[Cryptography] End-to-End, One-to-Many, Encryption Question
John McCormac
jmcc at hackwatch.com
Sun Jun 15 05:59:47 EDT 2014
On 12/06/2014 01:49, Kent Borg wrote:
>
> An attempt to restate the question:
>
> Is there a way to encrypt once with key A, super-encrypt with key B1
> (not knowing any other keys), and finally decrypt with key C1 (not
> knowing any other keys)? Or, super-encrypt with key B2, then decrypt
> with key C2?
>
> In some respect this is a satellite TV subscription problem,
> with an on-demand component.
>
A lot of the satellite TV Conditional Access systems depend on
implementing session/limited time keys and a heartbeat system (a
subscriber ID had to be in a data stream (encrypted) of IDs sent out by
the headend and if not the smartcard/decoder would stop decoding). Some
of the thinking was geared towards breaking down the subscribers and
their smartcards/set top boxes into groups so that a compromise of a
card in one group would effectively be limited to that group only and
would not spread to other groups
( http://www.google.com/patents/US20020133701 ). The initial theory behind
the use of smartcards in satellite TV systems was focused on each
smartcard issue having a limited (6 months) lifespan before being
replaced. It was supposed to have provided a moving target for attackers
rather than the sitting duck that previous systems had become. Upgrading
the non-smartcard systems generally involved a complete hardware
replacement of the subscriber's set top box/decoder and consequently the
countermeasures were limited to tweaks and patches that didn't break the
system. As the subscriber numbers grew in the smartcard based systems,
the logistics and costs of such replacements grew accordingly so that
the smartcard lifespan increased. This proved fatal for some systems.
News Datacom had a few patents on such systems because of a
vulnerability that I wrote about in the early 1990s that is still being
exploited today. ( http://www.google.com/patents/US7436953
http://www.google.com/patents/US5590200 ) This is one patent that deals
with more recent countermeasures:
http://www.google.com/patents/US20130031576
Many smartcard based systems have been vulnerable to having the
decrypted key (the decoder sends the encrypted key to the subscriber's
smartcard and the smartcard, if enabled, decrypts the key and returns it
to the decoder) shared so that one smartcard can effectively run a
multitude of decoders. The initial solution was to introduce a card
pairing approach so that only one smartcard could be used with a single
decoder. That seems to have had a few problems. Other approaches have
been to encrypt traffic across the vulnerable smartcard/decoder interface.
Many CA systems approach the problem by using multiple keys with limited
lifespans and a heartbeat type system (an Alice originated encrypted
datastream that includes only encrypted valid subscriber IDs or
hashes/entitlement management data) with the Charlie key being used with
validation data (and/or entitlement management data) from the Alice
datastream to produce the required Charlie session key to decrypt the
data. With CA systems, since the end-user theoretically did not have
access to the decrypted entitlement management data and the smartcard
was supposed to be a blackbox, it was possible for Alice to set the
entitlements for Charlie's smartcard/access. The Fiat-Shamir Zero
Knowledge proof was used with one early smartcard based CA system
(VideoCrypt) to have the card authenticate itself to the decoder and
prove it was not a fake card but it apparently had implementation
issues. However in a system where keys are being shared, the attacker
would only need to send the correct response data along with the key
data because a real card is effectively being used in parallel in all
decoders.
Alice's real problem in such a system is in detecting which Charlies
have been compromised and are sharing the same key to decrypt the data.
From a Conditional Access point of view, such a cloud based system
would have higher risks because the software used by Charlie-[0-n] would
be, theoretically, in the hands of an attacker and would potentially be
easier to reverse-engineer as there are no hardware elements involved.
Unlike a CA system, it might be a lot easier to exclude a compromised
Charlie from this system because it would have elements (IP addresses
etc) that could be used to control access.
It does seem to be more a key handling/entitlements system problem than
a purely cryptographic one. It might be a good thing to read some of the
specification documents on satellite TV Conditional Access systems to
see how such systems are implemented. Closing the loop (having each
Charlie authenticate/connect with Bob or Alice) would be one way of
helping solve this problem. A time sensitive element would also be
essential for securing such a system. That way any compromise short of a
catastrophic failure would be a finite lifespan compromise. But if it is
critical data that's at risk, then any compromise might be considered
catastrophic.
Regards...jmcc
--
**********************************************************
John McCormac * e-mail: jmcc at hosterstats.com
MC2 * web: http://www.hosterstats.com/
22 Viewmount * Domain Registrations Statistics
Waterford * And Historical DNS Database.
Ireland * Over 392 Million Domains Tracked.
IE * http://www.hosterstats.com/blog
**********************************************************
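An added example (my own, not from the post above nor from any real CA system) of the key hierarchy the reply describes: the content is encrypted once under a control word, the control word is wrapped separately for each subscriber group and each time period (the ECM/EMM split), and a compromised group is simply never issued keys for later periods. The `Headend`/`Subscriber` classes are hypothetical, and the HMAC-based XOR keystream is a toy stand-in for a real scrambler, chosen so the example runs on the standard library alone.

```python
import hmac
import hashlib
import secrets

def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 keystream in counter mode.
    Illustration only; it stands in for the scrambler and is not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Headend:
    """Alice: owns the per-group, per-period entitlement keys and the control words."""
    def __init__(self, groups):
        self.group_keys = {g: {} for g in groups}   # group -> period -> key
        self.revoked = set()                        # groups known to be compromised

    def emm(self, group, period):
        """Entitlement management: the key a member of `group` needs for `period`.
        A revoked group never receives keys for any period issued after revocation."""
        if group in self.revoked:
            return None
        return self.group_keys[group].setdefault(period, secrets.token_bytes(32))

    def broadcast(self, period, content):
        """Encrypt once under a fresh control word (CW), then wrap that CW
        for every non-revoked group: one payload, many group-specific ECMs."""
        cw = secrets.token_bytes(32)
        ecm = {g: keystream_xor(self.emm(g, period), b"ecm", cw)
               for g in self.group_keys if g not in self.revoked}
        return {"period": period, "ecm": ecm,
                "payload": keystream_xor(cw, b"content", content)}

class Subscriber:
    """Charlie: holds only its own group's keys for the periods it was entitled to."""
    def __init__(self, group, headend, periods):
        self.group = group
        self.keys = {p: headend.emm(group, p) for p in periods}

    def decode(self, msg):
        key = self.keys.get(msg["period"])
        if key is None or self.group not in msg["ecm"]:
            return None   # no entitlement for this period, or group was excluded
        cw = keystream_xor(key, b"ecm", msg["ecm"][self.group])
        return keystream_xor(cw, b"content", msg["payload"])
```

Because every period uses a fresh control word and fresh group keys, a leaked key only exposes that period's traffic for that group, which is the "finite lifespan compromise" the reply describes.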