Common Scrambling Algorithm
Encyclopedia
The Common Scrambling Algorithm (or CSA) is the encryption algorithm used in the DVB digital television
broadcasting for encrypting video streams.
CSA was specified by ETSI and adopted by the DVB consortium in May 1994.
only, and this would have made it difficult to reverse engineer
existing implementations.
In 2002 FreeDec was released, implementing CSA in software. Though released as binary
only, disassembly
revealed the missing details and allowed reimplementation of the algorithm in higher-level programming language
s.
With CSA now publicly known in its entirety, cryptanalysts started looking for weaknesses.
When used in encryption mode the data are first encrypted using the 64 bits block cipher in CBC mode
, starting from packet end.
The stream cipher is then applied from packet start.
The first 64 bits of data are used as initialization vector
during this phase and are left unchanged.
The stream cipher then generates 2 bits of pseudo-random stream on each round which are xored starting at bit 64 of the packet.
in Europe and elsewhere, and is used by many satellite television providers. No attack has yet been published, however.
is 64 bit
s, which allows for many different possibilities of encryption. A brute force attack
taking 1 μs for each try, through all possible key words, would take around 300,000 years, on average. This could be reduced by using the predictable parts of the encrypted message to rule out potential keys, however this would require cryptanalysis of both stream cipher and block cipher algorithms at the same time which is a complicated task.
time.
Theoretical implementation in a FPGA that would consist of 42 hw-threads that each would test 1 key per clock-cycle. At a clock-rate of 50Mhz this would allow the key to be found in ~19 days since we would expect, on average, to find the key after 247 tries for a 248 key. The problematic part in this would be to determine when a valid key was found since that would involve checking the decrypted data for known things like MPEG-headers which could be hard to implement efficiently enough to fit in a today commercially available FPGA. One possible way to reduce the needed complexity in the FPGA could be to have a multi-layer approach where the first one just discards all keys that are known to be invalid with quite simple checks and one or more that checks for additional information.
Most CA systems use short lived keys which are replaced every few seconds, making such implementation useless until computational power increase dramatically. Moreover, the usual 48 bits key length may still be increased to 64 bits in the future to improve system strength, as this is not a limitation of the algorithm.
Digital television
Digital television is the transmission of audio and video by digital signals, in contrast to the analog signals used by analog TV...
broadcasting for encrypting video streams.
CSA was specified by ETSI and adopted by the DVB consortium in May 1994.
History
CSA was largely kept secret until 2002. The patent papers gave some hints, but important details, like the layout of the so-called S-boxes, remained secret. Without these free implementations of the algorithm were out of question. Initially, CSA was to remain implemented in hardwareHardware
Hardware is a general term for equipment such as keys, locks, hinges, latches, handles, wire, chains, plumbing supplies, tools, utensils, cutlery and machine parts. Household hardware is typically sold in hardware stores....
only, and this would have made it difficult to reverse engineer
Reverse engineering
Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation...
existing implementations.
In 2002 FreeDec was released, implementing CSA in software. Though released as binary
Executable
In computing, an executable file causes a computer "to perform indicated tasks according to encoded instructions," as opposed to a data file that must be parsed by a program to be meaningful. These instructions are traditionally machine code instructions for a physical CPU...
only, disassembly
Disassembler
A disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler. A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language...
revealed the missing details and allowed reimplementation of the algorithm in higher-level programming language
Programming language
A programming language is an artificial language designed to communicate instructions to a machine, particularly a computer. Programming languages can be used to create programs that control the behavior of a machine and/or to express algorithms precisely....
s.
With CSA now publicly known in its entirety, cryptanalysts started looking for weaknesses.
Description of the cipher
The CSA algorithm is composed of two distinct ciphers: a block cipher and a stream cipher.When used in encryption mode the data are first encrypted using the 64 bits block cipher in CBC mode
Block cipher modes of operation
In cryptography, modes of operation is the procedure of enabling the repeated and secure use of a block cipher under a single key.A block cipher by itself allows encryption only of a single data block of the cipher's block length. When targeting a variable-length message, the data must first be...
, starting from packet end.
The stream cipher is then applied from packet start.
Block cipher
The block cipher process 64 bits blocks in 56 rounds. It uses 1 byte from expanded key on each round.Stream cipher
The first 32 round of the stream cipher are used for initialization and do not generate any output.The first 64 bits of data are used as initialization vector
Initialization vector
In cryptography, an initialization vector is a fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom...
during this phase and are left unchanged.
The stream cipher then generates 2 bits of pseudo-random stream on each round which are xored starting at bit 64 of the packet.
Weaknesses
Were CSA to be broken, encrypted DVB transmissions would be decipherable, regardless of any proprietary conditional access (CA) system used. This could seriously compromise paid digital television services, as DVB has been standardised on for digital terrestrial televisionDigital terrestrial television
Digital terrestrial television is the technological evolution of broadcast television and advance from analog television, which broadcasts land-based signals...
in Europe and elsewhere, and is used by many satellite television providers. No attack has yet been published, however.
Cryptanalysis
Like other encryption algorithms, a weak spot arises inasmuch that parts of the message are known or at least easily predictable, like MPEG headers. The length of the keyKey (cryptography)
In cryptography, a key is a piece of information that determines the functional output of a cryptographic algorithm or cipher. Without a key, the algorithm would produce no useful result. In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa...
is 64 bit
Bit
A bit is the basic unit of information in computing and telecommunications; it is the amount of information stored by a digital device or other physical system that exists in one of two possible distinct states...
s, which allows for many different possibilities of encryption. A brute force attack
Brute force attack
In cryptography, a brute-force attack, or exhaustive key search, is a strategy that can, in theory, be used against any encrypted data. Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system that would make the task easier...
taking 1 μs for each try, through all possible key words, would take around 300,000 years, on average. This could be reduced by using the predictable parts of the encrypted message to rule out potential keys, however this would require cryptanalysis of both stream cipher and block cipher algorithms at the same time which is a complicated task.
Brute force approach
While CSA algorithm uses 64-bit keys, most of the time only 48 bits of key are unknown, since bytes 3 and 7 are used as checksum bytes in CA systems, and may be easily recalculated. This allow reducing the brute force searchBrute-force search
In computer science, brute-force search or exhaustive search, also known as generate and test, is a trivial but very general problem-solving technique that consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem's...
time.
Theoretical implementation in a FPGA that would consist of 42 hw-threads that each would test 1 key per clock-cycle. At a clock-rate of 50Mhz this would allow the key to be found in ~19 days since we would expect, on average, to find the key after 247 tries for a 248 key. The problematic part in this would be to determine when a valid key was found since that would involve checking the decrypted data for known things like MPEG-headers which could be hard to implement efficiently enough to fit in a today commercially available FPGA. One possible way to reduce the needed complexity in the FPGA could be to have a multi-layer approach where the first one just discards all keys that are known to be invalid with quite simple checks and one or more that checks for additional information.
Most CA systems use short lived keys which are replaced every few seconds, making such implementation useless until computational power increase dramatically. Moreover, the usual 48 bits key length may still be increased to 64 bits in the future to improve system strength, as this is not a limitation of the algorithm.