[mythtv-users] cablecard

Brad Templeton brad+myth at templetons.com
Fri Apr 8 01:05:03 UTC 2005


On Fri, Apr 08, 2005 at 12:21:35AM +0100, Stephen Boddy wrote:
> Sorry, perhaps I'm being dense here, but if you were not using a "trusted" 
> platform, and had access to the keys and the algorithms for decryption with 
> the keys, couldn't the software just ignore revocation list?

That's why this is done in hardware.   We have 3 components. (Though I have not
read the depths of the cablecard spec, this is how most of these systems are
designed to work.)

There is the cablecard itself, provided and authorized by the cable company
with the keys needed to be able to decrypt video streams, and programmable by
the cable company to say what streams you are allowed to decrypt -- i.e. have
you paid for HBO, PPV program, etc.   This is locked hardware, you can't get
into it except through its official interfaces (or with fancy cracking equipment.)

There is the hardware/slot the cablecard plugs into.  This is part of some 3rd
party vendor's box -- a TV set, a Tivo, a PCI Card in a Windows MCE box.  It
does the hardware interfaces to the cablecard, and feeds the cablecard the
encrypted stream of data the user has tuned.  (Those streams include commands
to enable and disable functionality for example.)

Then there is the software that controls the "slot."

The cablecard won't hand over the keys to decrypt a video stream to just any
slot or software.   It wants proof that the hardware and software it's talking
to are "approved."   To get approved, you must be certified, and then they
give you some keys signed by their root certificate which the cablecard is
coded to trust.   Don't have such a certificate, or have a revoked one, and
the cablecard won't help you, you can't decrypt the streams.

What I haven't read in depth here is they might have moved around some of
the levels where some of this happens.   Since all the levels are certified
and trusted, you can _in theory_ do things at any level, but since the software
level is the least robust, you prefer to do the security at the lower hardware
levels.

You are forced to feed the encrypted streams into the cablecard, and those
streams include commands to enable and revoke access.  You can't really stop
them from getting through to it.


All of this is generally designed for "secure" boxes like a Tivo or other commercial
PVR.   MCE will be the big exception if it doesn't run under Palladium.


One trick they could pull is they could make a PCI slot card with some TCPA functions.
The card could contain, for example, ram, in which only trusted software is allowed
into the ram, and only programs executing out of the ram can access the keys.
The ram would be slow, of course, but it would not be asked to do too much.  Presumably
the card would feature decryption hardware.

Or the card must simply be able to instrument the PCI bus to be able to be sure the
PC itself is not compromised.  With DMA it could do hashes of regular system ram
and assure it's still running trusted code, that sort of thing.   I don't know
what tricks they plan, or if they need any of these tricks, because they may
feel key revocation is sufficient security.  It probably is.


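The three-party exchange described above (host certificate signed by a root the card trusts, revocation list, in-band operator commands that enable or revoke, and entitlements deciding which streams the card will unlock), as an added example that is not part of the original post and not taken from any CableCARD specification. Ed25519 signatures, the "HOST-42" serial, the "enable:"/"revoke:" command format and the "HBO" content key are all assumptions made for the illustration; a real card would use its own algorithms and message formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// HostCert is the host's "approved" credential: its serial and public key,
// signed by the certifying authority's root key that the card is coded to trust.
type HostCert struct {
	Serial string
	PubKey ed25519.PublicKey
	Sig    []byte // root signature over certBody(Serial, PubKey)
}

// certBody is the signed portion; PubKey is fixed-size, so the encoding is unambiguous.
func certBody(serial string, pub ed25519.PublicKey) []byte { return append([]byte(serial+"|"), pub...) }

// IssueHostCert is the certifying authority's step once a host design is approved.
func IssueHostCert(root ed25519.PrivateKey, serial string, pub ed25519.PublicKey) HostCert {
	return HostCert{serial, pub, ed25519.Sign(root, certBody(serial, pub))}
}

// Card models the cablecard: the trusted root key, a revocation list, the
// channels the operator has entitled, and the per-channel content keys.
type Card struct {
	Root              ed25519.PublicKey
	Revoked, Entitled map[string]bool
	ContentKey        map[string][]byte
}

var ErrUntrusted = errors.New("host not approved")

// ReleaseKey hands over a channel's content key only to a host that passes
// every check: root signature on its certificate, serial not revoked, proof of
// possession of the certified key over a fresh challenge, and an entitlement
// for the channel. Failing any of them, the host has nothing to decrypt with.
func (c *Card) ReleaseKey(cert HostCert, challenge, proof []byte, channel string) ([]byte, error) {
	switch {
	case !ed25519.Verify(c.Root, certBody(cert.Serial, cert.PubKey), cert.Sig):
		return nil, fmt.Errorf("%w: certificate not signed by trusted root", ErrUntrusted)
	case c.Revoked[cert.Serial]:
		return nil, fmt.Errorf("%w: serial %s is revoked", ErrUntrusted, cert.Serial)
	case !ed25519.Verify(cert.PubKey, challenge, proof):
		return nil, fmt.Errorf("%w: challenge not signed with certified key", ErrUntrusted)
	case !c.Entitled[channel]:
		return nil, fmt.Errorf("channel %q not entitled on this card", channel)
	}
	return c.ContentKey[channel], nil
}

// ApplyCommand handles an in-band operator command ("enable:<channel>" or
// "revoke:<serial>") carried in the stream. Only root-signed commands are
// honoured, so a host relaying the stream can at most drop them, never forge them.
func (c *Card) ApplyCommand(cmd string, sig []byte) error {
	if !ed25519.Verify(c.Root, []byte(cmd), sig) {
		return errors.New("command rejected: bad operator signature")
	}
	switch kind, arg, _ := strings.Cut(cmd, ":"); kind {
	case "enable":
		c.Entitled[arg] = true
	case "revoke":
		c.Revoked[arg] = true
	default:
		return fmt.Errorf("unknown command %q", kind)
	}
	return nil
}

var DemoHBOKey = []byte("constructed-demo-content-key") // constructed for the demo, not a real key

// Scenario walks the exchange end to end with freshly generated keys and
// returns the key the approved host obtained plus the error (or nil) of each step.
func Scenario() (key []byte, steps map[string]error) {
	steps = map[string]error{}
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	hostPub, hostPriv, _ := ed25519.GenerateKey(rand.Reader)
	card := &Card{rootPub, map[string]bool{}, map[string]bool{}, map[string][]byte{"HBO": DemoHBOKey}}
	cert := IssueHostCert(rootPriv, "HOST-42", hostPub)
	challenge := make([]byte, 32) // chosen by the card, fresh per session
	rand.Read(challenge)
	proof := ed25519.Sign(hostPriv, challenge)
	opSign := func(cmd string) []byte { return ed25519.Sign(rootPriv, []byte(cmd)) }
	_, steps["not entitled"] = card.ReleaseKey(cert, challenge, proof, "HBO") // approved host, channel not paid for
	card.ApplyCommand("enable:HBO", opSign("enable:HBO"))
	key, steps["approved"] = card.ReleaseKey(cert, challenge, proof, "HBO")
	steps["forged command"] = card.ApplyCommand("enable:PPV", make([]byte, ed25519.SignatureSize))
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // uncertified host with a self-signed cert
	rogue := HostCert{"HOST-7", roguePub, ed25519.Sign(roguePriv, certBody("HOST-7", roguePub))}
	_, steps["forged cert"] = card.ReleaseKey(rogue, challenge, ed25519.Sign(roguePriv, challenge), "HBO")
	card.ApplyCommand("revoke:HOST-42", opSign("revoke:HOST-42")) // operator revokes the approved host
	_, steps["after revoke"] = card.ReleaseKey(cert, challenge, proof, "HBO")
	return key, steps
}

func main() { key, steps := Scenario(); fmt.Println(string(key), steps) }
```

The point the toy makes is the one Brad draws: a self-signed host certificate, an unsigned operator command and a revoked serial all fail before any content key leaves the card, and the card, not the host, picks the challenge, so a captured proof cannot be replayed in a later session. Software on the host side can drop the in-band revoke command but cannot forge an enable, which is why doing the checks inside the card rather than in host software matters.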