COMPARING THE SECURITY OF PAY-TV SYSTEMS FOR USE IN AUSTRALIA

Lawrence Brown
Centre for Communications Security Research
Department of Computer Science
University College, UNSW, Australian Defence Force Academy
Canberra ACT 2600. Australia.

TR CS90/13
May 6, 1999

Abstract

A Pay-TV system is one in which a TV transmission is delivered to consumers in a form from which only subscribers can benefit. A key technical issue that needs to be resolved is which of the competing technical alternatives for providing a pay-TV system should be used. The various options in a pay-TV service, such as basic service, premium channel and pay-per-view can all be provided by using suitable scrambling and key management schemes. This paper will review the various technical alternatives which may be used to provide a secure pay-TV service for use in Australia. The comparison between them will concentrate on their security aspects, and particular emphasis will be placed on the current generation of higher security schemes.

1. Introduction

A Pay-TV system is one in which a TV transmission is delivered to consumers in a form from which only subscribers can benefit. Several recent reports [Sau89], [DDD89] have recommended that pay-TV be allowed in Australia. A key technical issue that needs to be resolved is which of the competing technical alternatives for providing a pay-TV system should be used. A single system is desirable, since numerous previous fiascos with consumer electronics, eg quad sound or video disk, have shown that competing standards hinder consumer acceptance. Unfortunately, it appears that the same fate awaits pay-TV in Europe at present, due to the presence of at least four incompatible schemes to be used there [Fox89b].

The various options in a pay-TV service, such as basic service, premium channel and pay-per-view [DDD89], can all be provided by using suitable scrambling and key management schemes. This paper will review the various technical alternatives which may be used to provide a secure pay-TV service for use in Australia. The comparison between them will concentrate on their security aspects, and particular emphasis will be placed on the current generation of higher security schemes.

A Pay-TV signal has to be delivered to the consumer in a form such that non-subscribers are unable to benefit from it. There are four major components that need to be considered in the design of such a scheme. These are illustrated in Fig 1, and detailed below.

o Delivery System - the means by which the TV signal is transmitted to the consumers. Possible systems include: VHF/UHF transmission, MDS (Microwave Distribution Schemes), DBS (Direct Broadcast from Satellite), or Cable (either Coax or Optical Fibre).
o Transmission Standard - the way in which the video, sound, and possibly data components of the TV signal are combined for transmission; it is independent of the actual delivery system used.
o Scrambling Technology - the way in which the video, sound and data components of the TV signal should be scrambled so that non-subscribers gain no benefit from them.
o Key Management and Distribution Method - the way in which the keys which are required by subscribers to descramble the Pay-TV signal are created and distributed to subscribers only.

Although interrelated, these components are fairly independent of each other. However, certain combinations have been chosen or proposed for use in practical schemes. This report will first discuss the various technical components, and will then look at combinations of them proposed for use.

    TV src -> scrambler -> tx encoder -> delivery -> rx decode -> descrambler -> TV
                  |                                                    |
                  |---------------> Key Distribution ----------------->|

    Fig 1

2. Technical Issues

2.1. Delivery System

This deals with the means by which the TV signal is transmitted to the consumers. Possible systems include: VHF/UHF transmission, MDS (Microwave Distribution Schemes), DBS (Direct Broadcast from Satellite) [Kon88], or Cable (either Coax or Optical Fibre) [DDD89]. The implications resulting from the choice of delivery system include the number of channels, the cost of the additional receiving equipment, and the bandwidth limitations imposed by the various systems. The last is the most significant from the point of view of the scrambling scheme. The number of channels, and the additional equipment costs, are summarised in [Sau89 p 29]. In brief, the number of extra channels ranges from one for UHF, through several for MDS and DBS, to very many for cable systems, with costs ranging from very cheap for UHF to moderate (order $500 to $1000) for all the others. The bandwidth limitations range from 7MHz for VHF/UHF and older coax cable schemes, to 10MHz for MDS and newer coax cable schemes, to 20MHz+ for DBS and optical fibre schemes.

2.2. Transmission Standards

The Transmission Standard defines the way in which the video intensity and colour, sound, and possibly data components of the TV signal are combined for transmission to the recipient. It is independent of the actual delivery system used, though bandwidth limitations restrict the use of some transmission standards via some delivery systems.
There are two methods of combining these components for transmission: either they can be sent on different (but related) frequencies - termed frequency division multiplexing, or they may be sent sequentially on the same frequency at different times - termed time division multiplexing, which implies time compression of the components to fit them together. These are shown in Fig 2, and are detailed below.

    [Fig 2 here: grab from Gardiner Fig 3 & 4]

2.2.1. Frequency Division Multiplexing

Traditionally, direct TV broadcasts on VHF/UHF have used frequency division multiplexing (FDM) in standards such as PAL (eg in Australia, UK), NTSC (eg in USA, Canada, Japan), or SECAM (eg in Europe, USSR). The receivers required for these schemes are comparatively simple, and most colour TV receivers in use are for one of these standards. These standards originally provided for analog video intensity and colour, and analog sound only. Subsequently they have been extended to carry digital data (such as teletext), and digital sound (if needed for scrambling or other uses) by using the vertical retrace interval (the invisible part of the picture).

In terms of future development of High Definition Television (HDTV), since much more information needs to be transmitted, a new standard is required. Due to pressure from the US and Japan, some compatible extensions of NTSC may be used for HDTV there. In Europe HDTV research has concentrated on using extensions to the newer Time Division Multiplexing standards, under the auspices of the Eureka project.

In the Australian context, since PAL is used for broadcast TV, any Pay-TV scheme must eventually produce a PAL TV signal for display on the current domestic receivers.
This could be achieved either by transmitting the Pay-TV signal using PAL (plus some scrambling scheme), or by using a convertor to translate the Pay-TV signal (after descrambling) into PAL (as is done with the Aussat B-MAC).

2.2.2. Time Division Multiplexing

Newer TV delivery systems, especially for DBS use, have chosen time division multiplexing (TDM) schemes, in particular the MAC (Multiple Analog Component) standards. These include B-MAC (Aussat in Australia), C-MAC, D2-MAC (Europe DBS), and D-MAC (UK DBS). This was done because of problems found with the use of the traditional standards in DBS applications, in particular problems of intermodulation between the intensity and colour components of the image [Gar88]. These newer standards all have digital sound and data, as well as analog video intensity and colour components. In all of these standards, the video components are identical; they differ in the number and format of the digital sound and data components. The formats in use are:

o B-MAC - used in Australia for DBS from Aussat, and in some US DBS services. This is a proprietary standard, owned by Scientific Atlanta, who provide the decoders for it. It provides 6 digital sound channels, a 9.6kbit digital data channel, plus a control data channel for the associated scrambling scheme, along with the analog video. This format requires the use of a 20MHz wide channel, and thus is restricted to satellite or optical fibre delivery systems. Since it is already in use, decoders exist for it in Australia [Luc85], [DDD84], [Bri88].
o C-MAC - the original European DBS proposed standard. It provided 8 digital sound channels, user and control data channels, along with the video. However the provision of this number of digital data channels required the use of a 20MHz wide channel, and thus is restricted to satellite or optical fibre delivery systems [LFM84]. It has been supplanted by two related variants, D2-MAC and D-MAC.
o D2-MAC - was developed originally in Germany, and simply halves the number of digital sound channels to 4 from the C-MAC standard, but is otherwise identical. It can be transmitted in full on a 10MHz channel (available on DBS, UHF, and newer cable systems), or in slightly degraded form on older 7MHz cable systems. Several decoders for it exist, and it is to be used for some DBS services in Europe [Fox89b], [Bre89].
o D-MAC - was developed in the UK, again from C-MAC. It retains all the digital sound channels but changes the way they are encoded in order to reduce the bandwidth to fit a 10MHz channel. It is thus compatible with all distribution schemes except the older cable or VHF/UHF transmission systems. Several decoders also exist for it, and it is to be used by DBS services into the UK. A D-MAC signal may be fairly easily converted into a D2-MAC signal by deleting alternate sound channels, and reencoding them [Gar88], [Bre89], [EEE88], [Lam88].

Since the majority of domestic televisions have no provision for handling these MAC standards, they have to be converted into a suitable standard (one of PAL, NTSC or SECAM) for use on these sets. Such decoders are now (or will shortly be) available at reasonable cost.

In Europe future HDTV broadcast standards will most likely be based on these MAC standards, as they were devised with extension to HDTV as a consideration [For88].

2.3. Scrambling Technology

Scrambling Technology describes the way in which the video, sound and data components of the TV signal are scrambled such that non-subscribers gain no benefit from them. These techniques may be separated into those used on the video signal, and those on the sound.
Data, if present, is generally handled by one or the other of these depending on whether it has been combined with the video signal (on the vertical blanking interval in a form similar to that used for teletext), or supplied as a separate digital data stream. A general discussion of various scrambling techniques may be found in [LFM84], [ElS88], [Eme88].

2.3.1. Video

Techniques for analog video scrambling may be partitioned into low and high security schemes. The low security schemes are the ones generally in use on the older cable systems, and for which methods of breaking them have become fairly well known. They include:

o reverse traps and traps. A trap which removes pay channels is installed before the signal is supplied to the consumer, and is removed only when they pay a subscription. Alternatively, pay channels may have an interfering signal sent with them, which needs to be removed by a trap filter supplied only to subscribers. It may be defeated by illicitly removing or adding a trap, as required.
o sync suppression - where the sync information in the video signal is suppressed, blurring the start location of each line. There are a number of variants of this including sine wave, pulse, and tri-level systems. A reference signal is transmitted on either the sound sub-carrier, or a separate sub-carrier to recover these signals. All are insecure, and decoders exist to break them [CCC86].
o total video inversion - where the video intensity signal is inverted. The descrambler is only provided to subscribers. However building such a descrambler is fairly easy.
o random line video inversion - here a selection of lines have their video inverted, whilst others are normal. The selection of lines is done by some algorithm based on a key sent either with the TV signal, or supplied separately.
  It is usually combined with sync suppression, and the sync information is replaced by the control data to decode the signal. This is the most secure of the lower security scrambling schemes.

The high security schemes are now coming into use on DBS and the latest cable services. The decoders for these are more complex, but they provide a much greater level of security. The electronics needed to convert a MAC transmission signal into PAL or NTSC can be easily extended to include one of these scrambling options. This is why most of the newer MAC schemes come with one of the following scrambling options as standard. These methods may be used either on PAL/NTSC type signals, or on MAC schemes. However when used on PAL/NTSC schemes, they may be more susceptible to noise on the delivery system, and result in a lower quality recovered picture than when used on MAC schemes unless special care is taken with the receiver design (footnote 1) [ElS88].

o time reversal - where randomly selected lines are transmitted in reverse order. This method may not totally obscure the picture, but does render it fairly unwatchable. It is appropriate for services which may wish to "tease" the user, but is not suitable for services which should be totally obscured unless subscribed to.
o line translation - is where the length of the padding at the start of each line is altered, with the effect of randomly moving the start position of each line when viewed scrambled. The size of translation is determined by a pseudo-random generator controlled by a key distributed to subscribers only. The average translation over a frame equals the correct line blanking interval, so that the size of a TV frame is as normal. This method is used in the Australian B-MAC system, and it has a high level of security (footnote 2).
o line rotation (or line cut and rotation) - where each line of video is cut, and the sections interchanged. Generally with PAL transmissions only one cut is used, whilst with MAC transmissions two cuts are used, one in each of the luminance and chrominance sections [LFM84]. This method does totally obscure the picture transmitted. This is the technique to be used by some of the European DBS services [Fox88], [Fox89b], [Fox89a].
o line shuffling - is a method whereby lines of the picture are randomly shuffled in order before transmission. This is probably the most secure method of scrambling available for analog video, but a decoder for it requires a full frame buffer, a costly item at present. A variant partitions the frame into a number of blocks of lines, and only shuffles lines within a block. This reduces the amount of memory required, and thus the cost of the decoder. It is the method used by the Fordray scheme.

____________________
1 from private discussions with a Communications Engineer from the Dept. of Transport and Communications.
2 I have been told that a Dept. of Transport and Communications engineer has succeeded in descrambling the picture without the key, but only the video is recovered, and not well. It is unlikely that this would pose a commercial threat.

The sequences of keys which control the above scrambling algorithms are generally created either by a pseudo-random number generator or by DES in a cycling mode, frequently reinitialized with a key provided by the key management system. These techniques are also used to encrypt digital sound and data, and are detailed below.

2.3.2. Audio

Scrambling methods for the audio or sound channel may be further divided into analog and digital methods [ElS88]. Sound is traditionally transmitted as an analog component in FDM distribution schemes, and thus analog sound scrambling tends to be used on the older cable networks.
Analog methods include:

o spectral inversion - whereby the intensities at various frequencies are inverted (ie intensity of highest frequency becomes the lowest and vice versa). This is a low security method which was used on some early cable systems, but is easily defeated.
o time segmentation - where the sound is partitioned into segments which are then shuffled. Depending on how good the decoder hardware is, there may be problems in the recovered sound.

Digital sound transmission is used on all of the TDM distribution schemes. It may also be added to the older FDM schemes, usually in the vertical retrace and sync periods, along with other data. The NICAM 728 standard developed by the BBC, and for which a number of decoders exist, is coming into use in Europe for this, where it is required [ElS88]. If the sound is transmitted digitally, then well known digital stream encryption technology may be used. A stream cipher adds the digital data to a key stream provided by some generator, whilst the receiver reverses this operation. The two most common classes of generators used are:

o pseudorandom number generators - with a frequent key update. This is the faster of the two alternatives presented here, but can be less secure unless a good choice of generator is made (either non-linear feedback shift registers, or multiplexed linear feedback shift registers should be used), and the key is changed fairly frequently (of order seconds) [WrE86]. This is handled by the key distribution scheme as detailed in the next section.
o a block cipher used in a stream mode. Most commonly DES is the block cipher of choice if the algorithm is public, otherwise a proprietary cipher may be used. This method is considerably slower than using a pseudorandom generator, but is believed to be very secure.
  However the cost of high speed DES chips will probably preclude its use as the primary encryption scheme (it will most likely be used as part of the key distribution scheme).

These schemes are very high security, and are unlikely to be broken directly, unless the keys are obtained illicitly (a problem considered in the next section).

2.4. Key Management and Distribution Method

This deals with algorithms by which the keys which are required by subscribers to descramble the Pay-TV signal are created and distributed to the subscribers only. The issue of subscriber management, that is, the receipt of customer subscriptions, and equipment authorizations via an Equipment Authorization Centre, is outside the scope of this report. Some of the issues are canvassed in [Cut88], [Edw84].

There are three broad categories of key distribution methods: physical unit installation, broadcast addressing of decoders, or smart card tokens.

o physical unit installation - in low security systems, either a trap is, or is not, installed in the cable leading to a subscriber's premises, or decoders are only provided to subscribers. In any case, since a physical unit is involved, it may be tampered with or duplicated. This is not regarded as a suitable option on modern systems.
o broadcast addressing of decoders - is where part of the control data transmitted with the pay-TV signal is addressed to specific decoders, supplying them with the keys necessary to receive particular programs. In these schemes every decoder has a special key, stored in tamper-proof hardware, which is used to secure messages sent to it. These messages provide, via one of several methods, the keys needed to descramble the services subscribed to [Cut88]. The tamper-proof device in these decoders is functionally very similar to that provided in a smart-card, which can be viewed as a replaceable tamper-proof device. They perform very much the same function.
  Variations of this method are used in the Australian B-MAC scheme, and in the D-MAC and D2-MAC Eurocypher schemes. Problems can occur with these schemes when very large numbers (millions) of decoders need to be addressed. Various solutions to these problems are being incorporated in the systems in use, which involve grouping sets of decoders and addressing them as a group in a single message [Mas84], [Mas88].
o smart card tokens - may be used either as an alternative to broadcasting keys along with the Pay-TV service, or as a replaceable tamper-proof device in the decoders in conjunction with over-air authorization. In the first case a smart card is purchased which contains the session key for a given month. Since a smart-card is a tamper-proof device, these keys are secure from reading and copying in general. These keys would be updated when the subscriber purchases more time. It can also be used to store a notional value for pay-per-view services purchased on impulse by the subscriber, which needs to be renewed when it runs out. This is the scheme to be used by the Eurocrypt system. In the second alternative, the smart card is used as a replaceable tamper-proof device, to provide additional anti-piracy control. However the use of a smart card involves additional expense, both in the provision of the cards, and of the interface to them in the decoder [Edw84], [WrE86].

3. Systems Proposed or In Use

A number of pay-TV schemes are in use, or proposed at present. This section will ignore the lower security schemes used on the older cable networks in the US, and concentrate on the more recent higher security schemes. The technology choices are summarised and compared in Table 1, and detailed below.

Discret-1
    A system used in the SECAM-L Canal Plus network in France.
    It uses line translation to scramble the video signal, and spectral inversion to scramble the sound. This provides a moderate level of security, with a number of decoders available. Variants are used by Suisse-Romande in Switzerland using PAL-B/G, and by the BBC in the UK using PAL-I for downloading medical programs [ElS88], [Hun89].

Matsushita
    A system used by Filmnet in Europe for DBS via the Astra satellite. It uses video inversion of alternate frames plus sync suppression to scramble the video. Control data authorizing decoders is carried on a separate sub-carrier. I believe the sound is not scrambled. As implemented at present, it is not a very secure system, and decoders exist to bypass it [Hun89], [Gre89].

Videocipher I
    This system uses line shuffling to scramble the video signal, controlled by a DES derived shuffling key. The sound is transmitted digitally, and is also encrypted using DES. This scheme is used on some US CBS satellite network feeds, but the decoder is too expensive for use in a Pay-TV scheme.

Videocipher II
    This was developed for cable schemes and is widely used in the US. It uses random line inversion and sync stripping to scramble the video signal, along with a shift of the colour burst signal to scramble the colour information. Sound is transmitted digitally, encrypted using DES, during the vertical retrace and sync intervals, along with the control data to recover the signal. This is a fairly secure system, save for a flaw in the key distribution mechanism which has been exploited by some illegal decoders in the US [Hsi88], [Eme88].

Eurocypher
    This is a modification of the Videocipher II scheme [Egl89], [Fox89b]. It is to be used for the UK DBS service, and has been converted to use the D-MAC transmission standard.
    Active line rotation is used to scramble the video, and pseudorandom generators are used to encrypt the sound and generate the video scrambling keys. The keys to initialize the pseudorandom generators are to be transmitted over the air, addressed to each decoder (or group of decoders). Decoders are expected to cost about £100.

Eurocrypt
    This scheme uses line rotation to scramble the video signal, and encryption of the digital sound using a pseudorandom number generator [Hun89]. It is to be used by some European DBS services, using the D-MAC transmission standard. The keys used to descramble the video signal will be distributed using a smart-card, which will need to be changed at regular intervals. Decoders are expected to cost about £100.

Palcrypt
    (also known as Videocrypt). This system is to be used by Sky TV for its encrypted Astra DBS services. It is a variant of Eurocrypt adapted for the PAL delivery system, which also uses smart cards to provide the authorization keys [Fox89a]. Decoders are expected to cost about £100.

AUSSAT B-MAC
    The B-MAC scheme, as implemented in Australia via Aussat, includes a scrambling system. It uses line translation to scramble the video MAC components, controlled by a pseudorandom generator, also used to scramble the digital sound. Keys are distributed over the air, addressed to each decoder individually. The security of this scheme depends on the key distribution encryption scheme, which uses a proprietary algorithm (said to be very secure) [DDD84].

Fordray Scheme
    This is a system recently developed in Australia by Fordray Electronics for use in either DBS, Cable or MDS delivery systems. It is based on the PAL transmission standard, using the same 5MHz bandwidth as it, and suffering no worse degradation than a conventional PAL signal in the same circumstances.
    It uses line shuffling and selective video inversion of blocks of 52 lines, controlled by keys sent during the vertical blanking interval. Decoders are authorized over the air, and may be placed in a hierarchy of groups to handle the problem of addressing large numbers of decoders. Provision is also made for a smartcard interface for pay-per-view applications, though payments may also be authorized over the air. The security of this scheme should be very high, and the decoders are quite cheap ($120 to $200 in quantity) (footnote 3).

There are some other systems under development, but technical details on them, to enable a comparison to be made, are unavailable to the author at present.

Table 1 - A Comparison of Modern Pay-TV Schemes

+----------------+-----------+----------------------------------+-----------+--------------------+----------+------+
| Scheme         | Transmit  | Scrambling System                            | Key Management System         | Cost |
|                | Standard  | Technology                       | Security  | Technology         | Security |      |
+----------------+-----------+----------------------------------+-----------+--------------------+----------+------+
| Discret-1      | SECAM/PAL | line translation                 | mid       | over air           | mid      | low  |
| Matsushita     | PAL       | video inversion/sync suppression | low       | over air           | low      | low  |
| Videocipher I  | NTSC      | line shuffling                   | very high | over air           | high     | high |
| Videocipher II | NTSC      | line inversion/sync suppression  | high      | over air           | high (4) | low  |
| Eurocypher     | D-MAC     | line rotation                    | high      | over air           | high     | low  |
| Eurocrypt      | D-MAC     | line rotation                    | high      | smartcard          | high     | low  |
| Palcrypt       | PAL       | line rotation                    | high      | smartcard          | high     | low  |
| AUSSAT         | B-MAC     | line translation                 | high      | over air           | high (4) | mid  |
| Fordray        | PAL       | line shuffling/line inversion    | very high | over air/smartcard | high     | low  |
+----------------+-----------+----------------------------------+-----------+--------------------+----------+------+

____________________
3 these details were obtained from a conversation with Warwick Ford, Managing Director of Fordray Electronics, Orange, NSW.
4 these schemes can be partially broken due to design flaws, but not in a commercially significant manner.

4. Conclusion

In this survey paper I have considered the various alternatives available for the provision of a pay-TV service in Australia. In particular, the technical alternatives available for the delivery, transmission, scrambling and key management components are presented. Then a selection of systems in, or proposed for, use are compared, with a particular emphasis on their security.

Acknowledgements

To George Gerrity, Andrzej Gościński, and Mike and Cathy Newberry, for their help and suggestions. Thank you.

This work has been supported by Telecom Australia Research Contract 7027.

References

[Bre89] M. D. Brett, "A Multi-Standard MAC Decoder," Electronic Technology, vol. 23, pp. 36-38, February 1989.
[Bri88] M. Bridle, "Satellite Broadcasting in Australia," IEEE Transactions on Broadcasting, vol. 34, no. 4, pp. 425-429, December 1988.
[CCC86] Descrambler Manual, Cabletronics, 1986.
[Cut88] D. J. Cutts, "Subscription Management in Satellite TV Services in Europe - Structure and Objectives," International Broadcasting Convention 1988, vol. 293, pp. 333-335, IEE, London, 1988.
[DDD84] "Transmission Standard for the Homestead and Community Broadcasting Satellite Service (HACBSS)," DOC 511, Department of Communications, November 1984.
[DDD89] "Pay Television Systems and Technology," in Future directions for Pay Television in Australia, Dept. Transport and Communications, Canberra, Australia, 1989. Nat. Lib NL 384.55470994 A 93839.
[Edw84] S. M. Edwardson, "Scrambling and Encryption for Direct Broadcasting by Satellite," Secure Communications Systems, vol. 231, pp. 71-78, IEE, London, February 1984.
[Egl89] D. Eglise, "Eurocypher," Electronics and Wireless World, p. 366, April 1989.
[EEE88] ITT satellite chips for BSB, p. 778, Electronics and Wireless World, August 1988.
[ElS88] S. R. Ely and S. R. Shuttleworth, "Conditional Access Scrambling Techniques for Terrestrial UHF Television Broadcasts," International Broadcasting Convention 1988, vol. 293, pp. 318-322, IEE, London, 1988.
[Eme88] D. Emery, "Scrambling of Pay TV channels," Usenet news article from sci.crypt, rec.video, 3 May 1988.
[For88] R. J. Forrest, "Commercial Satellite Broadcasting for Europe," IEEE Transactions on Broadcasting, vol. 34, no. 4, pp. 443-447, December 1988.
[Fox88] B. Fox, "Coded television adds to the turmoil in broadcasting," New Scientist, 5 November 1988.
[Fox89a] B. Fox, "Satellite Broadcasters clutter up the Living Room," New Scientist, p. 40, 14 January 1989.
[Fox89b] B. Fox, "DBS - Countdown to Chaos," Electronics and Wireless World, pp. 154-155, February 1989.
[Gar88] P. N. Gardiner, "The UK D-Mac/Packet Standard for DBS," IEEE Transactions on Consumer Electronics, vol. 34, no. 1, pp. 128-136, February 1988.
[Gre89] M. Greatorex, "Analogue De-Scrambler: Experimental De-Scrambler for the Matsushita Encryption Scheme," Electronics and Wireless World, pp. 364-365, April 1989.
[Hsi88] J. C. Hsiung, "C-Band DBS: an Analysis of the US Scrambling Issue," Telecommunications Policy, pp. 77-86, March 1988.
[Hun89] F. Huntingford, "Scrambling Television," Electronics and Wireless World, pp. 362-363, April 1989.
[Kon88] Y. Konishi, "Special Issue on Satellite Broadcasting," IEEE Transactions on Broadcasting, vol. 34, no. 4, pp. 421-424, December 1988.
[Lam88] R. Lambley, "Multi-MAC for Astra," Electronics and Wireless World, pp. 504-505, May 1988.
[LFM84] N. Lodge, B. Flannaghan and R. Morcom, "Vision Scrambling of C-Mac DBS Signals," Secure Communications Systems, vol. 231, pp. 59-65, IEE, London, February 1984.
[Luc85] K. Lucas, "B-Mac: a Transmission Standard for Pay DBS," SMPTE Journal, pp. 1166-1172, November 1985.
[Mas84] A. G. Mason, "A Pay-Per-View Conditional Access System for DBS by Means of Secure Over-Air Credit Transmissions," Secure Communications Systems, vol. 231, pp. 66-70, IEE, London, February 1984.
[Mas88] A. G. Mason, "Conditional Access for Broadcasting," International Broadcasting Convention 1988, vol. 293, pp. 328-332, IEE, London, 1988.
[Sau89] J. Saunderson, "To Pay or Not to Pay?," Report, House of Representatives Standing Committee on Transport, Communications and Infrastructure, Canberra, Australia, November 1989.
[WrE86] D. T. Wright and S. M. Edwardson, "Key Management in Broadcast Conditional Access Systems," Secure Communications Systems, vol. 269, pp. 104-109, IEE, London, October 1986.
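
Added example (not part of the original report): a sketch of the block line shuffling with selective inversion that section 2.3.1 and the Fordray entry in section 3 describe, showing that the decoder needs to buffer only one block of lines rather than a full frame. HMAC-SHA256 in counter mode stands in for the report's key-driven generator, and the per-line inversion flag, 8-bit samples, key and test picture are assumptions made for the illustration.

```python
import hashlib
import hmac

LINES_PER_BLOCK = 52   # block size the report quotes for the Fordray scheme
WHITE = 255            # assumed 8-bit sample range (illustration only)


def keyed_generator(key, frame_no):
    """Yield 32-bit integers from HMAC-SHA256 in counter mode.

    Stand-in for the report's key-driven generator; restarting it for every
    frame models the frequent reinitialisation from the key management system.
    """
    counter = 0
    while True:
        msg = frame_no.to_bytes(8, "big") + counter.to_bytes(8, "big")
        digest = hmac.new(key, msg, hashlib.sha256).digest()
        for i in range(0, len(digest), 4):
            yield int.from_bytes(digest[i:i + 4], "big")
        counter += 1


def block_plan(gen, n):
    """Draw a permutation of n line slots (Fisher-Yates) and n inversion flags."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = next(gen) % (i + 1)   # small modulo bias, ignored in this sketch
        perm[i], perm[j] = perm[j], perm[i]
    flags = [next(gen) & 1 for _ in range(n)]
    return perm, flags


def invert(line):
    """Video inversion of one line of samples."""
    return [WHITE - s for s in line]


def scramble_frame(lines, key, frame_no):
    """Shuffle lines within each block and invert the flagged ones."""
    gen = keyed_generator(key, frame_no)
    out = []
    for start in range(0, len(lines), LINES_PER_BLOCK):
        block = lines[start:start + LINES_PER_BLOCK]   # last block may be short
        perm, flags = block_plan(gen, len(block))
        for slot, src in enumerate(perm):
            out.append(invert(block[src]) if flags[slot] else list(block[src]))
    return out


def descramble_stream(scrambled, key, frame_no):
    """Restore line order while buffering at most one block of lines."""
    gen = keyed_generator(key, frame_no)
    buf = []

    def restore():
        perm, flags = block_plan(gen, len(buf))   # same draws as the scrambler
        block = [None] * len(buf)
        for slot, src in enumerate(perm):
            block[src] = invert(buf[slot]) if flags[slot] else buf[slot]
        return block

    for line in scrambled:
        buf.append(line)
        if len(buf) == LINES_PER_BLOCK:
            yield from restore()
            buf.clear()
    if buf:                                       # short final block
        yield from restore()


def sample_frame(n_lines=576, width=8):
    """Constructed test picture: every line is distinct within its block."""
    return [[(7 * y + 13 * x) % 256 for x in range(width)] for y in range(n_lines)]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    frame = sample_frame()
    scrambled = scramble_frame(frame, key, frame_no=1)
    print("picture obscured:", scrambled != frame)
    print("right key restores:", list(descramble_stream(scrambled, key, 1)) == frame)
    print("wrong key restores:", list(descramble_stream(scrambled, b"other", 1)) == frame)
```

Because lines never leave their block, a scrambled picture keeps its coarse top-to-bottom layout; the full-frame shuffle avoids this at the cost of the frame buffer the report mentions.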
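
Added example (not part of the original report): the broadcast addressing of section 2.4 with decoders addressed in groups, counting the messages needed per key period and the cost of removing one decoder from a group. The message layout, key sizes, class names and the HMAC-based key wrapping are assumptions; the report does not specify them.

```python
import hashlib
import hmac
import os

TAG_LEN = 8   # truncated MAC length, chosen for this sketch


def keystream(key, label, n):
    """HMAC-SHA256 counter-mode keystream (stand-in for the real cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"ks" + label + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def wrap(key, label, payload):
    """Encrypt and authenticate a key; label must never repeat under one key."""
    ct = bytes(a ^ b for a, b in zip(payload, keystream(key, label, len(payload))))
    tag = hmac.new(key, b"mac" + label + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def unwrap(key, label, blob):
    """Return the wrapped key, or None if `key` did not produce this message."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    good = hmac.new(key, b"mac" + label + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, label, len(ct))))


class Decoder:
    """Holds a unique key; learns group and service keys from the broadcast."""

    def __init__(self, ident, unique_key, group):
        self.ident, self.unique_key, self.group = ident, unique_key, group
        self.group_key = self.service_key = None

    def receive(self, msg):
        kind, address, label, blob = msg
        if kind == "decoder" and address == self.ident:
            self.group_key = unwrap(self.unique_key, label, blob) or self.group_key
        elif kind == "group" and address == self.group and self.group_key:
            self.service_key = unwrap(self.group_key, label, blob) or self.service_key


class HeadEnd:
    """Authorisation centre: one unique key per decoder, one key per group."""

    def __init__(self, n_decoders, group_size):
        self.unique_keys = [os.urandom(16) for _ in range(n_decoders)]
        self.group_of = [i // group_size for i in range(n_decoders)]
        self.authorised = set(range(n_decoders))
        self.group_keys, self.epoch = {}, 0

    def make_decoders(self):
        return [Decoder(i, k, self.group_of[i]) for i, k in enumerate(self.unique_keys)]

    def rekey_group(self, group):
        """Fresh group key, sent individually to each authorised member."""
        self.epoch += 1
        label, gk = b"GK%d" % self.epoch, os.urandom(16)
        self.group_keys[group] = gk
        return [("decoder", i, label, wrap(self.unique_keys[i], label, gk))
                for i in sorted(self.authorised) if self.group_of[i] == group]

    def new_service_key(self, period):
        """One message per group carries the service key for this period."""
        label, sk = b"SK%d" % period, os.urandom(16)
        return sk, [("group", g, label, wrap(gk, label, sk))
                    for g, gk in self.group_keys.items()]

    def revoke(self, ident):
        """Dropping one decoder forces a new key for its whole group."""
        self.authorised.discard(ident)
        return self.rekey_group(self.group_of[ident])


def broadcast(decoders, msgs):
    """Every decoder sees every message; returns the number of messages sent."""
    for msg in msgs:
        for decoder in decoders:
            decoder.receive(msg)
    return len(msgs)


if __name__ == "__main__":
    head_end = HeadEnd(n_decoders=200, group_size=20)
    decoders = head_end.make_decoders()
    print("setup messages:", broadcast(decoders, [m for g in range(10) for m in head_end.rekey_group(g)]))
    print("per-period messages:", broadcast(decoders, head_end.new_service_key(1)[1]))
    print("messages to revoke one decoder:", broadcast(decoders, head_end.revoke(7)))
```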