CI Plus Limited Liability Partnership (LLP)
www.ci-plus.com
CI Plus Overview
11th November 2011
2 / 29 www.ci-plus.com - CI Plus LLP, file: ci-plus_overview.ppt
Table of Contents
• One Page Overview of CI Plus
• History of Common Interface
• Requirements & Scope with CI Plus
• CI Plus System Overview
• CI Plus Specification
  - SAC (Secure Authenticated Channel)
  - Authentication
  - Protection of TS (Transport Stream) with CC (Content Control)
  - URI (Usage Rules Information)
  - Revocation, Shunning
  - Interactivity with MHP CA API
• CI Plus Administration
  - CI+ LLP, Certificate Agent & Test Center
  - CI+ Documentation
  - Flow Chart of Certification & Licensing
  - Licensee Overview
• Summary
• Document History
• Abbreviations
CA Conditional Access
CAM CA Module
CI Common Interface
PCMCIA Personal Computer Memory Card International Association
SC Smart Card
[Figure labels: SC, PCMCIA, CI-CAM, CA, CI]
Disclaimer: All text and images presented herein are for illustration of the principles of CI Plus only. The presentation may contain inaccuracies or errors. It does not necessarily reflect the most recent status of the technical and licence-relevant documents of CI Plus.
One Page Overview
Issue with v1 and Solution with
• 1997-02 Quite old standard EN 50221 (DVB-CI v1) with unencrypted CAM output
• 2006-09 Closed DVB TM-CIT group after missing consensus
• 2007-07 CI+ Forum founded by 6 companies
• 2008-01 CI Plus Spec v1.0 with encrypted CAM output
• 2008-11 CI+ forum replaced by CI Plus LLP
• 2009-03 Appointment of Trustcenter & Test facility
• 2011-04 DVB adopts future development of CI Plus specification
• 2011-05 SMiT becomes 7th partner in CI Plus LLP
[Figure: IDTV with PCMCIA Interface receiving an Encrypted TV Signal; outputs towards STB, Recorder, ... labelled "not encrypted" and "encrypted". Captions: "additional Usage Rules for A/D output and storage"; "Copy of original digital content is impossible!"]
History of Common Interface (CI)
1997-02: Standard DVB CI v1 (EN 50221)
1999-11: Extension ETSI TS 101 699
2002-01: EU directive for CI in IDTV with > 30cm
2006-09: Start of DVB TM-CIT group (to close security gaps with new CI v2 ...)
         Closed after missing consensus on technology
2007-07: Founding CI+ Forum by 6 companies
2007-12: CI Plus Specification draft
2008-01: CI Plus Specification v1.0
2008-11: Disbanding of CI+ Forum & creation of CI Plus LLP (UK Limited Liability Partnership)
2009-02: CI Plus Specification v1.1
2009-02: TC TrustCenter GmbH appointed
2009-03: DTV Labs Ltd. appointed test facility
2009-05: CI Plus Specification v1.2
2010-12: Negotiations about continuation of specification under DVB
2011-01: CI Plus Specification v1.3
2011-04: DVB adopts development of CI Plus spec beyond v1.3
2011-05: SMiT becomes 7th partner in CI Plus LLP
DVB-CI & CI Plus - Usage for SD/HDTV
[Figure: three SDTV usage paths. Labels: "Set-Top-Box with integrated Decryption-System"; "(Only for few content used or permitted)"; "Smart Card with DVB-CI"; "Smart Card with CI+"; "Smart Card"; "Display or IDTV"]
DVB CI - First Generation Standard v1
• CI-Module used with smartcard containing key information
• CI-Module removes the encryption of protected content
• The output of CI-Module is unencrypted
• Due to this, most content providers prefer integrated solutions because of higher security
[Figure: Encrypted Television Signal enters a Plasma / LCD IDTV; CI-Module with Smartcard on the PCMCIA Interface; module output labelled "No Encryption". Caption: "Copy of original digital content is possible"]
CI Plus - Protection of Content
• Based on existing DVB-CI Standard
• Main requirement: achieving the same level of security as embedded solutions
• CI Plus Module and Receiver
  - Calculation & usage of a secure key for content protection
  - Secure, authenticated channel for critical system messages
• The output of the module is encrypted
• Only certified devices are supported
[Figure: Encrypted Television Signal enters a Plasma / LCD IDTV; CI Plus Module with Smartcard on the PCMCIA Interface; module output labelled "Local Encryption". Caption: "Copy of original digital content is not possible!"]
CI Plus - Scope of Protection
CA Conditional Access
CC Content Control
CI Plus - Scope of Compatibility
                          Host: DVB CI                 Host: CI Plus
CA Module (CAM): DVB CI   Host & Module DVB-CI mode    Host in DVB-CI mode
CA Module (CAM): CI Plus  Module in DVB-CI mode*       Host & Module CI Plus mode

* DVB-CI mode operation permitted by network operator
CI Plus - System Overview
CA Conditional Access
CC Content Control
CI Common Interface
CAM Conditional Access Module
CI Plus - Specification History
2007-12 Specification Draft
2008-01 Specification v1.0
2009-02 Specification v1.1
2009-05 Specification v1.2
• Change number 002, effective 2009-04-23 (Security Extension)
  - Summary: Errata of v1.1, CICAM CIS CI Plus compatibility advertisement
• Change number 005, effective 2011-03-01 (Security Extension)
  - Summary: Security fix for CI Plus Host to check for “Brand ID” in a CI Plus CICAM device certificate during authentication.
2011-01 Specification v1.3
• Change number 007, effective 2012-08-01
  - Summary: Extensions of PVR related functionality, CAS protected recording removed, Parental Control Clarifications, Low Speed Communication Resource, Extended CI Tuning Resource, Operator Profile
2011-10 Specification v1.3.1
• Change number 013, effective 2012-08-01
  - Summary: Errata of v1.3, implementation guidelines
CI Plus - Specification v1.3

Chapter     Title                                        Pages
1-3         Scope, References, Definitions, ...             19
4           System Overview                                  4
5           Theory of Operation                             47
6           Authentication Mechanisms                       16
7           Secure Authenticated Channel                    12
8           Content Key Calculations                         5
9           Public Key Infrastr. & Certificate Details       9
10          Host Service Shunning                            5
11          Command Interface                               22
12          CI Plus Application Level MMI                   12
13          CI Plus MMI Resource                             4
14          Other CI Extensions                             52
Annex A...N                                                109
Total                                                      316

file: ci_plus_specification_v1.3.pdf, date: 2011-01-14
CI Plus - Specification v1.3 Change
Key changes of v1.3 compared to v1.2
• Extensions to PVR related functionality.
• CAS protected recording removed.
• Parental Control Extensions & Clarifications.
• Optimization of Low Speed Communication Resource & IP support.
• Extension to CI Tuning Resource to support Cable VOD Applications.
• Introduction of an Operator Profile.
Change Notice with References
• prng_seed per manufacturer [5.3]
• URI version 2 [5.7.5.2]
• Digital Only Token [5.7.5.3]
• Content license [5.10]
• Parental Control [5.11]
• Recording and Storage [5.12]
• Host Authentication [Table 6.3, step 13, item d]
• Certificates, Service operator ID [9.3.6]
• Host shunning, SDT absent [10.4]
• Version 2 of CC resource [11.3]
• SAS APDU clarifications [11.4, Annex M.2.1]
• MHEG profile extensions [12.8]
• Low Speed Communications v3 [14.1]
• IP connection by name [14.2.1.2]
• Application MMI clarifications [14.4]
• Application MMI File Caching [14.5]
• Host Control v2 [14.6]
• Operator Profile [14.7, Annex N]
• APDU clarifications [Annex E]
• CIS Feature Identification [G.3.2]
• Removal of PVR Resource [v1.2, 15]
Details of changes:
file: ciplus_change_notice_007.pdf, date: 2011-01-21
file: 2011-03-10_ci-plus_specification_v1.3_diff_v1.2.pdf, date: 2011-03-10
CI Plus - Protocols
1. Host Capability Evaluation: Compare CI+ versions supported by IDTV and CAM.
2. Auth Key Verification: If both sides have the same auth key, they have performed a successful authentication with each other.
3. Authentication: CI+ CAM and IDTV authenticate each other to make sure the opposite device is a valid CI+ device.
4. SAC Key Calculation: The Secure Authenticated Channel (SAC) is used for transmission of security-related messages between CAM and IDTV.
5. URI Version Negotiation: Usage Rules Information (URI) version negotiation to find a URI version that is supported on both sides.
6. URI Acknowledgement: URI transmission and acknowledgement used by CAM to send a set of usage rules information to the IDTV.
7. CC Key Calculation: Content Control (CC) key calculation used by both sides to calculate keys for scrambling / descrambling of transport stream (TS).
8. SRM Acknowledgement: System Renewability Message (SRM) transmission and acknowledgement is used from CI+ CAM to transfer SRM for HDCP and DTCP-IP to the IDTV.
CI Plus - Transport Stream Output Protection
Host and CICAM Capabilities:
• DES-56-ECB: Data Encryption Standard, 56-bit key, Electronic Code Book (USA 1999-10, Federal Information Processing Standards, FIPS 46-3)
• AES-128-CBC: Advanced Encryption Standard, 128-bit key, Cipher Block Chaining (USA 2000-10, National Institute of Standards and Technology, NIST, FIPS 197)
CI Plus - Authentication
Supported Authentication Phases per Service Mode:
• Basic Service Mode
• Registered Service Mode
  - Requires upstream communication to HE (Head End)
example:
DH = Diffie-Hellman key exchange
CI Plus - Devices & external Interfaces
IDTV Signals / Interfaces
• Analogue: PAL / NTSC / SECAM, RGB / YUV / S-Video
• Digital: HDMI / HDCP, DTCP-IP
Devices
• STB/PVR
• CI Plus
• Display
• time shifted recording (optional)
Encrypted Content, paired to receiver: the content cannot be copied without authorization.
CI Plus - Usage Rules Information (URI)
URI initial default value for host, e.g. after channel change:
• protocol version = 0x01
• emi_copy_control_info = 0b11 (Encryption Mode Indicator)
• aps_copy_control_info = 0b00 (Analog copy Protection System)
• ict_copy_control_info = 0b0 (Image Constraint Trigger/Token)
• rct_copy_control_info = 0b0 (Redistribution Control Trigger)
• rl_copy_control_info = 0b000000 (Retention Limit, default 90 min)
• reserved bits = 0b0
URI Mapping Table:
• Analog Output (MV, APS, CGMS, ICT)
• Digital Output (HDCP, DTCP, SPDIF)
• Digital Storage (AACS, CPRM, VCPS)
see e.g. Digital Transmission Content Protection, www.dtcp.com
• Specification 2007-10, rev 1.51
[Figure: URI mapped to Analog, Digital and Digital Storage]
CI Plus - Mechanisms of Revocation
Host Service Shunning
• Host shunning state determined from Service Descriptor Table (SDT)
• Shunning active: Service can only be descrambled by CI+ Module
• Shunning non active: Service can be descrambled by DVB-CI or CI+ Module
Host Revocation
• Certificate Revocation List (CRL) transmitted to CICAM black-lists a host
• Certificate White List (CWL) can revert a previous revocation of a host
• Level of revocation granularity:
  1. Unique host
  2. Range of hosts
  3. Certain model
  4. Certain brand
Revocation by CAS
• Possible, but out of CI Plus specification scope
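A minimal model of the host revocation check described above, as an added example that is not part of the original presentation or of the CI Plus specification. The entry fields, the integer device ID and the rule that a CWL match overrides a CRL match are assumptions made for illustration; the sample lists are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    brand: str
    model: str
    device_id: int  # hypothetical stand-in for the identity in the host certificate

@dataclass(frozen=True)
class Entry:
    kind: str       # "unique" | "range" | "model" | "brand" (the four granularities)
    brand: str = ""
    model: str = ""
    first_id: int = 0
    last_id: int = 0

    def covers(self, h: Host) -> bool:
        if self.kind == "unique":
            return h.device_id == self.first_id
        if self.kind == "range":
            return self.first_id <= h.device_id <= self.last_id
        if self.kind == "model":
            return (h.brand, h.model) == (self.brand, self.model)
        if self.kind == "brand":
            return h.brand == self.brand
        # Reject malformed list entries instead of silently ignoring them.
        raise ValueError(f"unknown entry kind: {self.kind!r}")

def host_status(host, crl, cwl):
    """Return (status, reason) as the CICAM would decide it in this model."""
    hits = [e for e in crl if e.covers(host)]
    if not hits:
        return "allowed", "not listed"
    # Assumption: any CWL entry covering the host reverts the revocation.
    if any(e.covers(host) for e in cwl):
        return "allowed", "white-listed"
    return "revoked", hits[0].kind

# Constructed sample lists, one CRL entry per granularity level.
CRL = [
    Entry("unique", first_id=42),
    Entry("range", first_id=5000, last_id=5999),
    Entry("model", brand="AcmeTV", model="X100"),
    Entry("brand", brand="Bogus"),
]
CWL = [Entry("unique", first_id=5500)]  # re-enables one host inside the revoked range

if __name__ == "__main__":
    for h in (Host("Other", "A", 5001), Host("Other", "A", 5500),
              Host("AcmeTV", "X200", 7), Host("Bogus", "Z", 9)):
        print(h, host_status(h, CRL, CWL))
```
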
CI Plus - Additional Interactivity with Consumer
CI Plus Browser
• Enables CI Plus modules to display graphics with menus, pictures, logos, ... in a common method on all CI Plus receivers/displays
• Allows easy interaction with default remote control
Support of MHP CA API
• Enables the broadcast MHP application to communicate with a CA Smartcard inside the CI Plus module
Country and Language Support
• Enables CI Plus modules to use the same language in menus that the user has already defined in the receiver settings.
CI Plus - LLP, Certificate Agent & Test Center
CI Plus LLP contact details:
• CI Plus LLP, www.ci-plus.com
• Pannell House, Park Street, Guildford, Surrey GU1 4HN, UK
• CI Plus LLP registered (no OC341596) in England & Wales
CI Plus LLP authorized Certificate Agent:
• TC TrustCenter GmbH, www.trustcenter.de
• Sonninstrasse 24-28, 20097 Hamburg, Germany
  Tel/Fax: +49.40.808026-0/-126
  Mail: [email protected]
CI Plus LLP approved Test Facility:
• Digital TV Labs Ltd., www.digitaltv-labs.com
• Venturers House, King Street, Bristol, BS1 4PB, UK
  Tel/Fax: +44.117.915-4018/-4088
  Mail: [email protected]
CI Plus - Documentation
Documents on www.ci-plus.com
• CI Plus Specification v1.3
  - Detailed Specification for Receiver and Module with change notes 002, 005 & 007
• Supplementary Specification v1.3
  - Requirements for host revocation/shunning
• Implementations Guidelines v1.0
• Registration Application
  - Application for test and registration of a device
• CI Plus Logo Guidelines & Archive
• Test Specification v1.0
  - Definition of test and registration process
Documents on www.trustcenter.de
• On-Boarding Guideline
• Interim License Agreement (ILA)
  - Compliance and Robustness Rule...
• Certificate Supply Agreement (CSA)
• Forms: Identification, Administrator Authorization, Brand On-Boarding, Registration Application
• Robustness Certification Checklist
www.trustcenter.de/solutions/consumer_electronics.htm
www.ci-plus.com/index.php?page=download
CI Plus - License Agreement with Exhibits A-L
A: Device Type
B: Robustness Rules
C: Compliance Rules for Host Device
D: Compliance Rules for CICAM Device
E: URI Mapping Table
G: Robustness Rules Checklist
H: Confidentiality Agreement
I: Fee schedule
J: Registration Procedure
K: Change Procedure
L: Revocation Procedure
[Figure labels: CICAM Device, Host Device, Robustness Rules, Compliance Rules, Confidentiality Agreement]
CI Plus - Implementation ...
[Flow chart of certification and licensing; labels in extraction order:]
• CI Plus LLP (Limited Liability Partnership)
• Trust Authority (TA)
• Certification Authority (CA)
• Test of Device
• Device Manufacturer of CI Plus Module / Host
• TC Trust Center
• Sign License Agreement; €15,000 registration/yearly; Receive License specs and Test technology
• At Website
• Public Specification, License Agreement (incl. Compliance and Robustness)
• Order Certificates (keys); € 500/10.000 devices
• Device Testing Result; Robustness Checklist; € 5,000/device type
• Device Registration; Production Credentials
• Test Partner
• New device; Robustness Checklist; Device Testing Result
• or Self-Test-Registration (after registration of 2 different device types)
• Deliver Certificates (keys)
CI Plus - Licensees
Publication
• Licensees of CI Plus are published with homepage URL on website of TrustCenter
• 89 Licensees on 2011-10-10
  - 29 Components Licensees
  - 54 Hosts Licensees
  - 6 Modules Licensees
www.trustcenter.de/consumer_electronics_licensees_host.htm
www.trustcenter.de/consumer_electronics_licensees_host_module.htm
www.trustcenter.de/consumer_electronics_licensees_module.htm
CI Plus - Summary
• CI Plus is based on DVB-CI standard and is downward compatible
• Encrypted communication over the CI/CI+ interface
  - Secure & authenticated channel for critical system messages
  - Encrypted transmission of digital content from CI+ module towards the host device
• Implementation
  - Licensing & administration of Certificates managed by independent Trust-Center
  - Certification of end user devices & CI+ modules in a digital TV laboratory
• Future proof with URI (Usage Rules Information) for UPnP, CPCM, CSA3, DTCP, DLNA, ...
[Figure labels: STB, PVR, LAN, Internet]
Document History
2009-07-06 Creation and first publication on www.ci-plus.com
2011-11-11 Specification v1.3, DVB resumption, SMiT membership, updated CIP contact detail, licensee overview, reformatting to 16:9
Abbreviations
AACS  Advanced Access Content System  aacsla.com
AES  Advanced Encryption Standard
API  Application Programming Interface
CA  Conditional Access
CAM  Conditional Access Module (DVB-CI or CI Plus)
CAS  Conditional Access System
CC  Content Control
CDA  Content Distributor Agreement (contract with CI Plus)
CE  Consumer Electronics
CGMS  Copy Generation Management System
CI  Common Interface
CIP  CI Plus LLP  ci-plus.com
CIv1  DVB CI version 1.0  dvb.org
CI Plus  Common Interface Plus  ci-plus.com
CM  Commercial Module (of DVB)
CPRM  Content Protection for Recordable Media  4centity.com
CRL  Certificate Revocation List
CWL  Certificate White List
CSA  Certificate Supply Agreement
DES  Data Encryption Standard
DLNA  Digital Living Network Alliance  dlna.org
DOT  Digital Only Token
DVB  Digital Video Broadcasting  dvb.org
DRM  Digital Rights Management
DTCP  Digital Transmission Content Protection  dtcp.com
DTVL  Digital TV Labs (CI Plus)  digitaltv-labs.com
EU  Europe  europa.eu
FFW  Fast Forward (PVR function)
HDCP  High-bandwidth Digital Content Protection
HDD  Hard Disk Drive
HDMI  High Definition Multimedia Interface  hdmi.org
ICT  Image Constraint Token
IDTV  Integrated Digital tuner Television
ILA  Interim License Agreement
LCD  Liquid Crystal Display
LLP  Limited Liability Partnership
MHP  Multimedia Home Platform
MPAA  Motion Picture Association of America  mpaa.org
PCMCIA  Personal Computer Memory Card International Association
PVR  Personal Video Recorder
SAC  Secure Authenticated Channel
SC  Smart Card
SDT  Service Descriptor Table
SOC  Selectable Output Control
SMiT  Shenzhen State Micro Technology Co. Ltd.
SPDIF  Sony/Philips Digital Interconnect Format
STB  Set Top Box
TA  Trust Authority (e.g. TC for CI Plus)
TC  TrustCenter GmbH  trustcenter.de
TM  Technical Module (of DVB)
TS  Transport Stream
USB  Universal Serial Bus
URI  Usage Rules Information
VCPS  Video Content Protection System
Version: 2011-11-11
CI Plus LLP  www.ci-plus.com
DVB  www.dvb.org
TC TrustCenter GmbH  www.trustcenter.de
Digital TV Labs Ltd.  www.digitaltv-labs.com