On Fri, Apr 08, 2005 at 12:21:35AM +0100, Stephen Boddy wrote: > Sorry, perhaps I'm being dense here, but if you were not using a "trusted" > platform, and had access to the keys and the algorithms for decryption with > the keys, couldn't the software just ignore revocation list?
That's why this is done in hardware. We have 3 components. (Though I have not read the depths of the cablecard spec, this is how most of these systems are designed to work.) There is the cablecard itself, provided and authorized by the cable company with the keys needed to be able to decrypt video streams, and programmable by the cable company to say what streams you are allowed to decrypt -- ie. have you paid for HBO, PPV program, etc. This is locked hardware, you can't get into it except through its official interfaces (or with fancy cracking equipment.) There is the hardware/slot the cablecard plugs into. This is part of some 3rd party vendor's box -- a TV set, a Tivo, a PCI Card in a Windows MCE box. It does the hardware interfaces to the cablecard, and feeds the cablecard the encrypted stream of data the user has tuned. (Those streams include commands to enable and disable functionality for example.) Then there is the software that control the "slot." The cablecard won't hand over the keys to decrypt a video stream to just any slot or software. It wants proof that the hardware and software its talking to are "approved." To get approved, you must be certified, and then they give you some keys signed by their root certificate which the cablecard is coded to trust. Don't have such a certificate, or have a revoked one, and the cablecard won't help you, you can't decrypt the streams. What I haven't read in depth here is they might have moved around some of the levels where some of this happens. Since all the levels are certified and trusted, you can _in theory_ do things at any level, but since the software level is the least robust, you prefer to do the security at the lower hardware levels. You are forced to feed the encrypted streams into the cablecard, and those streams include commands to enable and revoke access. You can't really stop them from getting through to it. All of this is generally designed for "secure" boxes like a Tivo or other commercial PVR. MCE will be the big exception if it doesn't run under palladium. One trick they could pull is they could make a PCI slot card with some TCPA functions. The card could contain, for example, ram, in which only trusted software is allowed into the ram, and only programs executing out of the ram can access the keys. The ram would be slow, of course, but it would not be asked to do too much. Presumably the card would feature decryption hardware. Or the card must simply be able to instrument the PCI bus to be able to be sure the PC itself is not compromised. With DMA it could do hashes of regular system ram and assure it's still running trusted code, that sort of thing. I don't know what tricks they plan, or if they need any of these tricks, because they may feel key revocation is sufficient security. It probably is.
_______________________________________________ mythtv-users mailing list [email protected] http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users
