Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!mnetor!seismo!lll-crg!ames!scubed!guest From: guest@scubed.UUCP (Guest Account) Newsgroups: sci.crypt Subject: Re: VC-II key distribution (was - This is *stupid*) Message-ID: <165@scubed.UUCP> Date: Fri, 5-Dec-86 03:33:36 EST Article-I.D.: scubed.165 Posted: Fri Dec 5 03:33:36 1986 Date-Received: Fri, 5-Dec-86 06:27:24 EST References: <12246@watnot.UUCP> <4725@yale-celray.yale.UUCP> <7277@gatech.EDU> Reply-To: guest@scubed.UUCP (Guest Account) Distribution: net Organization: S-Cubed, San Diego California Lines: 57 Keywords: VC-II, DES, NSA In article <7277@gatech.EDU> jeff@gatech.UUCP (Jeff Lee) writes: >Does anyone know where the key information is placed in the VC-II encryption >scheme? It seems to me that if the information were stored in the horizontal >or vertical retrace that you could build a box that you could switch out, have >your favorite channel turned on, and then switch it back in and have it strip >out anything extra once it detects a retrace. Something similar might could >be done if they were using a portion of the picture that would normally be >taken up by the overscan on most TV's. Or are they doing something more >sophisticated by maybe putting another signal similar, but different, to the >audio portion? > Basicly the VC-II system relies on having a "secure" audio portion and a basicly "protected" (breakable) video section. The VC-II scrambling system digitizes two audio channels (at approx the same rate used in compact disc's) and then adds each digital sample to a random binary sequence generated by the DES algorithm and combines them with error coding bits. The encrypted audio bits appear to be completely random. These two audio channels, along with the addressing and control information are digitally transmitted in place of the horizontal sync pulse in each video line as 88bits of PAM data. (The video scrambling is accomplished by the absence of normal sync information, and video inverting.) The exact pattern of how the bits are transmitted in the video frame is unknown to me (as it is one key in decodeing the signal) The VC-II descramblers use a multilevel key hierarchy. Each VC-II has a unique public address and a DES key contained in a TI7000 microprocessor. This key is 2 fold. It is used by the VC-II to decode other keys and 2) to descramble the satellite signal if that channel is in "Fixed key mode". (In this mode - any VC-II will decode the channel - no authorization is required) In the normal mode of operation though, each descrambler first receives a satellite message containing a monthly key along with service attributes. If this key is not preceeded with the address of the unit. It fails to store the key. Then every satellite service is encrypted by the scrambler with a different program key. The program key is combined with program attributes and is encrypted with the monthly key and broadcast over the control channel to all descramblers. Only those descramblers that correctly received the monthly key will be able to decrypt the program key and decode the program. The VCII scrambling system repetitively transmits individual monthly messages to all authorized descramblers in advance of changing the program keys. Then by changing keys at the program level, it can authorize and deauthorize a set of descramblers with one transmission. From what I can tell, the various videocypher busting techniques are based upon causing a VC-II decoder to change its ID to either a "MASTER" decoder which pays for all the encrypted signals (and each clone then receives them automaticly), or by changing the ID to random unit ID's and searching for authorization messages. General Instruments (the people that bought the MA/COM division) have supposely changed how often the monthly key information is transmitted in an attempt to frustrate the latter attempt. In any case, the DES encryption system in the VC-II has not been the target nor has it been broken in any of the VC-II decoding techniques. I can fail to see how the type of "hacking" people have been doing on the VC-II could be considered treason. I dont even think that the breaking of the encoding is illegal, although the use of such a device is.