Rec. ITU-T J.1028 (07/2019) - Downloadable conditional access system for unidirectional networks – Terminal system
Summary
History
FOREWORD
Table of Contents
Introduction
1 Scope
2 References
     3.1 Terms defined elsewhere
     3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 Terminal system
     6.1 Terminal system architecture
     6.2 One-way DCAS APIs
     6.3 Terminal security chipset
          6.3.1 Terminal security chipset workflow
          6.3.2 Root key derivation module
          6.3.3 Key ladder
               6.3.3.1 The 3-level key mechanism
               6.3.3.2 Challenge response
          6.3.4 OTP area
     6.4 Hardware security module
          6.4.1 HSM architecture
          6.4.2 HSM activation
          6.4.3 Key ladder processing module
          6.4.4 Algorithm tools
          6.4.5 Secure storage
               6.4.5.1 Locked storage area
               6.4.5.2 Activating storage area
               6.4.5.3 CA storage area
          6.4.6 Secure authenticated channel (SAC)
     6.5 Security implementation mechanism (SIM)
          6.5.1 The SIM of a terminal security chipset
          6.5.2 The SIM of HSM
Annex A  Security mechanism of one-way DCAS client software downloading and bootloading
     A.1 Basic principles of chain of trust
     A.2 Bootup signature verification
     A.3 Downloading and replacing DCAS client software
     A.4 Key management
     A.5 Security requirements of the bootloader
     A.6 Performance requirements of bootloader and terminal security chipset
Annex B  One-way DCAS APIs
     B.1 Java APIs
          B.1.1 APIs type
               B.1.1.1 APIs for CAS manager
                    B.1.1.1.1 The upper layer APIs of terminal software platform
                    B.1.1.1.2 The bottom-layer APIs of terminal software platform
                    B.1.1.1.3 Extension application APIs
                    B.1.1.1.4 Detachable security device APIs
               B.1.1.2 Network APIs
               B.1.1.3 MPEG section filter APIs
               B.1.1.4 Non-volatile storage APIs
          B.1.2 APIs invoking sequence
          B.1.3 APIs description
          B.1.4 Package org.ngb.net.cas.module
               B.1.4.1 Interface org.ngb.net.cas.module.CASModule
                    B.1.4.1.1 Methods
                         B.1.4.1.1.1 startDescrambling
                         B.1.4.1.1.2 updateDescrambling
                         B.1.4.1.1.3 stopDescrambling
                         B.1.4.1.1.4 getCAInfo
                         B.1.4.1.1.5 setCAInfo
               B.1.4.2 Interface org.ngb.net.cas.module.CASDataUtils
                    B.1.4.2.1 Description
                    B.1.4.2.2 Methods
                         B.1.4.2.2.1 getCAInfo
                         B.1.4.2.2.2 setCAInfo
                         B.1.4.2.2.3 getData
                         B.1.4.2.2.4 setData
               B.1.4.3 Interface org.ngb.net.cas.module.CADescriptor
                    B.1.4.3.1 Description
                    B.1.4.3.2 Methods
                         B.1.4.3.2.1 getCASystemId
                         B.1.4.3.2.2 getPid
                         B.1.4.3.2.3 getPrivateData
               B.1.4.4 Interface org.ngb.net.cas.module.CAServiceComponentInfo
                    B.1.4.4.1 Description
                    B.1.4.4.2 Methods
                         B.1.4.4.2.1 getDescramblerContext
                         B.1.4.4.2.2 getCADescriptor
                         B.1.4.4.2.3 getComponentStreamPIDs
                         B.1.4.4.2.4 getComponentStreamTypes
                         B.1.4.4.2.5 getServiceIdentifiers
               B.1.4.5 Interface org.ngb.net.cas.module.CASPacketListener
                    B.1.4.5.1 Description
                    B.1.4.5.2 Methods
                         B.1.4.5.2.1 casPacketArrived
               B.1.4.6 Interface org.ngb.net.cas.module.CASSession
                    B.1.4.6.1 Description
                    B.1.4.6.2 Constants – Session Types
                         B.1.4.6.2.1 TYPE_PRESENTATION
                         B.1.4.6.2.2 TYPE_RECORDING
                         B.1.4.6.2.3 TYPE_BUFFERING
                    B.1.4.6.3 Methods
                         B.1.4.6.3.1 getType
                         B.1.4.6.3.2 getNetworkInterface
                         B.1.4.6.3.3 getAssociatedService
                         B.1.4.6.3.4 getServiceContext
               B.1.4.7 Interface org.ngb.net.cas.module.CAStatus
                    B.1.4.7.1 Description
                    B.1.4.7.2 Methods
                         B.1.4.7.2.1 isSuccess
                         B.1.4.7.2.2 getCAToken
               B.1.4.8 Interface org.ngb.net.cas.module.CATListener
                    B.1.4.8.1 Methods
                         B.1.4.8.1.1 catUpdate
               B.1.4.9 Interface org.ngb.net.cas.module.CATNotifier
                    B.1.4.9.1 Description
                    B.1.4.9.2 Methods
                         B.1.4.9.2.1 registerCATListener
                         B.1.4.9.2.2 unregisterCATListener
               B.1.4.10 Class org.ngb.net.cas.module.CASModuleManager
                    B.1.4.10.1 Description
                    B.1.4.10.2 Methods
                         B.1.4.10.2.1 getInstance
                         B.1.4.10.2.2 registerCASmodule
                         B.1.4.10.2.3 updateCASystemId
                         B.1.4.10.2.4 sendDescramblingEvent
                         B.1.4.10.2.5 unregisterCASModule
                         B.1.4.10.2.6 getChipControllers
                         B.1.4.10.2.7 setCurrentController
                         B.1.4.10.2.8 setCCIBits
                         B.1.4.10.2.9 setServiceListFilter
                         B.1.4.10.2.10 registerCASPacketListener
                         B.1.4.10.2.11 unregisterCASPacketListener
                         B.1.4.10.2.12 getDetachableSecurityDevices
                         B.1.4.10.2.13 receiveOsdMsg
                         B.1.4.10.2.14 showFingerMsg
                         B.1.4.10.2.15 receiveTuningAlert
                         B.1.4.10.2.16 getCATNotifier
               B.1.4.11 Class org.ngb.net.cas.module.CASPermission
                    B.1.4.11.1 Description
                    B.1.4.11.2 Methods
                         B.1.4.11.2.1 CASPermission
                         B.1.4.11.2.2 CASPermission
          B.1.5 Package org.ngb.net.cas.controller
               B.1.5.1 Interface org.ngb.net.cas.controller.DescramblerContext
                    B.1.5.1.1 Description
                    B.1.5.1.2 Methods
                         B.1.5.1.2.1 loadCW
                         B.1.5.1.2.2 overrideChipController
               B.1.5.2 Interface org.ngb.net.cas.controller.Chipcontroller
                    B.1.5.2.1 Description
                    B.1.5.2.2 Constants
                         B.1.5.2.2.1 SCHEME_TDES
                         B.1.5.2.2.2 SCHEME_AES
                         B.1.5.2.2.3 PROCESSING_MODE_REGULAR
                         B.1.5.2.2.4 PROCESSING_MODE_POST_PROCESSING
                    B.1.5.2.3 Methods
                         B.1.5.2.3.1 getPublicId
                         B.1.5.2.3.2 getChipType
                         B.1.5.2.3.3 getChipControllerProperty
                         B.1.5.2.3.4 authenticate
                         B.1.5.2.3.5 encryptData
                         B.1.5.2.3.6 decryptData
               B.1.5.3 Class org.ngb.net.cas.controller.Key
                    B.1.5.3.1 Description
                    B.1.5.3.2 Methods
                         B.1.5.3.2.1 Key
                         B.1.5.3.2.2 getKeyValue
                         B.1.5.3.2.3 isEncrypted
               B.1.5.4 Class org.ngb.net.cas.controller.CWKey
                    B.1.5.4.1 Description
                    B.1.5.4.2 Constant
                         B.1.5.4.2.1 PARITY_EVEN
                         B.1.5.4.2.2 PARITY_ODD
                    B.1.5.4.3 Methods
                         B.1.5.4.3.1 CWKey
                         B.1.5.4.3.2 getParity
               B.1.5.5 Class org.ngb.net.cas.controller.CASTEEManager
                    B.1.5.5.1 Description
                    B.1.5.5.2 Methods
                         B.1.5.5.2.1 sendCommandToTEE
          B.1.6 Package org.ngb.net.cas.event
               B.1.6.1 Interface org.ngb.net.cas.event.CASEventListener
                    B.1.6.1.1 Description
                    B.1.6.1.2 Methods
                         B.1.6.1.2.1 receiveCASEvent
                         B.1.6.1.2.2 receiveCASOSDEvent
                         B.1.6.1.2.3 receiveCASFingerEvent
               B.1.6.2 Interface org.ngb.net.cas.event.CASAppInfo
                    B.1.6.2.1 Description
                    B.1.6.2.2 Methods
                         B.1.6.2.2.1 getAID
                         B.1.6.2.2.2 getOID
               B.1.6.3 Interface org.ngb.net.cas.event.CASEventInfo
                    B.1.6.3.1 Description
                    B.1.6.3.2 Constant
                         B.1.6.3.2.1 TYPE_PRESENTATION
                         B.1.6.3.2.2 TYPE_RECORDING
                         B.1.6.3.2.3 TYPE_BUFFERING
                    B.1.6.3.3 Methods
                         B.1.6.3.3.1 getType
                         B.1.6.3.3.2 getNetworkInterface
                         B.1.6.3.3.3 getAssociatedService
                         B.1.6.3.3.4 getServiceContext
               B.1.6.4 Class org.ngb.net.cas.event.CASEventManager
                    B.1.6.4.1 Description
                    B.1.6.4.2 Methods
                         B.1.6.4.2.1 getInstance
                         B.1.6.4.2.2 addListener
                         B.1.6.4.2.3 removeListener
          B.1.7 Package org.ngb.net.cas.detachable
               B.1.7.1 Interface DetachableSecurityDevice
                    B.1.7.1.1 Description
                    B.1.7.1.2 Methods
                         B.1.7.1.2.1 open
                         B.1.7.1.2.2 close
                         B.1.7.1.2.3 reset
                         B.1.7.1.2.4 sendData
                         B.1.7.1.2.5 registerListener
                         B.1.7.1.2.6 removeListener
               B.1.7.2 Interface DetachableSecurityDeviceListener
                    B.1.7.2.1 Description
                    B.1.7.2.2 Fields
                         B.1.7.2.2.1 DEVICE_IN
                         B.1.7.2.2.2 DEVICE_OUT
                         B.1.7.2.2.3 DEVICE_ERROR
                    B.1.7.2.3 Methods
                         B.1.7.2.3.1 receiveDeviceStatus
                         B.1.7.2.3.2 receiveData
     B.2 Javascript APIs
          B.2.1 Overview
          B.2.2 APIs calling sequence
          B.2.3 Class JSDCAS.CASDescriptor
               B.2.3.1 getCasId
               B.2.3.2 getPid
               B.2.3.3 getPrivateData
          B.2.4 Class JSDCAS.CASEcmEvent
               B.2.4.1 getEcmData
               B.2.4.2 getError
               B.2.4.3 getTableId
               B.2.4.4 isTimeout
          B.2.5 Class JSDCAS.CASEmmEvent
               B.2.5.1 getEmmData
               B.2.5.2 getError
               B.2.5.3 getTableId
               B.2.5.4 isCatUpdateNotification
          B.2.6 Class JSDCAS.CASFilter
               B.2.6.1 getBitmapMask
               B.2.6.2 getBitmapValue
               B.2.6.3 getOffset
          B.2.7 Class JSDCAS.CASM
               B.2.7.1 getCASModuleManager
               B.2.7.2 getTeeController
          B.2.8 Class JSDCAS.CASModule
               B.2.8.1 getCasId
               B.2.8.2 onCasPacketEvent
               B.2.8.3 onEcmEvent
               B.2.8.4 onInbandEmmEvent
               B.2.8.5 onStartDescrambling
               B.2.8.6 onStopDescrambling
          B.2.9 Class JSDCAS.CASModuleManager
               B.2.9.1 Enums
               B.2.9.2 Methods
                    B.2.9.2.1 disableDescramblingRequests
                    B.2.9.2.2 enableDescramblingRequests
                    B.2.9.2.3 fetchDataFromCasHeadend
                    B.2.9.2.4 registerCASModule
                    B.2.9.2.5 removeCASModule
                    B.2.9.2.6 sendCommandToSTB
                    B.2.9.2.7 sendDataToHeadend
                    B.2.9.2.8 sendDescramblingEvent
                    B.2.9.2.9 sendFreeTextOSD
                    B.2.9.2.10 setCCIBits
                    B.2.9.2.11 setData
                    B.2.9.2.12 setPinCode
                    B.2.9.2.13 setServiceListFilter
                    B.2.9.2.14 startCasPacketLoading
                    B.2.9.2.15 startEcmLoading
                    B.2.9.2.16 startInbandEmmLoading
                    B.2.9.2.17 stopCasPacketLoading
                    B.2.9.2.18 stopEcmLoading
                    B.2.9.2.19 stopInbandEmmLoading
          B.2.10 Class JSDCAS.CASPacketEvent
               B.2.10.1 getCableModemFilter
               B.2.10.2 getPacketData
               B.2.10.3 getPacketHeader
               B.2.10.4 getSourceURL
          B.2.11 Class JSDCAS.CASSession
               B.2.11.1 GetCasDescriptor
               B.2.11.2 getChannelNumber
               B.2.11.3 getNetworkId
               B.2.11.4 getOperationType
               B.2.11.5 getProgramNumber
               B.2.11.6 getServiceIdentifier
               B.2.11.7 getSessionId
               B.2.11.8 getStreamPath
               B.2.11.9 getStreamPIDs
               B.2.11.10 getStreamTypes
               B.2.11.11 getTransmitterScrambingMode
               B.2.11.12 getTransportStreamId
               B.2.11.13 getTunerId
          B.2.12 Class JSDCAS.CASStatus
               B.2.12.1 Status Value List
               B.2.12.2 Methods
                    B.2.12.2.1 getCasToken
                    B.2.12.2.2 getMajorContentProblem
                    B.2.12.2.3 getStatusData
                    B.2.12.2.4 isSuccess
          B.2.13 Class JSDCAS.TeeController
               B.2.13.1 Methods
                    B.2.13.1.1 sendCommandToTEE
          B.2.14 Class JSDCAS.TeeRetVal
               B.2.14.1 Returned Value List
               B.2.14.2 Method
                    B.2.14.2.1 getOriginCode
                    B.2.14.2.2 getResponseData
                    B.2.14.2.3 getReturnCode
     B.3 HSM driver APIs
          B.3.1 Data types and structures
               B.3.1.1 Basic data types
               B.3.1.2 Enums returned
          B.3.2 APIs definitions
               B.3.2.1 TEE_HSM_GetSoftwareVersion
               B.3.2.2 TEE_HSM_GetHsmGeneralInfo
               B.3.2.3 TEE_HSM_GetHsmDiagnosticInfo
               B.3.2.4 TEE_HSM_GetHsmCapabilities
               B.3.2.5 TEE_HSM_GetHsmLastTimeStamp
               B.3.2.6 TEE_HSM_GetHsmActivationInfo
               B.3.2.7 TEE_HSM_GenerateActivationRequest
               B.3.2.8 TEE_HSM_SetMessage
               B.3.2.9 TEE_HSM_OpenSac
               B.3.2.10 TEE_HSM_Read
               B.3.2.11 TEE_HSM_Write
               B.3.2.12 TEE_HSM_ReadPositionParameters
               B.3.2.13 TEE_HSM_ReadPublicSecureStorage
               B.3.2.14 TEE_HSM_WritePublicSecureStorage
               B.3.2.15 TEE_HSM_ChangeCwEncryptionScheme
               B.3.2.16 TEE_HSM_GenerateCW
               B.3.2.17 TEE_HSM_CloseSac
     B.4 Positioning module APIs (Beidou)
          B.4.1 Data types and structures
               B.4.1.1 Basic data types
               B.4.1.2 Enums returned
          B.4.2 APIs definitions
               B.4.2.1 TEE_Beidou_GetSoftwareVersion
               B.4.2.2 TEE_Beidou_GetPositionParameters
               B.4.2.3 TEE_Beidou_GetSignalParameters
               B.4.2.4 TEE_Beidou_CalculateDistance
     B.5 Other GP extension APIs
          B.5.1 Cryptography and signature verification APIs
               B.5.1.1 Data types and structures
                    B.5.1.1.1 Basic data types
                    B.5.1.1.2 Enums returned
               B.5.1.2 APIs definitions
                    B.5.1.2.1 TEE_SM2_Verify
                    B.5.1.2.2 TEE_Perform_SM3
                    B.5.1.2.3 TEE_SM2_Encrypt
                    B.5.1.2.4 TEE_Perform_CRC
                    B.5.1.2.5 TEE_GenerateRandom
                    B.5.1.2.6 TEE_SM4_Encrypt
                    B.5.1.2.7 TEE_SM4_Decrypt
          B.5.2 Memory Management APIs
               B.5.2.1 Data Types and Structures
                    B.5.2.1.1 Basic Data Types
                    B.5.2.1.2 Enums returned
               B.5.2.2 APIs definitions
                    B.5.2.2.1 TEE_MemFill
                    B.5.2.2.2 TEE_MemMove
          B.5.3 Miscellaneous APIs
               B.5.3.1 Data Types and Structures
                    B.5.3.1.1 Basic data types
                    B.5.3.1.2 Enums returned
               B.5.3.2 APIs definitions
                    B.5.3.2.1 TEE_Printf_Func
     B.6 Security Chipset Key Ladder Driver APIs
          B.6.1 Data types and structures
               B.6.1.1 Basic data types
               B.6.1.2 Enums returned
          B.6.2 APIs definitions
               B.6.2.1 TEE_KLAD_Init
               B.6.2.2 TEE_KLAD_Delnit
               B.6.2.3 TEE_KLAD_GetChipId
               B.6.2.4 TEE_KLAD_GetResponseToChallenge
               B.6.2.5 TEE_KLAD_SetDescrambler
               B.6.2.6 TEE_KLAD_StopDescrambler
Annex C  HSM functional specification
     C.1 Overview
     C.2 HSM basic functionalities
          C.2.1 Activation
          C.2.2 Secure authenticated channel
          C.2.3 CA secure storage
          C.2.4 Key ladder process
          C.2.5 Dependencies on SAC and activation
     C.3 Typical activation flow
          C.3.1 General overview
          C.3.2 Get Software Version
          C.3.3 Get Public Data
          C.3.4 Generate Activation Request Message
          C.3.5 Set Primary Activation Message
          C.3.6 Re-activate and deactivate
          C.3.7 Auxiliary Data Message
          C.3.8 Read Activation Data
          C.3.9 Read Location Data
          C.3.10 Read Last Valid Timestamp
          C.3.11 Deactivation Message
     C.4 Secure authenticated channel (SAC)
          C.4.1 Overview
          C.4.2 Handshake
          C.4.3 Communication
     C.5 Message formats
          C.5.1 Activation Request Message
          C.5.2 Primary Activation Message
          C.5.3 Auxiliary Data Message
          C.5.4 Deactivation Message
     C.6 Certificate formats
Bibliography