Christopher Tarnovsky, could these methods be used to hack nagra 3???

[TheCoder]

Quote:

Originally Posted by sr20

Are you saying if you were given the code destined for a 'top level trader' you'd not implement and rel it for £1M?

Although I still disagree that the top level traders wouldn't do it for say even 1 mil euros...I think CS is the only logical way forward

What i'm saying is that your very unlikely to get that code in the first place !

The kind of people that would be extracting to embed in their own boxes/cams probably know more about security that the whole of Kudelski/NDS put together.

These people would not be interested in selling this info for any realistic price when they have the opertunity of controlling access, and therefore price, over an extended timeframe. They may sell you the present operational keys for an exorbitant sum but, as we all know, those keys can be changed in just a few hours !

[wellytronic]

There are a few threads on here piquiing my interest, this being a decent example of them.

Unfortunately it seems the average forum type hasn't really moved on one iota since 2005.

Nagra3 is not an encryption system, it's a Conditional Access System. The encryption systems is uses range from DES to RSA to IDEA to AES etc, but Nagra3 (or any Nagra technolgy) is not encryption.

All DVB-C signals are encrypted with CSA. The Control Words to decrypt MPEG2 video encryped using CSA are protected by Nagra's Conditional Access System (N3 being the latest iteration)

The box gets an ecrypted Video Stream, it asks the card for the Control Words to decrypt the Video Stream, and if it's entitled to them it gets them. If not, it doesn't (black screen)

That hasn't changed since the first DVB-C (and DVB-S for that matter, if we're talking about NDS in the same thread, since VideoGuard is the Conditional Access System used by NDS who protect SKY UK programming)

The encryption, like TheCoder mentioned, has never been broken (earlier, shortey-key implementations of RSA have been cracked, but even then it was only via bruteforcing, and still took ages!)

The Video Stream is encrypted using the CSA.

The CW's to decrypt it are passed to the card via EMM's encryped with a variant of RSA

The Box will ask the card for these CW's and if it's entitled to view (either via a legit sub or via a hacked sub i.e. a MOSC or emu) it will receive them. The card will pass them to the box AFTER first encrypting them using DES, with the box key as the common encrypt/decrypt key.

This happens every 8 seconds or so.

The various implementations of Nagra (1, 2, 3 etc) are systems which USE encryption, but also systems which use various command/response instructions from the Box<>Card to determine whether that encryption will be used to provide or deny programmes i.e a TV picture.

The first variant, N1, has lots of flaws in it's makeup and those are reflected in the many exploits and attacks available to hackers (CMD03 exploit in earlier times, glitching etc)

N1 here means both the actual programs in ROM/EEPROM on the cards and the processors on the cards themselves. The physical hardware was susceptible to certain attacks, glitching being one of them.

N2 was more of the same, but with better protection against attack via both the processors and the programs on them in ROM/EEPROM.

N3 is again more of the same, except with yet more protection in HW and SW (technically FirmWare)

The Conditional Access System is the implementation which utilises the hardware (the smartcard processor and some circuitry in the box too), the software/firmware (the ROM/EEPROM) and also encryption, it's not encryption itself.