View Full Version : Brief Description of (CAS) How does my SmartCard Work


neo50z
11-10-2008, 01:10 PM
Analysis of the Nagravision Video Scrambling Method

Pay-TV broadcasters employ conditional access systems to ensure that only
TV viewers who have paid a subscription fee and who have in return
received a decoder box can watch the TV channel. The Nagravision [1]
conditional access system for PAL television developed by Kudelski SA,
Cheseaux, Switzerland, is used for instance by the pay-TV broadcasters
Premiere (Germany), Teleclub (Switzerland), Canal+ (France, Spain), and
Cinemania (Spain). Like with other hybrid video scrambling systems such as
EuroCrypt [2, 3] or VideoCrypt [4], Nagravision sends a digitally encrypted
control word over the radio interface to the decoder in order to control the
descrambling of an analog TV signal. The control word is decrypted in a
smartcard and converted into the seed value for a random number generator.
This random number generator then controls the image descrambling process
for the next few seconds. Nagravision scrambles the video signal by permuting
the lines within a field. It also inverts the audio spectrum by mixing
it with a 12.8 kHz sine wave carrier to make it unrecognizable. The audio
signal can trivially be descrambled by just inverting its spectrum a second
time; it is not protected by any cryptographic mechanisms.

Like with all hybrid scrambling systems, which digitally control the scrambling
of a video signal that is transmitted in analog form, there are two
different classes of techniques for descrambling the video signal without using
a regular decoder or smartcard:

- Microelectronics testing equipment can be used to extract the decryption
  algorithm and secret key data from the smartcard and with this
  knowledge compatible pirate smartcards and decoders can be manufactured.

- Properties of typical TV signals can be used to reconstruct the original
  image or the random number seed value that controls the descrambler
  which is then used to descramble the entire image in high quality.
  This technique makes it unnecessary to break the digital cryptography
  or smartcard security aspects of the system and it can be implemented
  without using any genuine decoder hardware.


Nagravision uses a surprisingly weak scrambling technique that can rather
easily be defeated without using any cryptographic secrets that might be
stored in the subscriber smartcard. While image processing attacks can only
approximate the original signal for cryptographic scrambling systems such
as VideoCrypt and EuroCrypt, Nagravision allows the attacker to determine
reliably the seed value in such a short time that the clear image can be reconstructed
without any quality loss in real time using standard personal
computers or decoder designs that cost not much more than the official decoder.
The color-carrier sensing pirate decoders for the SECAM version of
Nagravision can easily be defeated by a more carefully designed substitution
table. Whether lasting countermeasures are possible against pixel-correlation
based pirate decoders depends on whether the broadcasters can upgrade the
fielded decoders easily to use a larger set of permutation parameters
and whether v can be replaced by a cryptographically strong cipher function.

This paper is work in progress and might still contain errors. I started writing
it in order to get a better understanding of the mathematical properties of
the Nagravision scrambling method and the algorithms used in the various
currently available pirate decoders. These have been designed by individuals who
want to stay anonymous because they are afraid that the work on these
decoders might be considered illegal in their home country (France). I also
wrote this paper to collect and discuss possibly useful ideas and insights
towards more advanced attacks and countermeasures. Since the Nagravision
system is anyway scheduled to be replaced by a DVB conditional access
system, I do not think that publishing my thoughts on the topic can do any
economic harm, but I hope they might be of some educational benefit.
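
The audio spectrum inversion described in the post, as an added example that is not part of the original post or paper: it shows why a fixed, keyless transform gives no confidentiality, since applying the same operation a second time restores the input. The 48 kHz sample rate, the FIR low-pass filter and the 3 kHz test tone are assumptions made for this demo; only the 12.8 kHz carrier comes from the text.

```python
import math

FS = 48_000       # sample rate in Hz (assumption for this demo)
CARRIER = 12_800  # inversion carrier named in the text, in Hz
N = 960           # 20 ms of samples

def tone(freq_hz, n=N):
    """Constructed test input: a pure sine at freq_hz."""
    return [math.sin(2 * math.pi * freq_hz * i / FS) for i in range(n)]

def lowpass(x, cutoff_hz=CARRIER, taps=101):
    """Hamming-windowed sinc FIR that keeps only content below cutoff_hz."""
    m = taps // 2
    h = []
    for k in range(-m, m + 1):
        ideal = (2 * cutoff_hz / FS if k == 0
                 else math.sin(2 * math.pi * cutoff_hz * k / FS) / (math.pi * k))
        h.append(ideal * (0.54 + 0.46 * math.cos(math.pi * k / m)))
    return [sum(h[j] * x[i - j] for j in range(min(taps, i + 1)))
            for i in range(len(x))]

def invert_spectrum(x):
    """Mix with the carrier and keep the lower sideband: f becomes CARRIER - f.
    There is no key or secret parameter anywhere in this transform."""
    mixed = [2 * v * math.cos(2 * math.pi * CARRIER * i / FS)
             for i, v in enumerate(x)]
    return lowpass(mixed)

def dominant_hz(x, step=100):
    """Strongest frequency on a 100 Hz grid, found by direct DFT evaluation."""
    def power(f):
        w = 2 * math.pi * f / FS
        re = sum(v * math.cos(w * i) for i, v in enumerate(x))
        im = sum(v * math.sin(w * i) for i, v in enumerate(x))
        return re * re + im * im
    return max(range(step, FS // 2, step), key=power)

if __name__ == "__main__":
    clear = tone(3000)
    scrambled = invert_spectrum(clear)     # 3000 Hz moves to 12800 - 3000
    restored = invert_spectrum(scrambled)  # same operation undoes itself
    print(dominant_hz(clear), dominant_hz(scrambled), dominant_hz(restored))
```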