CableCARD provides subscriber and service authentication and encryption functions for the device it is plugged into, making it possible to use a variety of equipment from different manufacturers with a given cable operator's services. The volume of CableCARDs deployed has been modest to date, relative to the total number of digital cable STBs, with over four million CableCARDs sold. Factors such as the choice of the expensive PCMCIA format and high license fees to implement the CA specifications, as well as the lengthy standardization process to define CableCARD, have been blamed for this situation. Other factors that have limited adoption of CableCARDs include a deployment model that required a visit to the subscriber's site by the cable company to configure the CableCARD with the necessary user credentials, which represented a significant cost burden to the cable MSO and ultimately the consumer.
Conditional Access in DCAS
As a result, the FCC issued new requirements to migrate to an open system that will support flexible, downloadable security services. The industry response has been the development of a new architecture called Downloadable Conditional Access System (DCAS). PolyCipher is the cable industry joint venture owned by Comcast, Time Warner Cable and Cox Communications that has been funded to define the first incarnation of DCAS and is building an initial system using the architecture shown in Figure 1. Subscriber premises equipment that is DCAS-enabled is referred to as a DCAS host. DCAS is designed to be low cost to implement, and will be suitable for eventual inclusion in, for example, cable-ready high-definition televisions (HDTVs).
The downloadable aspect of DCAS is quite compelling, as it provides an adaptable security architecture that can be updated should the system be compromised. DCAS has the highly desirable property that subscriber authentication and key management and distribution services are separated from the CA functions that secure access to content. A limited-capability Security Microprocessor (SM) optimized for the first set of functions provides a highly secure environment to store secret identification and authentication credentials. The Transport Processor (TP) provides traditional decoding functions, including the CA descrambling (decryption) capabilities. DCAS requires that both the SM and TP security functions be upgradeable via secure software downloads, eliminating the need for a subscriber site visit or hardware replacement to modify the security design should it be breached by hackers.
The DCAS architecture slices the security design into three distinct and largely severable pieces: a security design that encompasses the authentication and validation between the DCAS host and the Authentication Proxy; a security design for the Transport Processor, which enforces confidentiality between content distributors and the DCAS host; and finally a digital rights management (DRM) design to support authentication and encryption between the DCAS host and HDTV, DVR and other rendering and media processing devices. These pieces of functionality will likely be phased in over time. For example, the DRM element may be deployed later, after successful tests and consumer trials of the basic DCAS concept.
Evolution to Modern HDTV Set-top Box Architecture
Traditionally, proprietary conditional access functions were integrated into the STB. With CableCARD came the possibility to augment these proprietary CA systems with portable security modules, liberating consumers from hardware lock-in. Now, as digital video, both standard-definition (SD) and HDTV, enters the market and is aggregated with other data services such as Internet access and Voice Over Internet Protocol (VOIP) provided on the cable network, the architecture of the STB is maturing significantly. Two-way cable and enhanced user interfaces allow more sophisticated service offerings, including network Personal Video Recorder (nPVR), Video on Demand (VOD), Movies on Demand (MOD) and others. Cable customers are now able to enjoy enhanced video and audio programming, available more readily through a variety of subscription and pay-per-use purchase models and on a flexible schedule to suit consumers' needs. Moving away from provider-based CA modules to a model in which the CA system can be provisioned and managed flexibly over the network is one attribute that distinguishes DCAS. The flexibility engendered in DCAS makes it possible for multiple CA systems, whether Mediacipher or PowerKey, to be simultaneously and dynamically supported, providing many different services purchased by consumers from a multitude of sources.
A number of vendors offer SoC products for the set-top box market. Architecture for a modern CableCARD-ready STB is similar to that shown in Figure 2. The security model in STBs has become much more rigorous and complex over the years, involving several hardware security elements. These designs may be greatly enhanced through the use of the ARM® TrustZone® security technology.
A number of security features are present in this system. Security block number 1 in the architecture is used to provide proprietary CA decryption of media transport streams. The transport stream source may be a digital signal feed delivered over a network, e.g., QAM-modulated RF input or Ethernet on an Internet Protocol (IP) input, delivered to a digital STB. The STB's TP demultiplexes and decodes the transport stream for the selected video/audio service. This medium-speed encryption core decrypts (or descrambles) the media stream with the required cipher, typically DES or 3DES, depending on the country and/or service operator the set-top box will be used in. Bit rates for the cipher cores are approximately 200 Mbps as multiple, encrypted HDTV streams are required in high-definition architectures.
Security block number 2 is more general purpose in nature and is usually tailored to fit the specifics of the peripherals attached to the set-top box. Decrypted media content derived from transport streams may be sent out to a peripheral or hard disk on USB, Ethernet or through the SATA interface. This resource relies primarily on the AES cipher in modes such as cipher-block-chaining (CBC) or XTS (XEX-based Tweaked Code Book). The XTS-AES mode, which is the new standard for storage security, is specified by the IEEE P1619 standard. Peak rates through this part of the system security design can be very high but are usually configured for a 400 Mbps rate to meet the needs of USB 2.0 storage solutions.
Security block 3 supports the High Definition Multimedia Interface (HDMI), and increasingly Digital Transmission Content Protection (DTCP), links for secure distribution of media streams to devices such as HDTV monitors, surround sound receivers and DVD recorders. These links can require very high-performance ciphers capable of supporting uncompressed HD video rates of up to 5 Gbps. The High Bandwidth Digital Content Protection (HDCP) cipher required for HDMI is capable of supporting this bit rate and is operated in encrypt-only mode in the set-top box.
Last but not least, security block 4 is the key derivation and secure key storage facility for the device. This block offers a public key acceleration engine which speeds asymmetric cryptography used in key negotiation and subscriber authentication algorithms. A hardware true random number generator (TRNG) offers a continuous stream of random numbers, which are required in many asymmetric algorithms. An Elliptic Key-wrap Module (EKM) is combined with on-chip non-volatile memory to create a secure key repository, which greatly enhances the overall security of the SoC.
Designers can augment the security architecture in software through the ARM TrustZone technology. TrustZone is a processor virtualization technology that allows the segregation of processor resources into secure and un-secured instances. Figure 3 illustrates the TrustZone model.
TrustZone technology offers designers the ability to segregate sensitive information, such as keys and other security credentials, into a security partition that greatly enhances the robustness of the security design without adding significant numbers of gates or memory. Before the arrival of TrustZone technology, designers often implemented dual CPU systems with one processor designated as a general purpose media processor for codecs, communications and user interface, while the second processor was configured as a secure processor, which ensured that keys and other secrets were only accessed by known processes running on the main processor. This architecture is extremely secure but has significant cost, software complexity, area and power overheads.
The obvious advantage to a TrustZone system is that there is only one processor, one instance of the cache and other overhead. ARM has implemented TrustZone through architectural extensions that include:
Secure Monitor Mode to provide a gatekeeper for access to secure state
Controlled entry points to the Secure Monitor through a dedicated new instruction and exception trapping
Secure bit in the core to control access to specified resources only when the processor is running in the secured state
Additions to the page tables in the secure state to limit access to secure memory only by processes running inside the TrustZone execution environment
Cache that tags lines with security information to enforce security domain separation
Security state exposed on the SoC bus to permit implementation of security-aware memory and peripherals
Ability to carefully restrict and control debug access to secure software
With TrustZone technology, it is now possible to assign security resources and secrets between the unsecured partition and the secured partition to enhance the security design. Figures 4 and 5 illustrate the two different views of the set-top box SoC architecture that are available when TrustZone technology is used.
As is illustrated in the block diagram, when the processor is operating in secure mode (Figure 4), the core may have visibility to all the key contexts in each of the cores, the NVM keys and the phase 0 secure boot loader which does the initial cryptographic verification of the boot loader and operating system stored in external Flash. Algorithms for mutual authentication and key derivation are all run in the TrustZone secure mode, and key store memories are accessible only while the system is operating in this mode.
As shown in Figure 5, after the boot process is complete, the processor runs in mission mode and the NVM key store resources and boot ROM are no longer visible to the processor. TrustZone technology provides a mailbox mechanism through which applications access security resources, for example, to pass network data to the PKA block to implement subscriber authentication protocols. The processor switches between its TrustZone-enabled mode and user space to provide access to protected cores.
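The mailbox boundary described above is the point where the secure side has to distrust every field supplied by the normal world. The C code below is an added example, not code from the article, ARM or Elliptic; the memory map, command numbers, key-slot table and function names are all hypothetical. It shows the checks a secure-side mailbox handler would make before a request reaches a protected core: keys are named by slot handle only, each slot is bound to one command, and the data buffer must lie wholly in non-secure memory.

```c
#include <stdint.h>

/* Hypothetical memory map: the non-secure RAM window for request buffers. */
#define NS_RAM_BASE 0x80000000u
#define NS_RAM_SIZE 0x00100000u
#define NUM_SLOTS   3u

enum mbox_cmd    { MBOX_PKA_VERIFY = 1, MBOX_DESCRAMBLE = 2 };   /* hypothetical */
enum mbox_status { MBOX_OK, MBOX_EBADCMD, MBOX_EBADKEY, MBOX_EBADBUF };

struct mbox_req {
    uint32_t cmd;
    uint32_t key_slot;  /* handle into the secure key store, never key bytes */
    uint32_t buf_addr;  /* normal-world buffer the protected core will use */
    uint32_t buf_len;
};

/* Secure-side policy: which command each provisioned key slot may serve. */
static const struct { uint8_t provisioned; uint32_t allowed; } key_store[NUM_SLOTS] = {
    { 1, 1u << MBOX_PKA_VERIFY },   /* slot 0: authentication key */
    { 1, 1u << MBOX_DESCRAMBLE },   /* slot 1: content key */
    { 0, 0 },                       /* slot 2: empty */
};

/* Overflow-safe test that [addr, addr+len) lies wholly in non-secure RAM. */
static int ns_range_ok(uint32_t addr, uint32_t len)
{
    if (len == 0 || len > NS_RAM_SIZE || addr < NS_RAM_BASE)
        return 0;
    return (addr - NS_RAM_BASE) <= (NS_RAM_SIZE - len);
}

/* Validate a request read from shared memory; *out receives the checked copy. */
enum mbox_status mbox_validate(const volatile struct mbox_req *shared,
                               struct mbox_req *out)
{
    /* Snapshot first: the normal world can rewrite shared memory after a check. */
    struct mbox_req r = { shared->cmd, shared->key_slot,
                          shared->buf_addr, shared->buf_len };
    if (r.cmd != MBOX_PKA_VERIFY && r.cmd != MBOX_DESCRAMBLE)
        return MBOX_EBADCMD;
    if (r.key_slot >= NUM_SLOTS || !key_store[r.key_slot].provisioned ||
        !(key_store[r.key_slot].allowed & (1u << r.cmd)))
        return MBOX_EBADKEY;
    if (!ns_range_ok(r.buf_addr, r.buf_len))
        return MBOX_EBADBUF;
    *out = r;
    return MBOX_OK;
}
```

Only the copy returned in `out` should be handed on to the protected core, so that the values acted on are the values that were checked.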
By contrast, a DCAS implementation splits the functionality required into two separate devices. The block diagram of the two devices is shown in Figure 6. This separation is a requirement for DCAS-certified implementations.
The security blocks are now divided between the two devices in the architecture. The SM stores device credentials, including keys and certificates, and has both symmetric and asymmetric capabilities in its security engine. It is similar to a smart card, with the major difference that its security design can be updated through download of new secure code loads and credentials from authorized network servers. The SM can be located right inside the DTV, STB or other media device depending on the final requirements specified by the cable operator. The Transport Processor (TP) has two fixed security blocks: one is used for high-speed decryption of the content from the transport stream (through a conditional access descrambler), and the other is designed for local security such as storage on hard disks, across USB or FireWire, and for DRM. As before, this security block includes symmetric algorithms such as a multi-mode AES core, 3DES and SHA. All keys for the symmetric ciphers and hashes are derived from algorithms that are run on the SM. The SM and TP communicate through an encrypted or physically secure channel to protect program and content keys.
In the DCAS architecture, designers can once again take advantage of TrustZone technology to enhance the security architecture. Protection of the TP communication processes with the SM, as well as actual security operations on content streams, is logically suited to operation inside TrustZone technology. This can simplify the system design and reduce overall system cost for STB, PVR, HDTV and other next generation media devices.
In Summary
Implementation of DCAS by cable operators will provide benefits for consumers in the form of greater choice of hardware devices and compatibility between different cable system operators when it is fully deployed. It also benefits equipment providers by opening up previously proprietary systems. The software-upgradeable nature of DCAS means that content and programming providers can enjoy adaptable protection of their products and services, in essence protecting them from hacks of proprietary systems that have gone on in the past. While SoC designers in this arena face some initial challenges to established practices, their products will ultimately have greater applicability to the rapidly evolving cable and network-based media distribution industries.