Most of you are missing my point.
There is NO reason we need a card or any hardware from the cable company. If each TV was shipped with a signed embedded certificate, then all we'd have to do is contact the cable company and give them a number that uniquely identified our TV on the network, and the rest would just work.
PKI is a proven technology on the internet, in fact it is how every ecommerce site works. And this version would be even more secure since it would be on the cable co's private network.
@(Unverified)
I think most of us see the point, but don't expect the FCC or CableLabs to do anything more convenient for customers. Not only that, but even IF they come up with something, the rollout won't go smooth, they'll force us to buy new hardware, it probably will only work on a new operating system, and the cable companies will fight it every step of the way.
Besides that, what seems more likely for the cable cos to do is to lobby to drop the requirement entirely, and just stick to their boxes.
@jhoff80
Since this is all a direct result of an act of Congress, it would take the same to roll it all back. So what do you think is more likely? That Obama's FCC comish will force a consumer friendly solution on cable operators, or that the cable operators will successfully lobby Congress to repeal the law?
@(Unverified)
Well, we don't necessarily need cable cards, but, for DRM purposes, it'd still be a good idea to have a smart card slot. Just look at the satellite TV companies like Dish or DirecTV. Their encryption system has been broken several times, and to secure it again, they just need to release new smart cards, rather than change out all the receivers.
@(Unverified)
I like Obama, don't get me wrong... but he doesn't exactly have much of a track record for forcing much, even the kinds of regulation that would help Americans and that a majority of Americans support (cough) healthcare, regulating the financial sector, etc. (cough) when faced with millions and millions of dollars of lobbyist money buying off half of Congress.
I'd be very concerned about CableCard going away with no alternatives, personally.
@(Unverified)
The point of the hardware token is to handle the decryption of the signal in secret while preventing people from pirating cable.
Software-based security wouldn't be able to protect the decryption keys for the signal.
Cable companies don't send unique video signals to every single household - and so if the decryption keys are able to be copied, then there would be no limit to the number of TVs that can watch for free.
The reason software tokens work for browsers is that they solve a very different security problem.
@skim
I understand that cable is broadcast so it isn't exactly the same as say SSL. What I meant was that the certificate would be used to prove that the device was certified to communicate on the network, and then the headend could share the encryption key. So the cert would be used for authentication and the initiation encryption, but not the stream encryption itself. This way the cable operator could change the keys as needed.
As for the smart card that sat uses, this really isn't necessary since that is a solution for a one way medium, and cable is two-way, and thus inherently more secure.
It would also be harder to crack than, say, AACS, since that is an offline technology which gives the attacker an unlimited time to crack the keys and no real way to retroactively revoke the keys.
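The key hierarchy proposed in the comment above (a registered device identity, a headend that hands out a content key and can change it), sketched as an added example that is not code from any commenter or from CableLabs. The per-device symmetric key and HMAC-based wrap are stand-ins for encrypting to the public key in a device certificate; `Headend`, `register` and the device ids are hypothetical names.

```python
import hashlib
import hmac
import secrets

def _mac(key: bytes, label: bytes, epoch: int, data: bytes = b"") -> bytes:
    return hmac.new(key, label + b"|%d|" % epoch + data, hashlib.sha256).digest()

def wrap(device_key: bytes, epoch: int, content_key: bytes):
    # Stand-in for encrypting to the public key in the device certificate:
    # XOR with a pad that is unique per (device, epoch), plus an integrity tag.
    pad = _mac(device_key, b"pad", epoch)
    ct = bytes(a ^ b for a, b in zip(content_key, pad))
    return ct, _mac(device_key, b"tag", epoch, ct)

def unwrap(device_key: bytes, epoch: int, ct: bytes, tag: bytes) -> bytes:
    if not hmac.compare_digest(tag, _mac(device_key, b"tag", epoch, ct)):
        raise ValueError("entitlement was not issued to this device")
    pad = _mac(device_key, b"pad", epoch)
    return bytes(a ^ b for a, b in zip(ct, pad))

class Headend:
    def __init__(self):
        self.devices = {}        # registered device id -> per-device key
        self.revoked = set()
        self.epoch = 0
        self.content_key = secrets.token_bytes(32)   # shared by all receivers

    def register(self, device_id: str) -> bytes:
        self.devices[device_id] = secrets.token_bytes(32)
        return self.devices[device_id]

    def revoke_and_rotate(self, device_id: str) -> None:
        self.revoked.add(device_id)
        self.epoch += 1
        self.content_key = secrets.token_bytes(32)

    def entitlement(self, device_id: str):
        if device_id not in self.devices or device_id in self.revoked:
            return None
        return (self.epoch, *wrap(self.devices[device_id], self.epoch, self.content_key))

def demo() -> dict:
    head = Headend()
    good = head.register("TV-0001")            # constructed device ids
    head.register("TV-0002")
    old = unwrap(good, *head.entitlement("TV-0001"))
    head.revoke_and_rotate("TV-0002")          # TV-0002's keys were copied
    new = unwrap(good, *head.entitlement("TV-0001"))
    return {"rotated": old != new, "current": new == head.content_key,
            "revoked": head.entitlement("TV-0002") is None}
```

Until `revoke_and_rotate()` runs, a content key copied out of one receiver still decrypts the broadcast for any number of others, which is the objection raised earlier in the thread; rotation only bounds how long that lasts.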
@BenD
Registering a certificate with the cable co works for cable modems (MAC address).