HOME    COMMUNITY    BLOGS & FORUMS    VIP Central
VIP Central
 

HDCP 2.2: Locality Check, SKE and Authentication with Repeaters

Posted by VIP Experts on May 21st, 2015

In The HDCP 2.2 Authentication Process – an Introduction, we discussed why we need HDCP, and the basic steps of the HDCP Authentication Process. We noted that an advanced version of RSA is the underlying cryptography standard used during the Authentication and Key Exchange (AKE). AKE is the first step in the authentication protocol. Here we will continue exploring the next 3 steps of the protocol: Locality Check, Session Key Exchange (SKE) and Authentication with repeater. You can learn more about the HDCP 2.2 Authentication Process by downloading our whitepaper, Demystifying the HDCP 2.2 Authentication Process.

Locality Check

This is an interesting checking mechanism introduced in HDCP2.X to ensure that the receiver and the transmitter are placed nearby. It prohibits sharing of HDCP2.2 protected content over a long distance.

The flow for locality check is shown in the figure below. The transmitter sends a random number (rn) to the receiver and expects the HMAC-SHA256 value L’ computed over rn and derived key Kd to be back within 20ms. In the case of failure of locality check, either due to timer expiration or mismatch between L and L’, it may result in Authentication failure. The protocol permits the transmitter to retry the locality check (up to 1024 attempts) by sending the LC_INIT message with a new rn value.

HDCP-Locality

Flow for Locality Check

Session and Key Exchange (SKE)

Successful completion of AKE and locality check affirms to the HDCP transmitter that the HDCP receiver is authorized to receive the HDCP protected audio visual content. So after the locality check, the transmitter can generate a random 128 bit session key (Ks) and encrypt it using the Master key exchanged during the AKE and send it to the receiver.

During SKE, the HDCP transmitter:

  1. Generates a secret pseudo random session key Ks and a 64-bit pseudo-random number Riv
  2. Encrypts this with the key derived from AES-128 encryption and sends the encrypted message SKE_SEND_EKS.

Then this session key Ks and Riv will be used in the encryption of the audio video content by the transmitter. The receiver will be able to decrypt the content using this key (remember the Symmetric key encryption technique).

Authentication with Repeaters

This is an optional step only needed when the receiver is a repeater device. This step is used to propagate the topology information to the transmitter. The repeater accumulates a list of the entire downstream receiver IDs as well as the number of levels in the topology tree. The transmitter also checks whether any of the receivers is in its revocation list.

Once authentication is successful, the transmitter can start encrypting the audio visual content using AES-128 bit encryption algorithms which is a very secure and fast encryption technique capable of providing high bandwidth. The key for the AES core is the session key (Ks) xor with the secret constant lc128. This secret constant is provided by DCP LLC.

You can learn more about the HDCP 2.2 Authentication Process by downloading our whitepaper, Demystifying the HDCP 2.2 Authentication Process.

Posted in HDCP, HDMI, Methodology | No Comments »

MIPI Soundwire: Digital Audio Streams and Channels

Posted by VIP Experts on May 19th, 2015

In MIPI Soundwire: Digital Audio Simplified, we mentioned that digital audio formats including Pulse Code Modulation (PCM) and Pulse Density Modulation (PDM) are target applications for MIPI Soundwire. Here we will discuss Digital Audio Streams and Channels.

For more information on MIPI Soundwire, you can download our whitepaper.

The figure below illustrates how Digital Audio is transferred between Codecs and System memory via Digital Audio Streams. A Codec (short for encoder-decoder) converts analog signals to digital streams, or vice versa. Digital Audio Stream is a logical or virtual connection, which may have one or many channels. For example: Stream-3 has two channels (Stereo) which are decoded by both Codec-A and Codec-C, while Stream-2 has a single channel (mono) – the input side of  the modem.

Soundwire-DigitalAudioStreams

Digital Audio Streams

The figure below shows a conceptual audio frame, and how a digital audio stream and its channels are transferred on the link. Each input or output signal in the link transmits a series of frames. A new frame starts every 20.83us (48KHz). A typical frame consists of command (control information) and payload (audio data). The audio data could be single stream or multiple streams together. Since the frame occurs at a fixed rate, streams can occupy more or less than one sample block every frame. In Figure 7, stream S-2 occupies two sample blocks. This implies that the sample rate for S-2 is 96 KHz. Moreover, S-2 has 4 channels of 20 bits each. So the stream sample block uses 80bits. The audio bit rate would be (80 bits) * (96KHz) = 7.68Mbps.

Soundwire-ConceptualAudioFrameComposition

Conceptual Audio Frame Composition

The total number of streams supported would depend on frame size and streams. Any unused space is filled with Filler/Null data.

For more information on MIPI Soundwire, you can download our whitepaper.

Posted in Methodology, MIPI | No Comments »

HDCP 2.2: Authentication and Key Exchange (AKE)

Posted by VIP Experts on May 14th, 2015

In The HDCP 2.2 Authentication Process – an Introduction, we discussed why we need HDCP, and the basic steps of the HDCP Authentication Process. We noted that an advanced version of RSA is the underlying cryptography standard used during the Authentication and key exchange. In HDCP 2.2 Authentication: RSA Cryptography, we discussed the basics of RSA Cryptography. In this blog post, we will dive into the details of Authentication and Key Exchange (AKE), which is the first step in the authentication protocol. You can learn more about the HDCP 2.2 Authentication Process by downloading our whitepaper, Demystifying the HDCP 2.2 Authentication Process.

The HDCP transmitter can start at any time even before a previous authentication is complete. HDCP Receiver’s public key Certificate is verified by the HDCP transmitter then the devices share a master key Km. This stored master Key Km accelerates the subsequent communication between HDCP transmitter and Receiver. Authentication also happens even if the transmitter doesn’t have a stored master Key corresponding to the HDCP receiver. These keys information are sent in form of messages. If we are using HDMI then these messages would go over the I2C based control bus in big endian format.

1024 bit wide Receiver’s public key is stored in the certificate which has the following content:

HDCP-Certificate

Below figure shows the flow for Authentication and key exchange:

HDCP-AKE-flow-without-stored-KmAuthentication and Key Exchange Flow (without stored Km)

Transmitter sends its own information to receiver which in turns sends its own certificate containing public key within 100ms time frame. Transmitter verifies the signature. As explained in the figure below, the failure of the signature verification will result in the Authentication abort:

HDCP-signature-verif-AKESignature Verification during AKE

After successful signature verification, if the transmitter doesn’t have the stored master key Km from the previous session, the transmitter generates a random 128 bit master key, encrypts it using the RSAES-OAESP encryption with receiver’s public key, and sends it to the receiver.

In addition to signature verification, the transmitter also checks that the receiver ID of the receiver is not present in the revocation list. It is a procedure to make sure that a receiver which has been compromised and identified will be tracked during authentication. If the receiver ID is found in the revocation list, AKE is aborted.

Upon receiving the encrypted Km, receiver decrypt it using the receiver private key (HDCP2.2 recommend using Chinese Remainder theorem to reduce effort as this is the most compute intensive step in the entire authentication flow). There is also a time limit bound of 1s for the entire decryption and the subsequent hash value calculation.

After the receiver successfully decrypts the km, it sends back the H_Prime, a HMAC-SHA-256 (see below section for details), hash value of the master key Km to the transmitter. This is to provide an acknowledgement to the transmitter that the receiver has indeed successfully decrypt the master Key Km.

Upon receiving the Hash value (H_prime) from the receiver, the transmitter checks against its own computed value. Upon successful comparison of the H_Prime, Authentication and key exchange is complete otherwise AKE is aborted.

HMAC SHA-256

In order to provide more authenticity for messages, HDCP2.2 uses Hash based Message Authenticity code(HMAC). The HMAC-SHA256 is a message authentication method which uses the underlying hash functions as SHA-256. The input to the HMAC-SHA256 is a key (which can be message). The output is the message access code which can be send back to originator of the message which can check the HMAC code against its own code and verify the message has been correctly received by the receiver.

Pairing

Before explaining the next step in the Authentication Flow, it is important to explain a process called Pairing. In the above AKE flow, it is explained how transmitter generates a master key Km if it doesn’t have the stored key Km. Now transmitter can store the received Km value for the next session and reuse it instead of generating a new Km, hence speeding up the entire flow of AKE. In the AKE flow after the receiver send H_Prime information to transmitter, it will send the AES encrypted master Key to the transmitter. Transmitter stores the Encrypted master key and master key itself. For subsequent session, The AKE flow with stored Km is illustrated in the figure below:

HDCP-AKE-with-stored-KmAuthentication and Key Exchange (With Stored Km)

 You can learn more about the HDCP 2.2 Authentication Process by downloading our whitepaper, Demystifying the HDCP 2.2 Authentication  Process.

Posted in HDCP, HDMI, Methodology | No Comments »

AMBA System Monitor, Scoreboarding and Beyond

Posted by VIP Experts on May 12th, 2015

In my previous blog post, How do you Verify the AMBA System Level Environment? we discussed how to enable SOC verification engineers to create highly configurable AMBA fabric.

AMBA-System-Env

The system environment should provide place-holders for hooking the DUT with any of the quintessential AMBA VIP components such as AXI3/4/ACE, AHB or APB. With the use of the AMBA System environment, we can configure it to instantiate as many number of AXI/AHB/APB VIP as needed with minimal additional code.

To verify the interconnect fabrics that connect IP blocks and subsystems within an SoC, it is necessary to check the correctness and completeness of data as it passes through the interconnect.  This is what the AMBA System monitor does for us. It also ensures that a transaction is routed correctly to its appropriate slave.

Since interconnect behavior is always design-specific, the AMBA System monitor can be extended and customized to enable design-specific checking. User-created rules can be added to the System monitor checks.

The AMBA system monitor resides within the AMBA System environment. It has full visibility across all the port monitors of all the masters and slaves in the system. With such visibility, the system monitor is capable of performing all system-level checks across all the AHB, APB & AXI ports within the system. The system monitor has a built-in coverage model which covers the transaction flow across protocols. The coverage model is made aware of the system configuration. This ensures we get good functional coverage.

The AMBA system monitor observes transactions across all the port monitors of all the masters and slaves in the system and performs checks between the transactions of these ports. It does not perform port-level checks: these are accomplished by the checkers of each master/slave agent connected to a port. The system monitor requires transaction-level inputs from the master and slave ports of the system. Transaction-level inputs are transactions which are created by port-level monitors as a result of signal-level activity. The system monitor does not require signal-level inputs. Transaction-level inputs are provided by port monitors. To provide transaction-level inputs, the system monitor could, in turn, instantiate port-level monitors. UVM provides the capabilities to easily connect various components. All transactions from the port-level monitors of each of the agents can easily be provided to the system monitor via transaction-level modeling (TLM) connections, thereby eliminating the need for instantiating these port level monitors in the system monitor.

Authored by Satyapriya Acharya 

Here’s where you can find more information on Verification IP for AMBA 4 AXI.

Posted in AMBA, Methodology, SystemVerilog, UVM | No Comments »

MIPI Soundwire: Pulse Density Modulation (PDM)

Posted by VIP Experts on May 7th, 2015

In MIPI Soundwire: Digital Audio Simplified, we mentioned that digital audio formats including Pulse Code Modulation (PCM) and Pulse Density Modulation (PDM) are target applications for MIPI Soundwire. In the last blog post on Soundwire, we discussed Pulse Code Modulation.

For more information on MIPI Soundwire, you can download our whitepaper.

In this blog post, we will discuss Pulse Density Modulation (PDM).

PDM, is a form of modulation used to represent an analog signal with digital data. In a PDM signal, specific amplitude values are not encoded into code words of pulses of different weight, as they would be in pulse-code modulation (PCM). Instead, the relative density of the pulses corresponds to the analog signal’s amplitude. The output of a 1-bit DAC is the same as the PDM encoding of the signal.

PDM
Figure 1: Pulse Density Modulation

A run consisting of all 1s would correspond to the maximum (positive) amplitude value, all 0s would correspond to the minimum (negative) amplitude value, and alternating 1s and 0s would correspond to a zero amplitude value.

Pulse-Density-Modulator
Figure 2: Pulse Density Modulator

PDM modulators consist of noise shaping and oversampling block. Noise shaping ensures that noise present in lower frequency band is relatively low while noise in higher frequency band is relatively high. However, audio quality is more sensitive at higher frequencies unlike video/image data, which is not so sensitive at higher frequencies. To overcome this, PDM modulators oversample the audio signals and use noise shaping to push noise at higher frequencies, which reside in the non-audible zone. Typically, oversampling is done for sound at 3Mhz, while audio sampling is used at 24kHz/48KHz.

For more information on MIPI Soundwire, you can download our whitepaper.

Posted in Methodology, MIPI | No Comments »

HDCP 2.2 Authentication: RSA Cryptography

Posted by VIP Experts on May 5th, 2015

In the blog post, The HDCP 2.2 Authentication Process – an Introduction, we discussed why we need HDCP, and the basic steps of the HDCP Authentication Process. We noted that an advanced version of RSA is the underlying cryptography standard used during the Authentication and key exchange.

Here, we will discuss the basics of RSA cryptography. You can learn more about the HDCP 2.2 Authentication Process by downloading our whitepaper, Demystifying the HDCP 2.2 Authentication Process.

Basics of RSA Cryptography

All encryption and decryption techniques in cryptography can be classified into 2 categories:

  • Symmetric Key
  • Public Key

In the Symmetric Key category, both encryption key and decryption key are known to the transmitter as well as the receiver, or a common encryption key is shared between the transmitter and the receiver, whereas decryption key is same or easily computed from the encryption key. A common example of this type of encryption technique is AES which is also used in HDCP2.2 for encryption of the audio visual content.

In the Public Key category, the encryption key is public and known, but private key is computationally infeasible to find without the information which is only known to the receiver. The most popular version of this category is RSA which uses the public key technique.

Cryptography-principle

Figure 1: General principle of Cryptography 

RSA Cryptography is based on the pair of keys consisting of a private key and a public key. Each receiver has its private key and a public key. Private Key is used to encrypt and check signatures whereas public key is used to encrypt the plain text. Public key is not secret and can be sent in a plain text whereas private key is kept secret and can be derived from the public key with an extremely high computation effort.

The advantage of RSA cryptography with a public key and a private key pair is that there is no identical secret key which has to be exchanged between receiver and transmitter. The disadvantage of RSA encryption is that the calculation of cypher text and plain text is elaborate.

Explaining the RSA algorithm mathematically, public key consist of a pair of numbers (e, n) and the private key of a pair of numbers (d, n) where n = p*q where p and q are large secret prime numbers. Figure 2 shows the encryption where a plain text or a message is represented by a number m raising to publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product n (of two large secret prime numbers, p and q)

RSA-Encryption

Figure 2: RSA Encryption using Public key

Decryption is also similar as shown in Figure 3, only a different secret power d is used where e.d≡1 (mod(p-1). (q-1)). The whole security of the system rests in part on the complexity of factoring the published divisor, n.

RSA-Decryption

Figure 3: RSA decryption using private key

Summarizing the algorithm, if two people, say Alice wants to communicate to Bob, then

  • Bob chooses secret primes p and q and computes n = pq.
  • Bob chooses e with e, (p − 1)(q − 1) = 1.
  • Bob computes d with de 1 mod (p − 1)() (q − 1) .).
  • Bob makes n and e public and keeps p, q, d secret.
  • Alice encrypts m as c me (mod n) and sends c to Bob.
  • Bob decrypts by computing m ≡ cd (mod n).

Although extremely difficult, plain RSA  can still be broken with sufficient computing power. That’s why HDCP2.2 uses a derivative of plain RSA called Optimized Asymmetric Encryption padding (RSAES-OAEP) which utilizes padding and hash functions.

In the next blog post on HDCP, we will see how this derivative is used in verifying the receiver’s public key certificate and in the Authentication and Key Exchange (AKE) step.

You can learn more about the HDCP 2.2 Authentication Process by downloading our whitepaper, Demystifying the HDCP 2.2 Authentication Process.

Posted in HDCP, HDMI, Methodology | No Comments »

PCIe: Monitors and Test Suites

Posted by VIP Experts on April 30th, 2015

In this video, Paul Graykowski of Synopsys gives an overview of the PCI Express VIP Monitor and Test Suites http://bit.ly/1DHIdyQ

You can learn more about our VIPs at Verification IP Overview, or download the Datasheet for PCIe and MPCIe.

Posted in Debug, PCIe, SystemVerilog, Test Suites, UVM | No Comments »

MIPI Soundwire: Pulse Code Modulation (PCM)

Posted by VIP Experts on April 28th, 2015

In MIPI Soundwire: Digital Audio Simplified, we mentioned that digital audio formats including Pulse Code Modulation (PCM) and Pulse Density Modulation (PDM) are target applications for MIPI Soundwire.

For more information on MIPI Soundwire, you can download our whitepaper.

In this blog post, we will discuss PCM.

PULSE CODE MODULATION

Most current digital audio systems (computers, compact discs, digital telephony etc.) use multi-bit Pulse Code Modulation (PCM) to represent the sound signal. PCM has the advantage of being easy to manipulate. This allows signal-processing operations to be performed on the audio stream, such as mixing, filtering, and equalization. As shown in Figure 1, Analog to PCM conversion consists of three steps:  Sampling, Quantizing and Encoding.

PCM

Figure 1. Pulse Code Modulation 

Sampling: As shown in Figure 2, Sampling is reduction of a continuous signal to a discrete signal. It is also called digitization of time. It results in a sample, which is discrete (digital) in time but continuous (analog) in amplitude. Sampling rate, i.e. samples taken per second, is an important factor while doing sampling and it is necessary to capture audio covering human hearing range. Human beings can hear frequencies in the range of 20Hz to 20KHz. Nyquist theorem says that sampling rate should be double the frequency of highest frequency signal.  So, in order to preserve the quality of sound sensed by the human ear, roughly 40Khz sampling rate is required. That is why 44.1Khz (CD) and 48Khz (DVD, DV) are the most common sampling rates for digital audio.

PCM-Sampling

Figure 2. Sampling

Quantization: It is the process of mapping a large set of input values to a (countable) smaller set such as rounding values to some unit of precision. After this step, the sample is discrete in time and amplitude as well, as illustrated in Figure 3. A device or algorithmic function that performs quantization is called a Quantizer. The round-off error introduced by quantization is referred to as quantization error. The number of available discrete levels of amplitude determines quantization error, and it depends on the number of bits per sample. If we use more bits to quantize a signal, its quality will be better. For instance, an 8-bit sample will have 28 = 256 discrete levels. In terms of Singal-to-Noise Ratio (SNR), each additional bit increases the SNR by 6dB (improve signal quality). It is represented by following formula:

PCM-formula

 

 

Common PCM samples are of 8, 16, 20 and 24 bits wide.

PCM-Quantization

Figure 3. Quantization

Based on this information, one can decide what kind of sampling rate and sample bits are appropriate for a specific target application. Let us consider the case of the human voice signal in a telephone system: Frequency range 80 ~ 3.4 KHz], Human ear can tolerate SNR of 40 [dB].

To transmit human voice in digitized form based on Nyquist theorem, we need a sampling rate = 2*3.4 [kHz] = 6800 [samples/sec]. Based on SNR formula: 40 [dB] = 6*m + 1.76 ⇒ Number of bits per sample = 7.

Encoding: It is simply converting sample data into digital traffic, which includes interface dependent framing data as well.

For more information on MIPI Soundwire, you can download our whitepaper.

Posted in Methodology, MIPI | No Comments »

PCIe: Accelerating Debug

Posted by VIP Experts on April 23rd, 2015

In this video, Paul Graykowski of Synopsys gives an overview of the PCI Express VIP’s capabilities that will support your efforts to accelerate the debug process:

You can learn more about our VIPs at Verification IP Overview, or download the Datasheet for PCIe and MPCIe.

Posted in Debug, PCIe, SystemVerilog, UVM | No Comments »

The HDCP 2.2 Authentication Process – an Introduction

Posted by VIP Experts on April 21st, 2015

When digital content is transmitted, it is susceptible to unauthorized copying and interceptions. Hence protecting content has become an important factor in the transmission of audiovisual content. In 2003, Intel developed an encryption technique called the High-bandwidth Digital Content Protection (HDCP) protocol to protect audio and video data between a transmitter (transmitting the audio visual content such as a Blu-ray player) and a receiver such as a Monitor. If a transmitting device is transmitting the content HDCP protected then the receiver must also support HDCP in order to receive the content correctly.

You can learn more about the HDCP 2.2 Authentication Process by downloading our whitepaper, Demystifying the HDCP 2.2 Authentication Process.

HDCP protocol is now managed by Digital Content Protection (DCP), LLC, an Intel subidiary, which licenses technologies for the protection of commercial digital content. For every HDCP protected digital content must follow the HDCP protocol and also must have a license issued by DCP, LLC.

History of HDCP
In earlier devices that support the 1.X version of HDCP, such as HDCP1.4, the receiver demonstrates that it has valid secret keys, device private key. Transmitter authenticates that the receiver has valid keys, and then both devices share a secret session key that will be used during encryption as depicted in Figure 1. The authentication strength was reasonable using SHA-1 encryption algorithm in key exchanges. Most of the authentication and encryption was proprietary between devices that support HDCP1.4. Encryption uses a proprietary stream cipher.

HDCP-1-X

Introduction to HDCP2.2
HDCP 2.2 specification applies state of the art cryptography standards, such as RSA and AES, and uses them in authentication and encryption respectively which makes it much more secure than the previous HDCP1.X protocols.

HDCP 2.2 protocol works in 3 phases: the first phase, Authentication, is to verify that the receiver is genuine and authorized to receive the digital content. During the second phase, Encryption, transmitter can start sending the encrypted data to receiver, which will then decrypt it using keys exchanged during the authentication step. In the event that legitimate devices are compromised, the third phase, Renewability, allows the HDCP transmitters to identify such compromised devices and prevent transmission of HDCP content.

HDCP2.2 Authentication Protocol
Before transmitting the audio visual content, the transmitter must make sure using the authentication protocol that the receiver is genuine and authorized to receive the protected content.

The Authentication Protocol consists of:
1. Authentication and key exchange (AKE): Checks that the receiver contains a valid un-revoked public key certificate.
2. Locality Check: A check to make sure that the receiver is placed nearby and restricts the transmission to a locality.
3. Session key exchange (SKE): A common shared session key is exchanged which will be used to encrypt the data itself.
4. Authentication with repeater: An option step when sink is a repeater i.e., Subsequent sink device can be attached. Transmitter checks that none of the receivers in the topology is un-authorized.

In the next blog post, we will discuss the basics of RSA cryptography. An advanced version of RSA is the underlying cryptography standard used during the Authentication and key exchange.

You can learn more about the HDCP 2.2 Authentication Process by downloading our whitepaper, Demystifying the HDCP 2.2 Authentication Process.

Posted in HDCP, HDMI, Methodology | No Comments »