Professional Documents
Culture Documents
Analysis of The Nagravision Video Scrambling Method: Markus G. Kuhn 23 August 1998
Analysis of The Nagravision Video Scrambling Method: Markus G. Kuhn 23 August 1998
23 August 1998
Abstract
The Kudelski Nagravision pay-TV conditional access system can
be practically broken by image processing algorithms that rearrange
the lines of a eld based on statistical properties of typical TV images.
With some knowledge about the limitations of the scrambling hard-
ware one can reconstruct the scrambled TV image in real-time without
knowledge of the cryptographic secret stored in the subscriber smart-
card.
Draft Technical Report $Id: nagra.tex,v 1.11 2000-10-11 11:40:53+01 mgk25 Exp $
1 Introduction
Pay-TV broadcasters employ conditional access systems to ensure that only
TV viewers who have payed a subscription fee and who have in return
received a decoder box can watch the TV channel. The Nagravision [1]
conditional access system for PAL television developed by Kudelski SA,
Cheseaux, Switzerland, is used for instance by the pay-TV broadcasters
Premiere (Germany), Teleclub (Switzerland), Canal+ (France, Spain), and
Cinemania (Spain). Like with other hybrid video scrambling systems such as
EuroCrypt [2, 3] or VideoCrypt [4], Nagravision sends a digitally encrypted
control word over the radio interface to the decoder in order to control the
descrambling of an analog TV signal. The control word is decrypted in a
(i) =
(r
+t
i) mod 256 there exists exactly one pair of numbers a and b such that
u(a + bi) = u
r)t
1
and b = t
t
1
do
the job, because u(a + bi) = (r + t(a + bi)) mod 256 = (r + t((r
r)t
1
+
t
t
1
i)) mod 256 = (r + (r
r) +t
i) mod 256 = (r
+t
i) mod 256 = u
(i).
Equivalent transformations are possible in the set V
S
of functions v. However,
there could exist more than one pair of numbers a and b such that v(a+bi) =
v
V
S
. This can happen with certain
pathological substitution tables S. For instance, if S(i) = 0 for all i, then
any pair (a, b) will result in v(a +bi) = v
,y
, the average absolute dierence E(|C
x,y
C
x
,y
|) is smaller
or alternatively the normalized correlation E(C
x,y
C
x
,y
)/
E(C
2
x,y
)E(C
2
x
,y
)
is larger if the two pixels are direct neighbors than if they are many lines
apart. The permuted lines can be sorted back into an arrangement close to
their original order just by rearranging them in a way that maximizes the
similarity (correlation) between neighbor lines.
M. Kuhn: Analysis of the Nagravision Video Scrambling Method 6
3.1 Reconstructing the Permutation
Let C
x,y
be the luminosity or even the whole three-dimensional color vector of
the pixel (x,y) in the scrambled eld, where as before negative line numbers
refer to pixels in the preceding eld. Then the matrix K IR
288288
shall be
the correlation matrix for a eld, dened as
K
i,j
=
k
C
k,i33
C
k,j33
k
|C
k,i33
|
2
k
|C
k,j33
|
2
.
K
i,j
is a measure for the similarity of lines i 33 and j 33. Obviously
K
i,j
= K
j,i
and K
i,i
= 1, therefore we only have to determine K
i,j
for all
1 i < j 288. Exchanging two lines i 33 and j 33 in the image
C corresponds in K to swapping the contents of the lines i and j, plus
swapping the columns i and j. The goal of rearranging the lines of C to form
the original image corresponds to permuting lines and columns in K to bring
the largest values as close as possible to the diagonal, so that we maximize
the value of a prot function such as
G(K) =
287
i=1
K
i,i+1
.
This corresponds to nding the permutation matrix P that maximizes the
value G(PKP
T
). P relates to the permutation p that we want to reconstruct
by P
p(i)+33,i
= 1 for all i and all other P
i,j
are zero.
In an alternative formulation of the same problem, we look at an undirected
graph G
K
with nodes N
i
(32 i 254), of which each corresponds to
a eld line i in the scrambled image. The edge connecting N
i
and N
j
in
this graph has the value K
i+33,j+33
for all i and j. We then look for a
Hamiltonian path (i.e., a path that visits all nodes exactly once) of the form
N
p(0)
, . . . , N
p(287)
, that fulls the previously stated conditions for p and whose
sum of edge labels is maximal. Finding such a path is a variant of the
Traveling Salesman Problem [10, 11], which unfortunately is known to be NP-
complete, although there exist a number of useful approximation algorithms.
3.2 Reconstructing the Substitution Table
One possible way of determining S is to reverse engineer a Nagravision de-
coder and read the entire table out of its non-volatile memory. Since this
procedure might be illegal in some regions, alternative approaches might be
M. Kuhn: Analysis of the Nagravision Video Scrambling Method 7
attempted. A logic analyzer can be used to just observe the sequence of
accesses to the line buers B
i
, which results in a large recorded collection of
functions v V
S
.
If we assume that opening the decoder is also not acceptable for legal reasons,
we can use a PC video adapter to perform a chosen cipher image attack in
which we send to the decoder a test image that contains genuine encrypted
control word information in the vertical blank interval and that uses a redun-
dant binary code to mark every line with its eld line number. We record the
descrambled test image and by reading the sequence of line number markers
in there, we get the permutation p. If no access to a Nagravision decoder
at all is allowed or possible, we can also attempt to use one of the Traveling
Salesman approximation algorithms to determine samples of p from the cor-
relation matrix of scrambled TV images alone as described in the previous
section.
In both cases, we have to transform the observed permutations p into buer
access functions v before we can extract S. This can be accomplished with
the following simple algorithm, provided that the given p is error-free: We
set b
i
:= i 32 for all 0 i 31. Then for each line 0 j 254 that the
decoder outputs, we nd the i for which b
i
= p(j) and we set both v(j) := i
and b
i
:= j. As a nal check, we verify that after these 255 steps we have
b
i
= p(255 +i) for all 0 i 31.
In this way, we collect a number of members of V
S
. Any of these reconstructed
functions v(i) = S((r + ti) mod 256) for 0 i 254 shows all values of S
except for one, but permuted by unknown parameters r and t. We just pick
one v and chose our reconstructed table
S such that
S(i) := v(i) for all
0 i 254. We then reconstruct another buer access function v
and
search for parameters a and b such that v
i=1
|C
x
i
,p(y
i
)
C
x
i
,p(y
i
+1)
|
is minimal. The (p(y
i
), p(y
i
+ 1)) pairs are precalculated for all 2
15
(r, t)
pairs for increased eciency. Once this (r, t) pair has been identied, the
corresponding permutation function is used to rearrange all lines in realtime.
A potentially much more ecient approach could be a binary subdivision
search instead of a linear search over all 2
15
possible (r, t) tuples. To im-
plement this, we need a preparatory phase in which for a given substitution
table S we build a binary decision tree. Each node in this decision tree lists
a number of test pixel coordinates (x
i
, y
i
) and we branch to the left or the
right subtree depending on whether H for these test pixels is above or below
a threshold. Each leave of this tree is labeled with the (r, t) tuple that shall
be used as the most likely candidate. A carefully built decision tree should
be roughly balanced such that the maximum depth is not much over 15.
3.3.2 Using the SECAM Color Carrier
For Nagravision scrambled SECAM signals, there exists a simple alternative
to looking at pixel luminosity correlations. In SECAM, color is encoded on a
frequency modulated carrier in form of the two dierence signals RY (red
minus luminance) and B Y (blue minus luminance) [8, 9]. The modulated
R Y and B Y signals are added on alternating lines, where R Y uses
M. Kuhn: Analysis of the Nagravision Video Scrambling Method 9
a 4.406 MHz = 282 15.625 kHz carrier and BY uses a 4.250 MHz = 272
15.625 kHz carrier to allow the TV receiver to synchronize its color decoder.
The unmodulated color carrier signal is present on the front and back porch
in the horizontal blanking interval and since it is permuted together with the
active line, it is easy to see whether a scrambled line is in the descrambled eld
an odd or even numbered line. The sequence of 4.406 MHz and 4.250 MHz
color carrier frequencies in the back porch of a scrambled SECAM signal is
characteristic for the (r, t) pair that has been used to scramble this eld.
A pirate decoder only has to form a bit string representing the sequence of
carrier frequencies found in the back porches of the lines 255286 and use
this bit string as the key in a hash-table lookup to access the (r, t) pair
that descrambles this sequence correctly into one with alternating carrier
frequencies. This (r, t) pair is then used to descramble the remaining eld
correctly.
Commercial hardware implementations of this attack became available in
France around 1995 [13]. As a counter measure, the broadcaster Canal+
uploaded a new substitution table S that ensures that the sequence of the
color carrier frequencies is always alternating and therefore does not leak
information about the (r, t) pair. An improved version of the attack looks
not only at the frequency but also at the phase of the color carrier in the back
porch. The SECAM color carrier is phase shifted by 180