Some technical details about Videocrypt
---------------------------------------

Markus Kuhn -- 1996-05-06


In this file, I'll collect some of the details known or assumed about
the Videocrypt pay-TV access control system. Consider it as some kind
of frequently asked questions list with answers about the system.


1  Basic principle

Videocrypt encodes the TV image by cutting each line of the image in
two pieces at some cut point and then exchanging these two line
fragments in the broadcast picture. For example, if a line like

   0123456789

passes the encoder, the output might look like

   4567890123

where the digits represent the pixels of the image. There are 256
possible cut points and there are no cut points directly near the image
border (the minimum distance from the margin is about 12-15% of the
image width), which is the reason why you can sometimes still see
vertical patterns even on an encrypted image. The sound is currently
not encrypted.

Several times per second, a computer at the broadcasting station
generates a 32-byte message which is broadcast, encoded together with
forward error correction information, in the first invisible lines of
the TV signal, similar to teletext. About every 2.5 seconds, one of
these 32-byte messages is processed in the encoder by a secret hash
algorithm which transforms the 32-byte message into a 60-bit value.
These 60 bits are then used by a second algorithm in order to determine
the 8-bit cut point coordinates for each line for the next 2.5 seconds.
No details about this second algorithm are known, but think of it just
as some kind of 60-bit pseudo random number generator (PRNG) where the
60-bit output from the secret hash function is used as a start value
(seed).

The decoder receives the 32-byte messages and other data together with
the TV signal, applies some error correction algorithms and passes all
32-byte packets to the smart card in the decoder's card slot. The smart
card implements the same secret hash function and answers with the same
60-bit value as the one which is used in the encoder. Using this 60-bit
answer from the card, the decoder hardware can generate the same cut
point sequence as the encoder with the same PRNG and can thus
reconstruct the original image by again exchanging the two line
fragments. The secret hash function is a cryptographically strong
system which is designed so that it is extremely difficult to guess the
algorithm of this function by looking at many pairs of 32-byte/60-bit
values.
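
The encoder/decoder relationship described above, modelled as an added
example (not code from the original file or from any Videocrypt
implementation). HMAC-SHA-256 truncated to 60 bits and SHAKE-128 stand in
for the secret hash and the unknown PRNG; the 720-sample line width, the
linear mapping from 8-bit cut value to sample position, and the key,
message and frame are constructed assumptions.

```python
import hashlib
import hmac

LINE_WIDTH = 720                  # assumed samples per line (not from the page)
MARGIN = LINE_WIDTH * 15 // 100   # page: no cut points within ~12-15% of the border

def card_hash(key: bytes, message: bytes) -> int:
    """Stand-in for the secret hash: 32-byte message -> 60-bit seed."""
    if len(message) != 32:
        raise ValueError("expected a 32-byte message")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") >> 4        # keep 60 bits

def cut_values(seed: int, n_lines: int) -> bytes:
    """Stand-in PRNG: expand the 60-bit seed into one 8-bit value per line."""
    return hashlib.shake_128(seed.to_bytes(8, "big")).digest(n_lines)

def cut_offset(value: int) -> int:
    """Map an 8-bit cut value to a sample position clear of both margins."""
    return MARGIN + value * (LINE_WIDTH - 2 * MARGIN) // 256

def rotate(line, cut):
    """Cut the line at `cut` and exchange the two fragments."""
    return line[cut:] + line[:cut]

def scramble(frame, seed):
    return [rotate(line, cut_offset(v))
            for line, v in zip(frame, cut_values(seed, len(frame)))]

def descramble(frame, seed):
    # Rotating by the length of the second fragment undoes the exchange.
    return [rotate(line, LINE_WIDTH - cut_offset(v))
            for line, v in zip(frame, cut_values(seed, len(frame)))]

def demo():
    key = bytes(range(32))               # constructed 32-byte key table
    message = bytes(range(100, 132))     # constructed 32-byte broadcast message
    frame = [[(3 * x + y) % 256 for x in range(LINE_WIDTH)] for y in range(8)]
    seed = card_hash(key, message)       # encoder and card compute the same seed
    sent = scramble(frame, seed)         # encoder side
    return frame, sent, descramble(sent, seed)   # decoder with the card's answer

if __name__ == "__main__":
    frame, sent, restored = demo()
    print("restored == original:", restored == frame)
```

The only secret in this model is the key inside `card_hash`; everything
after the 60-bit seed is deterministic and identical for every decoder.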

Apart from being the source for the generation of the 60-bit PRNG seed,
the 32-byte messages from the broadcasting station contain card numbers
so that individual cards can be addressed, and they contain commands
like activation, deactivation and pay-per-view account modification. In
addition, the 32-byte packets contain a digital signature (currently 4
bytes) that allows the card to test whether the 32-byte messages really
originate from the encoder and have not been generated by someone
analysing the card. Again, this digital signature, like the hash
function, has been designed so that it is difficult to find out how to
generate a correct signature by looking at enough examples. This
prevents chosen-text attacks, where someone tries to probe the secret
hash function with very carefully selected 32-byte messages, and it
prevents hackers from generating new activation commands for the card.

In early 1993, someone managed to get access to the secret hash
functions of several stations which use Videocrypt (e.g., British Sky
Broadcasting, Adult Channel, JSTV, BOB, Red Hot TV). Most of these
systems used the same hash and signature algorithm and the only
difference between the stations was a 32-byte secret key table. It is
not known how it was possible to get this information. Either someone
from the company who manufactured the cards (News Datacom Ltd.)
released this information or it was possible for someone to read out
the EEPROM contents of the card processor (very difficult, but
theoretically possible). With this knowledge it was then quite easily
possible for the original hackers to produce 'clone cards'. These are
simple PCBs with a cheap microcontroller (e.g. one of Microchip's PIC
family), which implements only the secret hash function and serial I/O
procedures in its EPROM and answers with the correct 60-bit values to
32-byte messages just as the real cards do. For several channels, clone
cards are still available, but BSkyB distributed new 09 series cards in
spring 1994 and switched on 1994-05-18 to a new secret hash and
signature function. On 1995-10-31, BSkyB switched again to the new 10
series cards with another new hash algorithm. Each time, all clone
cards stopped working and it took a long time to get access to the new
secret hash algorithm.

The clone cards didn't implement any interpretation procedures for card
activation, deactivation and pay-per-view functions, so their software
is considerably simpler than the one in the real cards. This resulted
in some tiny differences between the reaction of the clone card
software and the reaction of the original card software on pathological
32-byte messages. These differences were used in countermeasures
(commonly referred to as ECMs) against clone cards several times in
1993 and 1995 by BSkyB and News Datacom in order to deactivate clone
cards, but it was quite easy each time to find these tiny bugs in
the clone card software and correct them.

There are two microprocessors in a typical Videocrypt decoder. An Intel
8052 microcontroller manages the communication between the smart card
and the rest of the system. As the software of this processor is not
read protected, it was also possible to reprogram this chip (by using
the EPROM version 8752BH) so that the hash algorithm is performed
inside the decoder. Then no external card is needed at all for the
channels for which the hash algorithm was implemented in the 8752. The
second processor is a Motorola 6805 variant and its internal ROM
contents can't be read out easily. The Motorola decodes the data that
comes with the TV signal, applies error correction algorithms to this
data, exchanges the 32-byte messages and 8-byte answers with the Intel
processor and controls the PRNG and the on-screen display hardware.

There are also Videocrypt II decoders available. These work almost like
the Videocrypt decoders and the only important difference is new
software in the Intel and Motorola processors. Videocrypt II decoders
get their data from other invisible TV lines than Videocrypt, and it is
possible to broadcast a signal encrypted in a way that allows both
Videocrypt and Videocrypt II to decode it with different smart cards.

More detailed basic information about Videocrypt has been published in
the European patent EP 0 428 252 A2 ("A system for controlling access
to broadcast transmissions"). You can order a copy for little money
(about 10 DM) from the European Patent Office (Schottenweldgasse 29,
A-1072 Wien, Austria) if you are interested.


2  Security of the Videocrypt system

The system is very secure, because all secret parts that are essential
to a successful decryption are located in the smart card, and if the
card's secret hash algorithm/key becomes known, it can easily be
replaced by just sending new cards to the subscribers. This card
exchange can also be used if details about the format of the commands
hidden in the 32-byte sequences sent to the card become known, which,
together with knowledge of the signature algorithm, would allow someone
to generate new activation messages and to filter out deactivation
messages.

There are however at least two obvious security flaws of the system
which can't be removed by new smart card generations:

  - The dialog between the card and the decoder is the same synchronously
    for all Videocrypt decoders switched to this channel. I.e., the decoder
    doesn't add any card specific or decoder specific information to the
    traffic. This makes it possible to use one card for several decoders.
    E.g. it is possible to record the 32-byte messages broadcast by
    the station during an evening with a PC, then send these messages to
    someone else with an original card who asks his card for the 60-bit
    answers to all the recorded messages. If this person then sends
    these 60-bit answers back, then you can use this data in order
    to descramble the VCR recorded program of this evening (delayed data
    transfer). However, decoding VHS recorded encrypted signals produces
    minor color distortions and a few VCRs don't preserve the Videocrypt
    data stream in the first invisible lines that accompanies the TV
    signal. It is also possible to distribute the 60-bit answers from
    one card in real-time with cables to many decoders in a house or
    with radio signals to many decoders in a larger region.

  - The simple cut-and-exchange encryption method and the fact that two
    consecutive lines in an image are almost always nearly identical
    make it possible to try all 256 possible cut points and to select
    the one which causes both lines to fit together best. This method
    has already been implemented on fast PCs with framegrabbers which
    load the image into the memory and display it corrected on the computer
    screen (many seconds per frame), on parallel supercomputers which
    allow almost real-time decryption and with special hardware that
    achieves real-time decryption. However, with this decoding method,
    there are severe image quality losses and many additional problems
    which together with the high hardware costs required (much higher
...