[Cryptography] End-to-End, One-to-Many, Encryption Question

John McCormac jmcc at hackwatch.com
Sun Jun 15 05:59:47 EDT 2014


On 12/06/2014 01:49, Kent Borg wrote:
>
> An attempt to restate the question:
>
>   Is there a way to encrypt once with key A, super-encrypt with key B1
> (not knowing any other keys), and finally decrypt with key C1 (not
> knowing any other keys)?  Or, super-encrypt with key B2, then decrypt
> with key C2?
>
> In some respect this is a satellite TV subscription problem, with an
> on-demand component.
>

A lot of the satellite TV Conditional Access systems depend on 
implementing session/limited time keys and a heartbeat system (a 
subscriber ID had to be in a data stream (encrypted) of IDs sent out by 
the headend and if not the smartcard/decoder would stop decoding). Some 
of the thinking was geared towards breaking down the subscribers and 
their smartcards/set top boxes into groups so that a compromise of a 
card in one group would effectively be limited to that group only and 
would not spread to other groups. ( 
http://www.google.com/patents/US20020133701 ) The initial theory behind 
the use of smartcards in satellite TV systems was focused on each 
smartcard issue having a limited (6 months) lifespan before being 
replaced. It was supposed to have provided a moving target for attackers 
rather than the sitting duck that previous systems had become. Upgrading 
the non-smartcard systems generally involved a complete hardware 
replacement of the subscriber's set top box/decoder and consequently the 
countermeasures were limited to tweaks and patches that didn't break the 
system. As the subscriber numbers grew in the smartcard based systems, 
the logistics and costs of such replacements grew accordingly so that 
the smartcard lifespan increased. This proved fatal for some systems.

News Datacom had a few patents on such systems because of a 
vulnerability that I wrote about in the early 1990s that is still being 
exploited today. ( http://www.google.com/patents/US7436953 
http://www.google.com/patents/US5590200 ) This is one patent that deals 
with more recent countermeasures: 
http://www.google.com/patents/US20130031576

Many smartcard based systems have been vulnerable to having the 
decrypted key (the decoder sends the encrypted key to the subscriber's 
smartcard and the smartcard, if enabled, decrypts the key and returns it 
to the decoder) shared so that one smartcard can effectively run a 
multitude of decoders. The initial solution was to introduce a card 
pairing approach so that only one smartcard could be used with a single 
decoder. That seems to have had a few problems. Other approaches have 
been to encrypt traffic across the vulnerable smartcard/decoder interface.

Many CA systems approach the problem by using multiple keys with limited 
lifespans and a heartbeat type system (an Alice originated encrypted 
datastream that includes only encrypted valid subscriber IDs or 
hashes/entitlement management data), with the Charlie key being used with 
validation data (and/or entitlement management data) from the Alice 
datastream to produce the required Charlie session key to decrypt the 
data.  With CA systems, since the end-user theoretically did not have 
access to the decrypted entitlement management data and the smartcard 
was supposed to be a blackbox, it was possible for Alice to set the 
entitlements for Charlie's smartcard/access. The Fiat-Shamir Zero 
Knowledge proof was used with one early smartcard based CA system 
(VideoCrypt) to have the card authenticate itself to the decoder and 
prove it was not a fake card but it apparently had implementation 
issues. However in a system where keys are being shared, the attacker 
would only need to send the correct response data along with the key 
data because a real card is effectively being used in parallel in all 
decoders.

Alice's real problem in such a system is in detecting which Charlies 
have been compromised and are sharing the same key to decrypt the data. 
From a Conditional Access point of view, such a cloud based system 
would have higher risks because the software used by Charlie-[0-n] would 
be, theoretically, in the hands of an attacker and would potentially be 
easier to reverse-engineer as there are no hardware elements involved. 
Unlike a CA system, it might be a lot easier to exclude a compromised 
Charlie from this system because it would have elements (IP addresses 
etc) that could be used to control access.

It does seem to be more a key handling/entitlements system problem than 
a purely cryptographic one. It might be a good thing to read some of the 
specification documents on satellite TV Conditional Access systems to 
see how such systems are implemented. Closing the loop (having each 
Charlie authenticate/connect with Bob or Alice) would be one way of 
helping solve this problem. A time sensitive element would also be 
essential for securing such a system. That way any compromise short of a 
catastrophic failure would be a finite lifespan compromise. But if it is 
critical data that's at risk, then any compromise might be considered 
catastrophic.

Regards...jmcc
-- 
**********************************************************
John McCormac  *  e-mail: jmcc at hosterstats.com
MC2            *  web: http://www.hosterstats.com/
22 Viewmount   *  Domain Registrations Statistics
Waterford      *  And Historical DNS Database.
Ireland        *  Over 392 Million Domains Tracked.
IE             *  http://www.hosterstats.com/blog
**********************************************************
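As an added illustration (not code from the post or from any real CA system), here is a toy Python model of the grouping, heartbeat and limited-lifetime key ideas the message describes: Alice's headend wraps the content key once per group and per epoch, each card receives its group key only while its ID is in the heartbeat, and revoking a compromised card rekeys only its own group. The names Headend, Card, emm, ecm and scenario are assumptions, and the XOR wrap stands in for a real cipher.

```python
import hashlib
import hmac
import secrets
# Added illustration, not code from the post: a toy conditional-access key hierarchy.
# Class/function names are made up; the XOR "wrap" stands in for a real block cipher.

def kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()  # per-purpose, per-epoch subkey

def wrap(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, kdf(key, b"wrap")))  # XOR keystream, no integrity

class Headend:  # Alice: one key per subscriber group, one card key per smartcard
    def __init__(self, groups):
        self.group_keys = {g: secrets.token_bytes(16) for g in groups}
        self.cards, self.revoked = {}, set()  # card_id -> (group, card_key)
    def issue_card(self, card_id, group):
        self.cards[card_id] = (group, secrets.token_bytes(16))
        return self.cards[card_id][1]
    def emm(self, epoch):  # heartbeat: each still-entitled card gets its group key under its card key
        return {cid: wrap(kdf(ck, b"emm%d" % epoch), self.group_keys[g])
                for cid, (g, ck) in self.cards.items() if cid not in self.revoked}
    def ecm(self, epoch, control_word):  # content key wrapped once per group, bound to the epoch
        return {g: wrap(kdf(gk, b"ecm%d" % epoch), control_word) for g, gk in self.group_keys.items()}
    def revoke(self, card_id):  # compromise: drop the card's heartbeat and rotate only its group's key
        self.revoked.add(card_id)
        self.group_keys[self.cards[card_id][0]] = secrets.token_bytes(16)

class Card:  # Charlie's smartcard: decodes only while its ID appears in the current heartbeat
    def __init__(self, card_id, group, card_key):
        self.card_id, self.group, self.card_key = card_id, group, card_key
    def control_word(self, epoch, emm, ecm):
        if self.card_id not in emm:
            return None  # no heartbeat entry this epoch: the card stops returning keys
        group_key = wrap(kdf(self.card_key, b"emm%d" % epoch), emm[self.card_id])
        return wrap(kdf(group_key, b"ecm%d" % epoch), ecm[self.group])

def scenario():
    """(decodes before revocation, result after revocation, other group still fine, leaked key reusable)"""
    hq = Headend(["G1", "G2"])
    c1 = Card("C1", "G1", hq.issue_card("C1", "G1"))
    c2 = Card("C2", "G2", hq.issue_card("C2", "G2"))
    cw, leaked = secrets.token_bytes(8), hq.group_keys["G1"]  # attacker dumps G1's key from C1
    before = c1.control_word(1, hq.emm(1), hq.ecm(1, cw)) == cw
    hq.revoke("C1")  # Alice detects the shared key and cuts C1 out, rekeying G1 only
    ecm2 = hq.ecm(2, cw)
    after = c1.control_word(2, hq.emm(2), ecm2)
    other = c2.control_word(2, hq.emm(2), ecm2) == cw
    reusable = wrap(kdf(leaked, b"ecm2"), ecm2["G1"]) == cw
    return before, after, other, reusable
```

Running scenario() shows the revoked card going dark, the other group continuing without a rekey, and the key dumped before revocation failing against the next epoch's ECM.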
