[mythtv-users] SiliconDust to Announce CableCard Product at CES [RUMOR]

Brian Wood beww at beww.org
Thu Jan 7 16:43:38 UTC 2010


On Thursday 07 January 2010 09:39:41 am Devin Heitmueller wrote:
> On Thu, Jan 7, 2010 at 11:33 AM, Ronald Frazier <ron at ronfrazier.net> wrote:
> >> But that's the same basic idea, even if there is another device in the
> >> chain. The question is how it gets decrypted. I'm assuming the
> >> decryption key is passed from the cable card to the PC only through an
> >> authenticated chain, but as I just explained, it wouldn't be difficult
> >> to extract the key and pretend to be the Windows system (i.e., rather
> >> than a man-in-the-middle attack, you are simply killing Alice and
> >> sending in your look-alike replacement).
> >
> > To be clear...I'm not thinking for a second that I'm more clever than
> > the engineers that designed this system. It's just, as someone very
> > interested in tech security topics, I'm very curious how they think
> > they've solved this. It seems you'd have to carry the authentication
> > chain right past the PC to the end device. Perhaps HDCP can provide
> > this service, but if that were so I don't see what all the fuss up to
> > now about "only certified system can use cablecard" is all about,
> > because in such a case, the decryption key would be passed through
> > encrypted for the HDCP display device, and there was never any threat
> > from the PC.
> 
> From an academic standpoint, if you are interested in the topic you
> really should look at the OCUR spec (freely available), as it
> describes in detail how the encryption and key management works
> between the headend and the OCUR device, as well as what requirements
> are put on PC vendors interested in interfacing the OCUR device.  The
> requirements are specific enough to extrapolate at a high level what
> would be required to meet those requirements.
> 
> It's an interesting read, if for no other reason as it gives you an
> idea how they did give considerable thought as to how to
> prevent/mitigate all the attack vectors that most security
> professionals would come up with (at least they covered most of the
> obvious attacks I thought of and I used to design high-security
> encryption hardware for a living).

Now if they would just put as much time and effort into creating programming 
that's worth paying for, instead of ways to protect the crap they're putting 
out now.

It's like the telcos spending more to calculate and implement billing than 
they do on actually providing the service.

