10,996 research outputs found

    A cooperative cellular and broadcast conditional access system for Pay-TV systems

    This is the author's accepted manuscript. The final published article is available from the link below. Copyright @ 2009 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other users, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works. The lack of interoperability between Pay-TV service providers and a horizontally integrated business transaction model have compromised the competition in the Pay-TV market. In addition, the lack of interactivity with customers has resulted in high churn rate and improper security measures have contributed into considerable business loss. These issues are the main cause of high operational costs and subscription fees in the Pay-TV systems. As a result, this paper presents the Mobile Conditional Access System (MICAS) as an end-to-end access control solution for Pay-TV systems. It incorporates the mobile and broadcasting systems and provides a platform whereby service providers can effectively interact with their customers, personalize their services and adopt appropriate security measurements. This would result in the decrease of operating expenses and increase of customers' satisfaction in the system. The paper provides an overview of state-of-the-art conditional access solutions followed by detailed description of design, reference model implementation and analysis of possible MICAS security architectures. Strategy & Technology (S&T) Lt

    The system architecture of the Pocket Companion

    In the Moby Dick project we design the architecture of a so-called Pocket Companion. It is a small personal portable computer with wireless communication facilities for everyday use. The typical use of the Pocket Companion induces a number of requirements concerning security, performance, energy consumption, communication and size. We have shown that these requirements are interrelated and can only be met optimally with one single architecture. The Pocket Companion architecture consists of a central switch with a security module surrounded by several modules. The Pocket Companion is a personal machine. Communication, and particularly wireless communication, is essential for the system to support electronic transactions. Such a system requires a good security infrastructure not only for safeguarding personal data, but also to allow safe (financial) transactions. The integration of a security module in the Pocket Companion architecture provides the basis for a secure environment. Because battery life is limited and battery weight is an important factor for the size and the weight of the Pocket Companion, energy consumption plays a crucial role in the architecture. An important theme of the architecture is: enough performance for minimal energy consumption

    Mobile Identity, Credential, and Access Management Framework

    Organizations today gather unprecedented quantities of data from their operations. This data is coming from transactions made by a person or from a connected system/application. From personal devices to industry including government, the internet has become the primary means of modern communication, further increasing the need for a method to track and secure these devices. Protecting the integrity of connected devices collecting data is critical to ensure the trustworthiness of the system. An organization must not only know the identity of the users on their networks and have the capability of tracing the actions performed by a user but they must trust the system providing them with this knowledge. This increase in the pace of usage of personal devices along with a lack of trust in the internet has driven demand for trusted digital identities. As the world becomes increasingly mobile with the number of smart phone users growing annually and the mobile web flourishing, it is critical to implement strong security on mobile devices. To manage the vast number of devices and feel confident that a machine’s identity is verifiable, companies need to deploy digital credentialing systems with a strong root of trust. As passwords are not a secure method of authentication, mobile devices and other forms of IoT require a means of two-factor authentication that meets NIST standards. Traditionally, this has been done with Public Key Infrastructure (PKI) through the use of a smart card. Blockchain technologies combined with PKI can be utilized in such a way as to provide an identity and access management solution for the internet of things (IoT). Improvements to the security of Radio Frequency Identification (RFID) technology and various implementations of blockchain make viable options for managing the identity and access of IoT devices. 
When PKI first began over two decades ago, it required the use of a smart card with a set of credentials known as the personal identity verification (PIV) card. The PIV card (something you have) along with a personal identification number (PIN) (something you know) were used to implement two-factor authentication. Over time the use of the PIV cards has proven challenging as mobile devices lack the integrated smart card readers found in laptop and desktop computers. Near Field Communication (NFC) capability in most smart phones and mobile devices provides a mechanism to allow a PIV card to be read by a mobile device. In addition, the existing PKI system must be updated to meet the demands of a mobile focused internet. Blockchain technology is the key to modernizing PKI. Together, blockchain-based PKI and NFC will provide an IoT solution that will allow industry, government, and individuals a foundation of trust in the world wide web that is lacking today

    Automatic configuration of IoT device data connections in cellular networks (IoT-laitteiden datayhteyden automaattinen määrittely matkapuhelinverkoissa)

    Cellular networks have existed for almost forty years. During the course of their history, they have transformed from wireless voice communication providers to wireless network providers. Nowadays mobile broadband data forms the bulk of the cellular data transfer which was a staggering 14 exabytes per month in year 2017, or 2.9 gigabytes per smartphone per month. The Internet of Things is changing this connectivity landscape by introducing devices in the millions but with scarce individual resources and data usage. However, there are some challenges related to cellular data connections in constrained IoT devices. This thesis identifies those challenges and proposes solutions to overcome them for enabling simpler cellular data connectivity. We first present the technical challenges and solutions found in today’s cellular IoT devices. We then present a proof of concept prototype that realizes automatic cellular connectivity in a very constrained IoT device. The prototype is capable of connecting to a management system and reporting sensor readings without requiring any user interaction. Besides recognizing important improvements in the next generation of cellular IoT technology, the thesis concludes with suggestions on how to improve the usability of programming interfaces for cellular connectivity. During their nearly forty-year history, cellular networks have changed from carriers of voice into wireless data networks. Today wireless broadband makes up a large share of the data transferred in cellular networks, which amounted to 14 exabytes per month in 2017. The Internet of Things brings millions of devices onto the network, each with only a small individual need for data transfer. Using a cellular data connection is not without problems in constrained Internet of Things devices, however. This master's thesis identifies and classifies these technical challenges and proposes solutions to them.
We present a prototype that implements automatic creation of a cellular data connection in a constrained device. The prototype connects to a management system and reports measurement data without requiring any action from the user. As its conclusion, this thesis proposes improvements to the programming interfaces for cellular data connections in the devices that use them. We also found important improvements that have already been made in the specification of the next-generation cellular network

    Implementing electronic identity with TPM 2.0 hardware (Sähköisen identiteetin toteuttaminen TPM 2.0 -laitteistolla)

    Most of the financial, healthcare, and governmental services are available on the Internet, where traditional identification methods used in face-to-face identification are not possible. Identification with username and password is a mediocre solution and therefore some services require strong authentication. Finland has three approved strong authentication methods: smart cards, bank credentials, and mobile ID. Out of the three authentication methods, only the government-issued smart card is available to everyone whom the police can identify reliably. Bank credentials require identification with an identity document from Finland or another European Economic Area (EEA) country. Mobile ID explicitly requires identification with a Finnish identity document. The problems with smart cards are the requirement for a reader, slow functioning, and the requirement for a custom driver. A TPM could function as a replacement for a smart card with an accompanying software library. In this thesis, I created a PKCS #11 software library that allows a TPM to be used for browser-based authentication according to a draft specification by the Finnish population registry. The keys used for authentication are created, stored and used securely inside the TPM. TPMs are deemed a viable replacement for smart cards. The implemented system is faster to use than smart cards and has similar security properties as smart cards have. The created library contains implementations for 30% of all TPM 2.0 functions and could be used as a base for further TPM 2.0 based software. Banking, healthcare and public services are to a large extent available over the internet. Identification with a username and password does not guarantee sufficient reliability, so some services must use strong authentication. Finland currently has three strong authentication methods in use: the online banking credentials used by banks, the citizen certificate of the Population Register Centre (Väestörekisterikeskus), and the mobile certificates of telecom operators.
Of these three, the citizen certificate is the only one that does not require a customer relationship and is therefore available to everyone whom the police can reliably identify. Online banking credentials require identification with an identity document issued by Finland or a European Economic Area (EEA) state. A mobile certificate is granted only to a person who can be identified with a Finnish identity document. The citizen certificate is, however, a smart card with all the problems of a smart card: using it requires a separate reader, it is slow, and it requires a separate device driver. The aim of this work is to create a solution with which smart-card-based authentication can be implemented using the TPM chip present in computers. In this master's thesis a software library conforming to the PKCS #11 interface was created, which enables a TPM chip to be used for authentication in the browser according to a draft specification drawn up by the Population Register Centre. The authentication keys are created, stored and used in the TPM, which ensures the confidentiality of the keys. It was found that the functionality of a smart card can be implemented with a TPM chip. The implemented system is faster to use than a smart card and provides a level of security equivalent to smart cards. The library produced as a result of the work implements 30% of all TPM 2.0 software interfaces, and the library can be used as part of future TPM 2.0 software

    Cooperating broadcast and cellular conditional access system for digital television

    This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University. The lack of interoperability between Pay‐TV service providers and a horizontally integrated business transaction model have compromised the competition in the Pay‐TV market. In addition, the lack of interactivity with customers has resulted in high churn rate and improper security measures have contributed into considerable business loss. These issues are the main cause of high operational costs and subscription fees in the Pay‐TV systems. This paper presents a novel end‐to‐end system architecture for Pay‐TV systems cooperating mobile and broadcasting technologies. It provides a cost‐effective, scalable, dynamic and secure access control mechanism supporting converged services and new business opportunities in Pay‐TV systems. It enhances interactivity, security and potentially reduces customer attrition and operational cost. In this platform, service providers can effectively interact with their customers, personalise their services and adopt appropriate security measures. It breaks up the rigid relationship between a viewer and set‐top box as imposed by traditional conditional access systems, thus, a viewer can fully enjoy his entitlements via an arbitrary set‐top box. Having thoroughly considered state‐of‐the‐art technologies currently being used across the world, the thesis highlights novel use cases and presents the full design and implementation aspects of the system. The design section is enriched by providing possible security structures supported thereby. A business collaboration structure is proposed, followed by a reference model for implementing the system. Finally, the security architectures are analysed to propose the best architecture on the basis of security, complexity and set‐top box production cost criteria

    A new coupling solution for G3-PLC employment in MV smart grids

    This paper proposes a new coupling solution for transmitting narrowband multicarrier power line communication (PLC) signals over medium voltage (MV) power lines. The proposed system is based on an innovative PLC coupling principle, patented by the authors, which exploits the capacitive divider embedded in voltage detecting systems (VDS) already installed inside the MV switchboard. Thus, no dedicated couplers have to be installed and no switchboard modifications or energy interruptions are needed. This allows a significant cost reduction of MV PLC implementation. A first prototype of the proposed coupling system was presented in previous papers: it had a 15 kHz bandwidth useful to couple single carrier PSK modulated PLC signals with a center frequency from 50–200 kHz. In this paper, a new prototype is developed with a larger bandwidth, up to 164 kHz, thus allowing to couple multicarrier G3-PLC signals using orthogonal frequency division multiplexing (OFDM) digital modulation. This modulation ensures a more robust communication even in harsh power line channels. In the paper, the new coupling system design is described in detail. A new procedure is presented for tuning the coupling system parameters at first installation in a generic MV switchboard. Finally, laboratory and in-field experimental test results are reported and discussed. The coupling performances are evaluated measuring the throughput and success rate in the case of both 18 and 36 subcarriers, in one of the different tone masks standardized for the FCC-above CENELEC band (that is, from 154.6875–487.5 kHz). The experimental results show an efficient behavior of the proposed coupler allowing a two-way communication of G3-PLC OFDM signals on MV networks