Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
  • H04N7/00—Television systems
  • H04N7/16—Analogue secrecy systems; Analogue subscription systems
  • H04N7/162—Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing
  • H04N7/163—Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing by receiver means only
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
  • H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
  • H04N21/40—Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
  • H04N21/41—Structure of client; Structure of client peripherals
  • H04N21/418—External card to be used in combination with the client device, e.g. for conditional access
  • H04N21/4181—External card to be used in combination with the client device, e.g. for conditional access for conditional access
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
  • H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
  • H04N21/40—Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
  • H04N21/45—Management operations performed by the client for facilitating the reception of or the interaction with the content or administrating data related to the end-user or to the client device itself, e.g. learning user preferences for recommending movies, resolving scheduling conflicts
  • H04N21/462—Content or additional data management e.g. creating a master electronic programme guide from data received from the Internet and a Head-end or controlling the complexity of a video stream by scaling the resolution or bit-rate based on the client capabilities
  • H04N21/4627—Rights management associated to the content

Definitions

• the invention relates to the management of a pool of set-top boxes and / or descramblers of a multimedia stream, particularly in pay television, and the management of a homologous park of security processors, such as smart cards.
• This association check well known as a matching check, consists of limiting the use of one or more terminals with one or more cards. Various reasons may impose such a limitation: -
• a choice of manufacture and / or management of these devices is to form inseparable pairs of a terminal and a card
• a card (respectively a terminal) must refuse to work with an unofficial terminal (or card); • a set of terminals and cards must only allow access to certain services or the services of a single operator; for example, under de promotional campaigns of a terminal manufacturer buying a decoder may be associated with a promotional offer of 1 subscription preloaded into a usable only card in the terminal. In all these cases, however, there is the problem of verification of the pairing between the terminal and the card.
• WO-99/57901 proposes a procedure for verifying a pairing between a terminal and a security processor.
• this procedure is conducted with the terminal, which then verifies that a value stored in the security processor corresponds to a value stored in a memory of the terminal.
• the present invention improves the situation.
• a security processor when paired with a terminal, is arranged to cooperate with this terminal for supplying thereto data to a decoding and / or descrambling a multimedia stream that receives' the terminal according to the conditions secure access associated with this stream.
• the method according to the invention then comprises: a) a step of assigning pairing values in which at least one first value is stored in a memory of a terminal and at least one second value corresponding to said first value, in a memory of a security processor intended to be matched to the terminal, and b) a matching control step, prior to the verification of the conditions of secure access, ' in which the security processor is arranged to reading and comparing said first and second values match, then continue 'or stop its operation with said terminal, depending on the comparison of the first and second values pairing.
• the pairing is "control procedure carried out by the processor. security, so • that the computer program stored in a memory 'of the security processor, which provides control of pairing is inaccessible to unauthorized persons.
• a second value corresponding to a first value is meant the fact that there exists a predetermined function that can uniquely relate the first match value to the second pairing value.
• the security processor simply checks whether the first and second match values are identical. Alternatively, only the first bytes of the match values can be compared, while subsequent bytes can advantageously be used to identify version or serial numbers, or the like, of the terminal and / or the security processor.
• Another embodiment consists in providing, in step a), a terminal matching value consisting of a series of bytes, such as a sequence of characters, and a pairing value in the security processor. which is the cryptographic digest of this sequence of bytes, condensed obtained by a one-way function as well known in the state of the art.
• the security processor recalculates the digest of the sequence of bytes transmitted to it by the terminal and simply checks whether the calculated digest and the stored digest are identical. This embodiment is particularly advantageous when the sequence of bytes constituting the first matching value is too long to be stored in the security processor.
• the first matching value is transmitted "in clear" from the terminal to the security processor, which means that it is not necessary to provide any encryption / decryption procedure to transfer this first matching value, according to a simple and advantageous embodiment.
• first and second matching values correspond to an identifier of the type of security processor.
• each of said first and second matching values corresponds to the association of a security processor type identifier and a terminal type identifier.
• the aforementioned identifier of the type of security processor comprises a trademark of the technical system, typically the - access control system, shared by the terminal and the security processor, for example the registered trademark "VIACCESS" of the Applicant and, following step b), one can then provide a 'step of displaying the identifier stored in the memory of the terminal on a terminal display unit and / or on a TV screen connected at the terminal. It will thus be understood that the use of this identifier and its reproduction in the terminal is accompanied, in this preferred embodiment, by the reproduction of the mark of said technical system.
• certain security processors are allowed to overcome the pairing control.
• step a) at least one pairing activation indicator is stored in the memory of the security processor whose value triggers or not the comparison of the pairing values, and, in step b), the security processor is arranged to read the value of this indicator, compare the value read with a reference value and trigger or not the verification of correspondence between the matching values, according to this comparison.
• the matching control of step b) can be performed on all or part of the matching values and that said indicator specifies which part (s) of the values of matching - must carry the matching control of step b).
• said indicator specifies whether the pairing control is disabled or whether it relates to one or the other or both identifiers of this combination.
• the processor ' Upon insertion of the security processor (e.g. a smart card) in a counterpart reader of the terminal, the processor ', Security initializes and automatically starts a control routine pairing opposite a corresponding routine in the terminal.
• the present invention also aims at such a routine in the security processor and such a corresponding routine in the terminal, in particular a computer program product intended to be stored in the memory of a security processor and including instructions for setting it.
• the present invention also relates to the system comprising a terminal and a security processor, matched to the terminal and arranged to cooperate with the terminal to provide or not to the latter secure access data for decoding and / or descrambling. a multimedia stream that the terminal receives.
• the security processor also checks the pairing between the terminal and the security processor and, for this purpose, is arranged to read and compare, preferably under the control of a matching activation indicator. , a first match value stored in a terminal memory and a second value. pairing stored in a memory of the security processor, then continue or stop cooperation with the terminal to verify the access data, secure, based on the comparison of the first and second pairing values.
• FIG. 1 schematically represents the elements of the system within the meaning of the invention
• FIG. 2 illustrates the steps of a general method involving step b) of pairing control of the process in the sense of the invention
• FIG. 3 illustrates the storage of identifiers for 'implementation of step a) of the process identifiers assignment within the meaning of the invention
• FIGS. 4A and 4B illustrate flowcharts for implementing the pairing control step and representative of the algorithms of a computer program product within the meaning of the invention.
• the access control system comprises equipment at the head end of the network (not shown) which associates content with access conditions (authorizations and / or constraints). These contents are encrypted and then put online or broadcast via a distribution network 4 (satellite broadcast, cable, transfer over a broadband link eg xDSL, or others).
• a distribution network 4 switched broadband link eg xDSL, or others.
• a user has a terminal 1 capable of managing this type of content whose access is protected.
• the terminal 1 presents the conditions of access to the access control system which verifies them, for example by comparing them with the access rights of the user, and authorizes or denies said access.
• the access rights and the authorization logic are generally stored in a secure module, such as a smart card 2.
• a secure module such as a smart card 2.
• security processor 2 or indistinctly “card to chip 2 "such a secure module.
• the present invention proposes a mechanism for associating a group of smart cards with a group of terminals.
• the method within the meaning of the invention makes it possible to restrict the use of a fleet of smart cards to a set of terminal terminals.
• the decoders can not make 'their services when they are implemented with a counterpart park smart cards after checking matching, accept or not to work with these decoders.
• the present invention proposes a solution according to which the card, itself, verifies that information, representative of the group of cards and / or terminals, is present in the terminal.
• Verification that a group of terminals and a group of cards are allowed to be used together can be performed by various solutions.
• these mechanisms even if they can respond to the strong authentication between two entities, are heavy to manage (secret management, initialization, distribution of secrets) and require significant computing and memory capabilities.
• the present invention proposes a simple mechanism, based on the sharing of a particular piece of information referred to as a matching value (typically an alphanumeric string) between a group of cards and a group of terminals.
• a terminal provides the connected map with its matching value by a simple protocol that does not use cryptographic techniques and the map compares this received value to its own match value.
• the method in the sense of the invention uses a technique of a limited security level.
• it can be applied in conjunction with another, strong authentication method between terminal and card based on cryptography powerful, method to which it brings the adequacy control of a park of terminals to a park of cards.
• the simplicity of implementation of this pairing control remains very advantageous, insofar as the matching control is performed by the card, which provides a certain degree of protection as explained above.
• the implementation of the invention does not use data exchanged in encrypted form and does not require, in the exchange of these data between terminal and card, the use of encryption / decryption algorithms in the memory of the terminal and / or in the memory of the card.
• one pairing control mechanism according to the invention is configurable, lockable and / or releasable, thus providing a remarkable flexibility in the use of the method.
• the terminal 1 is connected to the network 4 and, for example, to a television 3. It may comprise a display screen 11, as well as a reader 12 of a smart card 2. As at least the messages that the terminal transmits to the smart card, for the pairing control, are "in clear", it can be expected to display all or part of these messages on the screen of the television 3 and / or on the display screen 11 of the terminal.
• an initialization sequence of the card is automatically performed by a procedure called "ATR sequence" (for "Answer to Reset”).
• ATR sequence for "Answer to Reset”
• the procedure for putting the card into service in the terminal continues with the implementation of an exchange protocol, where appropriate secure, messages between the terminal and the card, the processing on both sides of these messages for controlled access to multimedia content.
• these messages transmitted between card and terminal can be:
• the pairing control procedure in the sense of the invention occurs between the initialization of the card and the implementation of message exchanges as described above.
• the matching control conditions the use of the card to access services and, in particular, the processing of ECM messages by the card.
• a card that supports the pairing method within the meaning of the invention has a software function adapted to this purpose. method and in its memory of a matching value and an indicator of activation of the matching control.
• the first step 21, following the insertion of the card 2 into the reader 12 of the terminal, consists of an initialization of the card which continues automatically by the test 22 of the indicator of activation of the matching control stored in the card.
• step 23 an internal flag to a value allowing card processing of ECM messages: this makes it possible to operate the card in any terminal without prior pairing.
• step a) the matching control is preferentially effective and conditions the processing of the ECM messages. So, step b
• the card sets (step 24) said internal indicator to a value specifying that the ECM messages should not be processed: thus the card 2 does not treat • no ECM message transmitted by the terminal, as long as step b) of control 1 matching within the meaning of the invention was not performed. Then, the card performs the matching check (test 25). During this pairing check step, the card 2 receives from the terminal the matching value thereof and then verifies the correspondence between the terminal matching value and the match value stored in the card. In case of non-correspondence between these pairing values (arrow N at the output of the test 25), a matching error situation 26 is detected and the cooperation between the terminal and the card can then stop at this step.
• the card does not process any ECM message. On the other hand, if the .
• the test match control procedure 25 reaches a positive conclusion (arrow ' Y ' ), the card sets (step 27) the aforementioned internal flag to a value allowing processing by the ECM message card.
• test 25 the verification of the correspondence between the matching values can be done according to different methods, such as for example the simple equality or the equality of the cryptographic digest of the value of pairing the terminal and the map matching value. This verification may also include all or only part of each matching value, depending on the value of the matching activation flag.
• the card is likely to receive ECM messages transmitted by the terminal. From the insertion of the card 2 into the terminal 1, the card ignores (step 29) any received ECM message (step 28) until the pairing check has been performed. Then, after the internal indicator has been set, following the test 22, to a value authorizing (step 23) or not authorizing (step 24) the processing of the ECM messages, the card takes into account the ECMs received from the terminal . Thus, upon receiving an ECM (step 30), the card tests the internal indicator (test 31).
• the card does not process this ECM and sends back to the terminal a pairing error message (step 34) specifying that the terminal and the card are not matched. In this case, the terminal can not descramble / decode the intended content and may display a mismatch message to the user (step 36).
• the value of said internal indicator specifies that the processing of an ECM is authorized (arrow Y of the test 31)
• the card proceeds with the processing of the ECM (step 32) in accordance with the functionalities of the control system of the ECM. access used by the card. As a result of this ECM processing, the card returns to the terminal the data consecutive to this processing (step 33).
• the processing of the ECM is normally carried out without it being modified in any way by the matching method: the data consecutive to this processing and received by the terminal (step 35). ) are mainly those 'which will allow the terminal to descramble / decoding the content transmitted by the network 4 or may be error messages if the descrambling / decoding is not allowed by the access conditions present in the ECM.
• These matching values may consist of the same single information shared by the terminal and the card. They may also consist of a pair of information, one relating to the card such as an identification of the type of card denoted id (CAR), the other relating to the terminal such as an identification of the type of terminal noted id (STB). While being easily transposable to the case of simple information, the operation of the method is described below in the case where the pairing values consist of a pair of information. It is also obvious that the method is directly applicable in the case where the matching values are the combination of more than two pieces of information.
• CAR identification of the type of card denoted id
• STB identification of the type of terminal noted id
• the terminal 1 comprises a memory MEM1 for storing preferentially:
• STB characteristic identifier of the type of terminal
• id (CAR) I a characteristic identifier of the type of security processor, denoted id (CAR) I.
• the identifier id (STB) I is characteristic of the type of the terminal. It allows to target the type of terminals with which a card can work as part of this pairing. The interest of this identifier id (STB) I appears for example in the case where a manufacturer distributing terminals provides a promotional offer associating its terminal and a pre-authorized chip card for a particular service, the card not having only work with this type of terminal as part of this promotional offer.
• the identifier id (CAR) I is characteristic of the type of security processor. It preferably contains a string of characters, such as, more particularly, a mark of the access control system shared by the terminal and the security processor.
• the terminal 1 is programmed to always present to the map, as a matching value, the terminal type identifier id (STB) 1 and the security processor type identifier id (CAR) I. These two identifiers are always presented by the clear terminal, during the pairing control step b). In addition, it can be expected to display one and / or the other of these identifiers Id (STB) I and Id (CAR) I on the screen of the television 3 and / or on the screen of 11 display of the terminal 1 during the pairing check.
• the matching value consists of a simple information
• the identifier id (CAR) I contains more especially the mark of the access control system supported by the card.
• this simple identifier is always presented in clear by the terminal to the card and can be displayed on the screen of the television 3 and / or on the display screen 11 of the terminal.
• the access to contents is authorized by the security processor 2, at least on the condition that the latter 2 belongs to the park that is matched to the park of the set-top terminals, which is controlled by the correspondence of the values id (STB) I and id (STB) 2 between them on the one hand, and by the correspondence of the values id (CAR) I and id (CAR) 2 between them on the other hand.
• the identifier assigning step a) so storing in a memory MEM2 processor '2 security type identifier. terminal id (STB) 2 and a card type identifier id (CAR) 2.
• this memory of the security processor 2 is non-volatile (for example of the E2PROM type).
• the security processor 2 can be paired with the terminal 1, the identifiers id (STB) I and id (STB) 2, on the one hand, and the identifiers id (CAR) I and id (CAR) 2, on the other hand, must match each other.
• the pairing between the card park and the terminal park can be controlled solely by the. security processor identifiers id (CAR) I and id (CAR) 2 which must then match.
• the values of two parameters VP (STB) and VP (CAR) are stored in the memory of the card MEM2. The combination of these two parameters constitutes the pairing activation indicator mentioned above. The values of these two parameters VP (STB) and VP (CAR) will be read as soon as the card is initialized to start or not the pairing control procedure (test 22).
• the value of the VP (STB) parameter will be tested to trigger or not the ID matching check procedure for terminal types id (STB) l and id (STB) 2, on the one hand, and the value of the parameter VP (CAR) will be tested to trigger or not the procedure for checking the correspondence of identifiers relating to the type of security processor Id (CAR) I and id (CAR) 2, of somewhere else.
• the roles of these parameter values VP (STB) and VP (CAR) will be described in detail with reference to FIGS. 4A and 4B.
• the values stored in the id (STB) 2, id (CAR) 2, VP (STB) and VP (CAR) cards can be modified globally or individually by receiving messages of the EMM type.
• the modification of at least one of these values in the card (step 37) makes it take them into account at the next initialization of the card or, preferably, that the card perform the pairing check again as after initialization (step 37 of Figure 2) with the latest values id (STB)! and id (CAR) I received from terminal.
• these values are in no way searchable in the memory of the card, just as card identification values are never accessible to a subscriber using the terminal.
• the match activation flag VP consists of a single part. VP (CAR) which alone is stored in the card and which alone is considered to decide whether the pairing control is to be performed.
• the card can access the EMM.
• it can only access the ECM messages if the procedure of. control 1 pairing was successful, in which case the treatment of ECM by the card can be made.
• the value of the VP (STB) parameter defines whether the match check should be performed on the terminal IDs id (STB) I and id (STB) 2, and the value of the parameter VP (CAR) defines whether the match check must be performed on the security processor type identifiers id (CAR) I and id (CAR) 2.
• Figure 4A illustrates the role of these parameters in the test 22 of the match activation flag. If the value of the VP (STB) parameter defines that the match check should not be - performed on terminal type ids (STB) I and id (STB) 2
• VP (CAR) defines that the match check should not be performed on security processor type IDs id (CAR) I and id (CAR) 2 (arrow N of test 42), so the result of test 22 is that the matching control shall not be performed, which corresponds to the output N of the overall test 22. In all other cases, the values of the parameters VP (STB) and VP (CAR), the matching control shall be performed, which corresponds to the output Y of the global test 22.
• Figure 4B illustrates the role of these parameters in the test where the matching check is performed. If the value of the VP (STB) parameter defines that the match check must be performed on the terminal type IDs id (STB) I and id (STB) 2 (arrow Y of the test 43), the match of the two identifiers id (STB)! and id (STB) 2 is tested (test 44). If these two identifiers do not match (arrow N of the test 44), the matching control is negative (arrow N of the overall test .25).
• STB the value of the VP (STB) parameter defines that the match check must be performed on the terminal type IDs id (STB) I and id (STB) 2 (arrow Y of the test 43)
• the match of the two identifiers id (STB)! and id (STB) 2 is tested (test 44). If these two identifiers do not match (arrow N of the test 44), the matching control is negative (arrow N of
• test 25 does not have to take into account the case where neither the correspondence of the identifiers of the type of terminals nor that of the security processors are to be tested since this case was rejected during the test 22.
• test 25 is equivalent if we first consider the identifiers of security processors (tests 45 and 46) and the terminal identifiers (tests 43 and 44).
• the broadcast of EMM messages and / or the initial storage in step a) parameter values may or may not allow the security processor to cooperate with any type of terminal to trigger the pairing check.
• the terminal for example from an earlier version, does not provide the matching check procedure (and therefore does not provide an identifier id (STB) l and / or id (CAR) T at board initialization)
• the EMM messages can unlock the pairing control process by assigning the particular values mentioned above to the VP (STB) and VP (CAR) parameters.
• the security processor may be provided to broadcast an EMM message modifying the identifiers relating to the cards, so. to adapt these cards to a new fleet of terminals, or the value of identifiers relating to the types of terminals, under the authority of the suppliers of terminal type identifiers, if the chain alphanumeric identifying these types of terminals must evolve.
• the identifiers id (STB) 2, id (CAR) 2 and the parameter values VP (STB) and VP (CAR) are stored in step a) in FIG. the memory of the card, as global data of the card, for example in the issuer entity of a smart card as identified for example in the standard UTE C 90-007 (Annex 1, section 6) .
• the identifiers and values stored in the card are not searchable using a read command of data stored in the card.
• a function operated by the card and which consists of presenting the identifier id (STB) 2 and / or id (CAR) 2 can give information on the internal state of the authorization of the pairing.
• the terminal will be able to provide directly.
• the ECM and EMM messages allowing the card to proceed to the control of the access rights.
• the simplest embodiment of the invention consists in providing that the pairing value stored in memory of the security processor, on the one hand, and in memory of the terminal, on the other hand, consists of a single piece of information, preferably the identifier of the security processor.
• the parameter values relating to the type of VP card (CAR) and / or the type of terminal VP (STB), although they offer appreciable flexibility for the implementation of the matching control method in the sense of of the invention may not be used in a simplified variant.

Landscapes

• Engineering & Computer Science (AREA)
• Multimedia (AREA)
• Signal Processing (AREA)
• Computer Security & Cryptography (AREA)
• Databases & Information Systems (AREA)
• Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
• Storage Device Security (AREA)

Applications Claiming Priority (2)

Publications (1)

Family

ID=34955094

Family Applications (1)

Country Status (4)

Families Citing this family (2)

Family Cites Families (2)

• 2005
  • 2005-03-23 FR FR0502896A patent/FR2883683B1/fr not_active Expired - Fee Related
• 2006
  • 2006-03-03 EP EP06726025A patent/EP1862004A1/de not_active Ceased
  • 2006-03-03 WO PCT/FR2006/000493 patent/WO2006100361A1/fr not_active Ceased
  • 2006-03-09 TW TW095107940A patent/TW200639671A/zh unknown

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events