
CI Plus Overview

11th November 2011

www.ci-plus.com CI Plus Limited Liability Partnership (LLP)


Table of Contents
One Page Overview of CI Plus
History of Common Interface
Requirements & Scope with CI Plus
CI Plus System Overview
CI Plus Specification
- SAC (Secure Authenticated Channel)
- Authentication
- Protection of TS (Transport Stream) with CC (Content Control)
- URI (Usage Rules Information)
- Revocation, Shunning
- Interactivity with MHP CA API
CI Plus Administration
- CI+ LLP, Certificate Agent & Test Center
- CI+ Documentation
- Flow Chart of Certification & Licensing
- Licensee Overview
Summary
Document History
Abbreviations

[Diagram labels: PCMCIA, CI, CA, CI-CAM, SC]
CA Conditional Access
CAM CA Module
CI Common Interface
PCMCIA Personal Computer Memory Card International Association
SC Smart Card

Disclaimer:
All text and images that are presented herein are just for illustration purposes about the principles of CI Plus. The presentation may contain inaccuracies or errors. It does not necessarily reflect the most recent status of technical and licence relevant documents of CI Plus.

2 / 29 file: ci-plus_overview.ppt www.ci-plus.com - CI Plus LLP


One Page Overview
Issue with v1 and Solution with
1997-02 Quite old standard EN 50221 (DVB-CI v1) with unencrypted CAM output
2006-09 Closed DVB TM-CIT group after missing consensus

2007-07 CI+ Forum founded by 6 companies


2008-01 CI Plus Spec v1.0 with encrypted CAM output
2008-11 CI+ forum replaced by CI Plus LLP
2009-03 Appointment of Trustcenter & Test facility

2011-04 DVB adopts future development of CI Plus specification


2011-05 SMiT becomes 7th partner in CI Plus LLP

[Diagram labels: "Encrypted TV Signal", "PCMCIA Interface", "not encrypted", "encrypted", "Copy of original digital content is impossible!", "IDTV", "additional Usage Rules for A/D output and storage", "STB, Recorder, ..."]
History of Common Interface (CI)
1997-02: Standard DVB CI v1 (EN 50221)
1999-11: Extension ETSI TS 101 699
2002-01: EU directive for CI in IDTV with > 30cm
2006-09: Start of DVB TM-CIT group (to close security gaps with new CI v2 ...)
Closed after missing consensus on technology
2007-07: Founding CI+ Forum by 6 companies
2007-12 CI Plus Specification draft
2008-01 CI Plus Specification v1.0
2008-11 Disbanding of CI+ Forum & creation of
CI Plus LLP (UK Limited Liability Partnership)
2009-02 CI Plus Specification v1.1
2009-02 TC TrustCenter GmbH appointed
2009-03 DTV Labs Ltd. appointed test facility
2009-05 CI Plus Specification v1.2
2010-12 Negotiations about continuation of specification under DVB
2011-01 CI Plus Specification v1.3
2011-04 DVB adopts development of CI Plus spec beyond v1.3
2011-05 SMiT becomes 7th partner in CI Plus LLP
DVB-CI & CI Plus - Usage for SD/HDTV
[Diagram labels: "Set-Top-Box with integrated Decryption-System", "Smart Card", "SDTV", "Display or IDTV", "(Only for few content used or permitted)", "Smart Card with DVB-CI", "Smart Card with CI+"]


DVB CI - First Generation Standard v1
CI-Module used with smartcard containing key information
CI-Module removes the encryption of protected content
The output of CI-Module is unencrypted
Due to this, most content providers prefer integrated solutions because of higher security
[Diagram labels: "Smartcard", "Encrypted Television Signal", "CI-Module", "PCMCIA Interface", "No Encryption", "Plasma / LCD IDTV", "Copy of original digital content is possible"]



CI Plus - Protection of Content
Based on existing DVB-CI Standard
Main requirement: achieving the same level of security as embedded solutions
CI Plus Module and Receiver
- Calculation & Usage of a secure key for content protection
- Secure, authenticated channel for critical system messages
The output of the module is encrypted
Only certified devices are supported
[Diagram labels: "Smartcard", "Encrypted Television Signal", "CI Plus Module", "PCMCIA Interface", "Local Encryption", "Plasma / LCD IDTV", "Copy of original digital content is not possible!"]



CI Plus - Scope of Protection

CA Conditional Access
CC Content Control



CI Plus - Scope of Compatibility

                | CA Module (CAM): DVB CI    | CA Module (CAM): CI Plus
Host: DVB CI    | Host & Module DVB-CI mode  | Module in DVB-CI mode*
Host: CI Plus   | Host in DVB-CI mode        | Host & Module CI Plus mode

* DVB-CI mode operation permitted by network operator

CI Plus - System Overview

CA Conditional Access
CC Content Control
CI Common Interface
CAM Conditional Access Module



CI Plus - Specification History
2007-12 Specification Draft
2008-01 Specification v1.0
2009-02 Specification v1.1
2009-05 Specification v1.2
Change number 002, effective 2009-04-23 (Security Extension)
- Summary: Errata of v1.1, CICAM CIS CI Plus compatibility advertisement
Change number 005, effective 2011-03-01 (Security Extension)
- Summary: Security fix for CI Plus Host to check for Brand ID in a CI Plus CICAM device certificate during authentication.
2011-01 Specification v1.3
Change number 007, effective 2012-08-01
- Summary: Extensions of PVR related functionality, CAS protected recording removed, Parental Control Clarifications,
Low Speed Communication Resource, Extended CI Tuning Resource, Operator Profile
2011-10 Specification v1.3.1
Change number 013, effective 2012-08-01
- Summary: Errata of v1.3, implementation guidelines



CI Plus - Specification v1.3
Chapter: Pages:
1-3 Scope, References, Definitions, ... 19
4 System Overview 4
5 Theory of Operation 47
6 Authentication Mechanisms 16
7 Secure Authenticated Channel 12
8 Content Key Calculations 5
9 Public Key Infrastr. & Certificate Details 9
10 Host Service Shunning 5
11 Command Interface 22
12 CI Plus Application Level MMI 12
13 CI Plus MMI Resource 4
14 Other CI Extensions 52
Annex A...N 109
Total: 316
file: ci_plus_specification_v1.3.pdf, date: 2011-01-14



CI Plus - Specification v1.3 Change
Key changes of v1.3 compared to v1.2
Extensions to PVR related functionality.
CAS protected recording removed.
Parental Control Extensions & Clarifications.
Optimization of Low Speed Communication Resource & IP support.
Extension to CI Tuning Resource to support Cable VOD Applications.
Introduction of an Operator Profile.
Change Notice with References
prng_seed per manufacturer [5.3]
URI version 2 [5.7.5.2]
Digital Only Token [5.7.5.3]
Content license [5.10]
Parental Control [5.11]
Recording and Storage [5.12]
Host Authentication [Table 6.3, step 13, item d]
Certificates, Service operator ID [9.3.6]
Host shunning, SDT absent [10.4]
Version 2 of CC resource [11.3]
SAS APDU clarifications [11.4, Annex M.2.1]
MHEG profile extensions [12.8]
Low Speed Communications v3 [14.1]
IP connection by name [14.2.1.2]
Application MMI clarifications [14.4]
Application MMI File Caching [14.5]
Host Control v2 [14.6]
Operator Profile [14.7, Annex N]
APDU clarifications [Annex E]
CIS Feature Identification [G.3.2]
Removal of PVR Resource [v1.2, 15]
Details of changes:
file: ciplus_change_notice_007.pdf, date: 2011-01-21
file: 2011-03-10_ci-plus_specification_v1.3_diff_v1.2.pdf, date: 2011-03-10



CI Plus - Protocols
1. Compare CI+ versions supported by IDTV and CAM.
2. If both sides have the same auth key, they have performed a successful authentication with each other.
3. CI+ CAM and IDTV authenticate each other to make sure the opposite device is a valid CI+ device.
4. The Secure Authenticated Channel (SAC) is used for transmission of security-related messages between CAM and IDTV.
5. Usage Rules Information (URI) version negotiation to find a URI version that is supported on both sides.
6. URI transmission and acknowledgement used by CAM to send a set of usage rules information to the IDTV.
7. Content Control (CC) key calculation used by both sides to calculate keys for scrambling / descrambling of transport stream (TS).
8. System Renewability Message (SRM) transmission and acknowledgement is used from CI+ CAM to transfer SRM for HDCP and DTCP-IP to the IDTV.

[Diagram: protocol sequence]
1. Host Capability Evaluation
2. Auth Key Verification
3. Authentication
4. SAC Key Calculation
5. URI Version Negotiation
6. URI Acknowledgement
7. CC Key Calculation
8. SRM Acknowledgement



CI Plus - Transport Stream Output Protection
Host and CICAM Capabilities:

DES-56-ECB
Data Encryption Standard, 56-bit key, Electronic Code Book
(USA 1999-10, Federal Information Processing Standards, FIPS 46-3)

AES-128-CBC
Advanced Encryption Standard, 128-bit key, Cipher Block Chaining
(USA 2000-10, National Institute of Standards and Technology, NIST, FIPS 197)



CI Plus - Authentication
Supported Authentication Phases per Service Mode:
Basic Service Mode
Registered Service Mode
- Requires upstream communication to HE (Head End)
[Diagram: example]
DH = Diffie-Hellman key exchange



CI Plus - Devices & external Interfaces
[Diagram: CI Plus IDTV, Devices, Signals / Interfaces]
Analogue: PAL / NTSC / SECAM, RGB / YUV / S-Video
Digital: HDMI / HDCP, DTCP-IP
Devices: STB/PVR, Display
time shifted recording (optional)
Encrypted Content, paired to receiver: the content cannot be copied without authorization.



CI Plus - Usage Rules Information (URI)
URI initial default value for host, e.g. after channel change:
protocol version = 0x01
emi_copy_control_info = 0b11 (Encryption Mode Indicator)
aps_copy_control_info = 0b00 (Analog copy Protection System)
ict_copy_control_info = 0b0 (Image Constraint Trigger/Token)
rct_copy_control_info = 0b0 (Redistribution Control Trigger)
rl_copy_control_info = 0b000000 (Retention Limit, default 90 min)
reserved bits = 0b0

URI Mapping Table (URI mapped to):
- Analog Output (MV, APS, CGMS, ICT)
- Digital Output (HDCP, DTCP, SPDIF)
- Digital Storage (AACS, CPRM, VCPS)

see e.g. Digital Transmission Content Protection, www.dtcp.com, Specification 2007-10, rev 1.51
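
The host default URI above, together with the URI version negotiation step from the protocols slide, as an added Python example that is not part of the original presentation and is not CI Plus LLP code. Field names, widths and default values come from the slide; the dictionary representation, the `HostUriState` class and the policy of returning to the default on a malformed message are assumptions.

```python
# Added illustration. Field widths are read off the slide's binary literals;
# the handling policy (reject and return to the default) is an assumption.
FIELD_BITS = {
    "emi_copy_control_info": 2,
    "aps_copy_control_info": 2,
    "ict_copy_control_info": 1,
    "rct_copy_control_info": 1,
    "rl_copy_control_info": 6,
}

def default_uri():
    """Initial host default from the slide, e.g. after channel change."""
    return {
        "protocol_version": 0x01,
        "emi_copy_control_info": 0b11,
        "aps_copy_control_info": 0b00,
        "ict_copy_control_info": 0b0,
        "rct_copy_control_info": 0b0,
        "rl_copy_control_info": 0b000000,
    }

def negotiate_uri_version(host_versions, cam_versions):
    """Highest URI version both sides support, or None if there is none."""
    common = set(host_versions) & set(cam_versions)
    return max(common) if common else None

def validate_uri(msg, negotiated_version):
    """Return a list of problems; an empty list means the message is usable."""
    problems = []
    if msg.get("protocol_version") != negotiated_version:
        problems.append("protocol_version does not match negotiated version")
    for name, bits in FIELD_BITS.items():
        value = msg.get(name)
        if not isinstance(value, int) or not 0 <= value < (1 << bits):
            problems.append(f"{name} missing or wider than {bits} bit(s)")
    return problems

class HostUriState:
    """Usage rules currently in force on the host (hypothetical model)."""
    def __init__(self, negotiated_version):
        self.negotiated_version = negotiated_version
        self.current = default_uri()

    def on_channel_change(self):
        self.current = default_uri()

    def on_uri_from_cam(self, msg):
        problems = validate_uri(msg, self.negotiated_version)
        # A malformed message is never applied; the slide's default is restored.
        self.current = dict(msg) if not problems else default_uri()
        return problems
```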



CI Plus - Mechanisms of Revocation

Host Service Shunning


Host shunning state determined from Service Descriptor Table (SDT)
Shunning active: Service can only be descrambled by CI+ Module
Shunning not active: Service can be descrambled by DVB-CI or CI+ Module
Host Revocation
Certificate Revocation List (CRL) transmitted to CICAM black-lists a host
Certificate White List (CWL) can revert a previous revocation of a host
Level of revocation granularity:
1. Unique host
2. Range of hosts
3. Certain model
4. Certain brand
Revocation by CAS
Possible, but out of CI Plus specification scope
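
The shunning rule and the CRL/CWL granularity levels above, modelled as an added Python example (not code from the presentation or from the CI Plus specification). The `Host` and `Entry` record fields and the rule that a CWL entry reverts a CRL entry only at equal or finer granularity are assumptions made for illustration.

```python
# Added illustration. Record layout and precedence rule are assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Host:
    brand: str
    model: str
    device_id: int

@dataclass(frozen=True)
class Entry:
    """One CRL or CWL entry at one of the slide's four granularity levels."""
    brand: str
    model: Optional[str] = None                 # None: certain brand
    id_range: Optional[Tuple[int, int]] = None  # inclusive; (n, n): unique host

    def specificity(self, host):
        """0 if host is not covered, else 1 (brand) up to 4 (unique host)."""
        if self.brand != host.brand:
            return 0
        if self.model is None:
            return 1
        if self.model != host.model:
            return 0
        if self.id_range is None:
            return 2
        lo, hi = self.id_range
        if not lo <= host.device_id <= hi:
            return 0
        return 4 if lo == hi else 3

def best_match(entries, host):
    """Finest granularity at which any entry in the list covers the host."""
    return max((e.specificity(host) for e in entries), default=0)

def host_revoked(host, crl, cwl):
    """Revoked if a CRL entry covers the host and no CWL entry of equal or
    finer granularity reverts it (assumed precedence)."""
    black = best_match(crl, host)
    return black > 0 and best_match(cwl, host) < black

def may_descramble(module_is_ci_plus, shunning_active):
    """Shunning rule from the slide: active shunning admits only a CI+ module."""
    return module_is_ci_plus or not shunning_active
```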



CI Plus - Additional Interactivity with Consumer
CI Plus Browser
Enables CI Plus modules to display graphics with menus, pictures, logos, ... in a common method on all CI Plus receivers/displays
Allows easy interaction with default remote control

Support of MHP CA API
Enables the broadcast MHP application to communicate with a CA Smartcard inside the CI Plus module

Country and Language Support
Enables CI Plus modules to use the same language in menus which is already defined by the user in the receiver settings.



CI Plus - LLP, Certificate Agent & Test Center
CI Plus LLP contact details:
CI Plus LLP, www.ci-plus.com,
Pannell House, Park Street, Guildford, Surrey GU1 4HN, UK
CI Plus LLP registered (no OC341596) in England & Wales

CI Plus LLP authorized Certificate Agent:


TC TrustCenter GmbH, www.trustcenter.de
Sonninstrasse 24-28, 20097 Hamburg, Germany
Tel/Fax: +49.40.808026-0/-126
Mail: ciplus@trustcenter.de

CI Plus LLP approved Test Facility:


Digital TV Labs Ltd., www.digitaltv-labs.com
Venturers House, King Street, Bristol, BS1 4PB, UK
Tel/Fax: +44.117.915-4018/-4088
Mail: info@digitaltv-labs.com



CI Plus - Documentation
Documents on www.ci-plus.com (www.ci-plus.com/index.php?page=download)
CI Plus Specification v1.3
- Detailed Specification for Receiver and Module with change notes 002, 005 & 007
Supplementary Specification v1.3
- Requirements for host revocation/shunning
Implementations Guidelines v1.0
Registration Application
- Application for test and registration of a device
CI Plus Logo Guidelines & Archive
Test Specification v1.0
- Definition of test- and registration process
Documents on www.trustcenter.de (www.trustcenter.de/solutions/consumer_electronics.htm)
On-Boarding Guideline
Interim License Agreement (ILA)
- Compliance and Robustness Rule...
Certificate Supply Agreement (CSA)
Forms: Identification, Administrator Authorization, Brand On-Boarding, Registration Application
Robustness Certification Checklist
CI Plus - License Agreement with Exhibits A-L
A: Device Type
B: Robustness Rules
C: Compliance Rules for Host Device
D: Compliance Rules for CICAM Device
E: URI Mapping Table
G: Robustness Rules Checklist
H: Confidentiality Agreement
I: Fee schedule
J: Registration Procedure
K: Change Procedure
L: Revocation Procedure
[Diagram labels: "Host Device", "CICAM Device", "Robustness Rules", "Compliance Rules", "Confidentiality Agreement"]



CI Plus - Implementation ...
[Flow chart of certification and licensing]
Parties shown: CI Plus LLP (Limited Liability Partnership); Manufacturer of CI Plus Module / Host; Test Partner; Trust Authority (TA); Certification Authority (CA); TC Trust Center
At Website: Public Specification, License Agreement and Test technology
Steps shown: Sign License Agreement; Receive License specs; New device; Robustness Checklist; Device Testing (incl. Compliance and Robustness); Test of Device; Device Testing Result; Device Registration or Self-Test-Registration (after registration of 2 different device types); Production Credentials; Order Certificates (keys); Deliver Certificates (keys)
Fees shown: 15,000 registration/yearly; 5,000/device type; 500/10.000 devices



CI Plus - Licensees
Publication
Licensees of CI Plus are published with homepage URL on website of TrustCenter
89 Licensees on 2011-10-10
- 29 Components Licensees
- 54 Hosts Licensees
- 6 Modules Licensees

www.trustcenter.de/consumer_electronics_licensees_host_module.htm
www.trustcenter.de/consumer_electronics_licensees_module.htm

www.trustcenter.de/consumer_electronics_licensees_host.htm



CI Plus - Summary
CI Plus is based on the DVB-CI standard and is downward compatible
Encrypted communication over the CI/CI+ interface
- Secure & authenticated channel for critical system messages
- Encrypted transmission of digital content from the CI+ module towards the host device
Implementation
- Licensing & administration of Certificates managed by independent Trust-Center
- Certification of end user devices & CI+ modules in a digital TV laboratory
Future proof with URI (Usage Rules Information) for UPnP, CPCM, CSA3, DTCP, DLNA, ...
[Diagram labels: "Internet", "LAN", "PVR", "STB"]



Document History
2009-07-06 Creation and first publication on www.ci-plus.com
2011-11-11 Specification v1.3, DVB resumption, SMiT membership, updated CIP contact detail,
licensee overview, reformatting to 16:9



Abbreviations
AACS Advanced Access Content System (aacsla.com)
AES Advanced Encryption Standard
API Application Programming Interface
CA Conditional Access
CAM Conditional Access Module (DVB-CI or CI Plus)
CAS Conditional Access System
CC Content Control
CDA Content Distributor Agreement (contract with CI Plus)
CE Consumer Electronics
CGMS Copy Generation Management System
CI Common Interface
CIP CI Plus LLP (ci-plus.com)
CIv1 DVB CI version 1.0 (dvb.org)
CI Plus Common Interface Plus (ci-plus.com)
CM Commercial Module (of DVB)
CPRM Content Protection for Recordable Media (4centity.com)
CRL Certificate Revocation List
CWL Certificate White List
CSA Certificate Supply Agreement
DES Data Encryption Standard
DLNA Digital Living Network Alliance (dlna.org)
DOT Digital Only Token
DVB Digital Video Broadcasting (dvb.org)
DRM Digital Rights Management
DTCP Digital Transmission Content Protection (dtcp.com)
DTVL Digital TV Labs (CI Plus) (digitaltv-labs.com)
EU Europe (europa.eu)
FFW Fast Forward (PVR function)
HDCP High-bandwidth Digital Content Protection
HDD Hard Disk Drive
HDMI High Definition Multimedia Interface (hdmi.org)
ICT Image Constraint Token
IDTV Integrated Digital tuner Television
ILA Interim License Agreement
LCD Liquid Crystal Display
LLP Limited Liability Partnership
MHP Multimedia Home Platform
MPAA Motion Picture Association of America (mpaa.org)
PCMCIA Personal Computer Memory Card International Association
PVR Personal Video Recorder
SAC Secure Authenticated Channel
SC Smart Card
SDT Service Descriptor Table
SOC Selectable Output Control
SMiT Shenzhen State Micro Technology Co. Ltd.
SPDIF Sony/Philips Digital Interconnect Format
STB Set Top Box
TA Trust Authority (e.g. TC for CI Plus)
TC TrustCenter GmbH (trustcenter.de)
TM Technical Module (of DVB)
TS Transport Stream
USB Universal Serial Bus
URI Usage Rules Information
VCPS Video Content Protection System
Version: 2011-11-11



Thank you for your interest
CI Plus LLP www.ci-plus.com
DVB www.dvb.org
TC TrustCenter GmbH www.trustcenter.de
Digital TV Labs Ltd. www.digitaltv-labs.com
