FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENTS RULES, 2003
COMPLETE SPECIFICATION
[See section 10, Rule 13]
METHOD FOR SECURING MESSAGES TRANSMITTED BY A TRANSMITTING TERMINAL TO A REMOTE RECEIVING TERMINAL;
VIACCESS, A CORPORATION ORGANIZED AND EXISTING UNDER THE LAWS OF FRANCE, WHOSE ADDRESS IS LES COLLINES DE L'ARCHE, TOUR OPERA C, 92057 PARIS' LA DEFENSE CEDEX, FRANCE.
THE FOLLOWING SPECIFICATION
PARTICULARLY DESCRIBES THE INVENTION
AND THE MANNER IN WHICH IT IS TO BE
PERFORMED.

TECHNICAL DOMAIN
The invention pertains to the telecommunications domain and more specifically relates to a method for securing a number n greater than or equal to 1 of messages Mui (i= 1 to n) transmitted by a transmitting terminal to a remote receiving terminal.
The invention also relates to a transmitting terminal adapted to transmit a number n greater than or equal to 1 of messages MUi (i= 1 to n) to a remote receiving terminal.
The invention also relates to a receiving terminal configured to receive messages MUi (i= 1 to n) transmitted by said transmitting terminal.
The invention also relates to a computer program stored on a medium and designed to be run in the transmitting terminal to use said method at the transmitting end, and a computer program stored on a medium and designed to be run in the receiving terminal to use the method at the receiving end.
The invention is more particularly aimed at improving the protection of EMM messages sent through an operator's network head end to a client's reception system. However, it is more generally applicable to the protection of any transmission of messages between entities connected through communication networks independently of the nature and characteristics of said entities and said networks.

3
STATE OF PRIOR ART
With the increasing development of content distribution through communication networks, the risk of pirating these contents becomes a major concern of suppliers and also of persons receiving these contents. Consequently, it is of overriding importance to protect the distributed contents firstly against risks of misappropriation of access rights associated with these contents, and secondly against falsification of these rights by a user.
In CAS (Conditional Access System) type systems, distributed contents are usually scrambled and unscrambled under the control of logical entitlements (a user can access the content for a determined duration), and keys called operation keys that are used to access contents.
Logical entitlement and operation keys are
usually transmitted to receiving terminals in specific
Entitlement Management Messages (EMM) controlling
access. EMM messages may also include commands
intended to limit or eliminate entitlements previously held by the user.
Access conditions are usually transmitted to receiving terminals in specific ECMs (Entitlement Control Message).
EMM and ECM messages must be protected themselves.
For a better understanding of the terminology specific to this technical domain, refer to the document: FUNCTIONAL MODEL OF A CONDITIONAL ACCESS

4
SYSTEM» EBU REVIEW-TECHNICAL EUROPEAN BROADCASTING UNION. BRUSSELS, BE, no 266 21 December 1995.
One disadvantage of prior art lies in the fact that these messages may be intercepted and analysed so as to determine access conditions and the keys necessary to unscramble the contents. A pirate can thus eventually acquire the ability to keep a received message and then modify it, and then re-submit it to its reception terminal such that the reception terminal processes it. The pirate can then acquire or find entitlements that he does not have or no longer has legitimately. With the same objective, he can also acquire the ability to calculate messages of his choice himself and to have fraudulent messages processed by the receiving terminal as messages calculated by the operator.
Another method of fraud consists of filtering messages transmitted by the operator to prevent them from being processed by the security processor on the receiving terminal, for example for messages that might deprive the user of rights that he had previously acquired.
The state-of-the-art of protection of access control messages against these attacks is composed of various solutions, among which:
- Encryption of messages to be transmitted such that when the pirate receives them, he does not know if the messages contain positive or negative orders from his point of view. Therefore, this step prevents him from determining which messages he should

5
filter on-line, thus making it more difficult to filter EMMs .
- The addition of cryptographic redundancy to the messages to be transmitted. This provides the means of verifying that the messages have been calculated by an entity in possession of a specific key authorised to do this calculation. This step thus makes the calculation of authentic messages of the pirate's choice more difficult, and it thus protects the system against the insertion of such messages.
- The logical combination, in a single message, of orders that will be positive and negative from the pirate' s point of view, such that the reception system cannot successfully accept the positive order unless it has previously accepted the negative order. This combination is based on the assumption according to which the pirate is penalised more by failure to process the positive order than by processing of the negative order. This step then dissuades filtering of the EMM containing the combination, against which it thus protects the system.
When EMMs are encrypted: if the pirate a priori ignores what message he is handling, he can determine the effects by experience: for example, by submitting it to a reception system reserved for his tests .
He can also not submit encrypted messages to his reception system until the reception system no

6
longer works, possibly thus obtaining an additional and illegitimate access time to the contents considered.
In the case in which access entitlement messages are authenticated by cryptographic redundancy, this step does not have any effect in the following cases :
- if the pirate has successfully obtained the key or if he has succeeded in obtaining a correct cryptographic redundancy. This is possible particularly if said cryptographic redundancy is symmetric.
- if the pirate has succeeded in having a message processed by the security processor, as comprising a correct cryptographic redundancy, and therefore as being authentic. This is possible particularly by physically disturbing the operating environment of the security processor of the reception system that is designed to check this authenticity. For example, these disturbances include a sudden temperature increase, a variation in the electrical power supply signal or the clock signal, exposure of the component to laser pulses, electromagnetic emissions or radiation of radioactive particles.
If messages are protected by transmitting a combination of positiye and negative orders to the receiving terminal, the step is only interesting when the pirate has something to lose. In particular, some attacks consist of illegally adding entitlements into official security processors (cases called MOSC, Modified Official SmartCard). In this case, the pirate does not lose anything when filtering the messages unless the operator has changed the operation keys.

7
It is preferable not to transfer these keys in a multiplex, to avoid exposing them unnecessarily.
Therefore, it appears that it is not always possible for a conditional access system (CAS) to protect itself against pirate attacks, and particularly against the elimination of undesirable messages or the insertion of messages that should not be submitted to the security processor.
The purpose of this invention is to overcome insufficiencies of conditional access systems according to prior art described above.
PRESENTATION OF THE INVENTION
The invention is based on the concept of replacing the useful message, in other words the message transporting the useful information to be protected, by a sequence of messages containing secondary messages in a predetermined order, preferably similar in appearance and with a predetermined number, for scrambling purposes without transporting any information useful for any other purpose, in addition to the message to be protected.
To achieve this, the invention recommends a security process for a number n greater than or equal to 1 of messages MUi (i= 1 to n) transmitted by a transmitting terminal to a receiving terminal, this process including the following steps:
Before transmitting, by the transmitting terminal,

8
a- generating an ordered sequence comprising N data blocks Bj, (j= 1 to N), where N is an integer number greater than or equal to n; b- for each message MUi (i= 1 to n) , calculating a position pi in said ordered sequence of N blocks using a function F; c- encapsulating each message MUi (i= 1 to n) in block
Bj located in position pi, and; d- transmitting the ordered sequence comprising messages MUi to said receiving terminal;
and on reception, by the receiving terminal;
e- recalculating the positions pi (i = 1 to n) of blocks Bj encapsulating messages MUi using said function F; f- extracting blocks Bj located at positions pi (i= 1
to n) in the received ordered sequence; g- extracting the messages MUi encapsulated in said blocks Bj.
Using the method according to the invention, any attempt to add, replace or delete a message will be detected when the sequence of messages received by the receiving terminal does not respect the predetermined structure.
Furthermore, if a sequence of messages produced by a transmitting terminal according to the invention is transmitted to a terminal not conforming with the receiving terminal according to the invention, secondary control messages are then sent to this receiving terminal.

9
For example, these control messages may transport detection or sanction commands that could provoke detection or counter-measure operations. Detection may be of different types, such as memory of a log or incrementing a detection counter; counter-measures may for example consist of temporary invalidation or destruction of the card.
Preferably, said function F is a pseudorandom function initialised by at least one secret data shared by the transmitting terminal and the receiving terminal.
In a first variant embodiment of the method according to the invention, said secret data is defined as a function of the number N and/or the number n.
In a second variant, said secret data is defined as a function of at least one specific parameter of the generated ordered sequence.
According to another characteristic of the invention, the value of said secret data can be modified by the transmitting terminal using a sequence known only to said transmitting terminal.
In order for the receiving terminal to manage data blocks, each block Bj in the ordered sequence comprises a header indicating an identifier of said sequence and the position of said block Bj in this sequence.
In one variant, said header also comprises the value of the number N and/or the value of the number n.
In another variant of the invention, said ordered sequence also comprises at least one additional

10
message encapsulated in a block Bj of data located at a position different from positions pi (i = 1 to n) in said ordered sequence, without action or enabling activation of a detection and/or a sanction subsequent to an action by a frauder to divert useful messages MUi or an attempt at such action.
In one particular application of the method according to the invention that is designed to increase the security of a CAS type conditional access system, the plurality of useful messages MUi comprises at least one EMM message and/or at least one ECM message, and said transmitting terminal is arranged at an operator's network head-end.
In this case, said n messages MUi comprise at least one EMM message and/or at least one ECM message, and at least one of said numbers N and n is transmitted to the receiving terminal in an encrypted message.
The transmitting terminal sends said n messages MUi to the receiving terminal in a data flow also comprising scrambled audiovisual programs.
The method according to the invention is used by a transmitting terminal arranged at an operator's network head-end and configured to transmit a number n greater than or equal to 1 of messages MUi (i= 1 to n) to a receiving terminal.
The transmitting terminal according to the invention comprises:
- means of generating an ordered sequence comprising N data blocks Bj, (j= 1 to n) , where N is an integer number greater than or equal to n;

11
- means of calculating a position pi in said ordered sequence of N blocks using a function F, for each useful message MUi {i= 1 to n);
- means of encapsulating each message MUi (i= 1 to n) in the block Bj located at position pi;
- means of transmitting the ordered sequence comprising messages MUi to said receiving terminal.
The receiving terminal according to the invention comprises:
- means of recalculating positions pi (i= 1 to n} of blocks Bj encapsulating messages MUi using said function F;
- means of extracting said blocks Bj of positions pi
(i= 1 to n) in the received ordered sequence;
- means of extracting messages MUi from said blocks Bj.
At the end, the ' method according to the invention is implemented using a computer program stored on a medium and designed to be run in the transmitting terminal to:
- generate an ordered sequence comprising N data blocks Bj' (j= 1 to n)t where N is an integer number greater than or equal to n;
- for each useful message MUi (i= 1 to n) , calculate a position pi in said ordered sequence of N blocks using a function F;
- encapsulate each message MUi (i= 1 to n) in the block Bj located at position pi;
- send the ordered sequence comprising messages MUi to
said receiving terminal.
At the receiver end, the method according to the invention is implemented using a computer

12
program on a medium and designed to be run in the receiving terminal to:
- recalculate positions pi (i= 1 to n) of blocks Bj encapsulating messages MUi using said function F;
- extract said blocks Bj of positions pi (i= 1 to n) in the received ordered sequence;
- extract messages MUi from said blocks Bj.
BRIEF DESCRIPTION OP THE DRAWINGS
Other characteristics and advantages of the invention will become clear after reading the following description, given as a non-limitative example with reference to the appended figures among which:
- figure 1 represents a general flowchart
diagrammatically illustrating steps in the method
according to the invention used by the transmitting
terminal.
- figure 2 diagrammatically illustrates two
flows comprising ordered sequences of data transporting
messages according to the invention.
- figure 3 shows a flow chart
diagrammatically illustrating steps in the method
according to the invention used by the receiving
terminal.
DETAILED PRESENTATION OF PARTICULAR EMBODIMENTS
The invention will be described below in a particular application to a conditional access (CAS) type system. Useful messages to be transmitted are EMMs or ECMs transporting secret data such as encryption/decryption keys for a content broadcast by

13
an operator to several receiving terminals. Each receiving terminal is provided with a security processor comprising software for processing useful messages transmitted by the operator.
In this case, the operator can use different channels for broadcasting EMM and ECM messages. The operator can target addressees or particular groups of addressees using different addressing modes. Thus, an EMM-GA type message is addressed to all users in a given group {GA - General Audience), an EMM-S type message is addressed to a particular group of users (S - Shared), and an EMM-U type message is addressed to a single user {U - User). Typically, one channel is used to broadcast EMM messages in each of these addressing modes.
Note that even in the case of a single addressing mode, it is also possible to have different EMM channels. For example, on a mobile phone, some messages may be sent in the same multiplex as the multiplex that contains the video, and others may be transported in SMSs. It is also probable that several users will need to receive messages. Each EMM-U sent to one user must be considered as being an EMM channel in the context of this application.
EMM channels mentioned above are independent, and each EMM channel has its own sequencing context.
The different steps in the method according to the invention are described below with reference to figure 1.

14
At the network head-end, in step 2, the operator asks to send a number n of useful messages MUi (i= 1 to n) {EMM and/or ECM} to the CAS system.
Step 6 consists of generating said ordered sequence comprising N data blocks Bj.
Step 8 consists of calculating a position pi in said ordered sequence of N blocks for each message MUi (i= 1 to n), using a function F.
Step 10 consists of encapsulating each message MUi {i= 1 to n) in block Bj located in position
Pi-
Step 12 consists of transmitting the ordered sequence comprising messages MUi to receiving terminals.
Each receiving terminal:
- recalculates positions pi (i = 1 to n) of blocks Bj encapsulating messages MUi using said function F {step 14),
- extracts blocks Bj occupying positions pi (i= 1 to n) in the received ordered sequence {step 16).
- extracts messages MUi encapsulated in said blocks Bj (step 18).
Figure 2 diagrammatically illustrates a first flow of sequences 20 and a second flow of sequences 22. The first flow 20 comprises a first ordered sequence 24 comprising an integer number Nl of data blocks 26 and a second ordered sequence 28 also comprising Nl data blocks 30. The second flow 22 comprises a first ordered sequence 32 comprising an integer number N2 of data blocks 34 and a second ordered sequence 36 also comprising N2 data blocks 38.

15
Each data block (26, 30, 34, 38) comprises a first sub-block forming a header 40 and a second sub-block 42 comprising useful data in the block.
The header 40 comprises a sequence identifier SN, a parameter 0 indicating the position of a block Bj in the sequence and possibly a date indicating the emission date of the sequence identified by the parameter SN.
The sub-blocks 42 of the data blocks Bj (j= 1 to n) of the ordered sequence produced in step 10 encapsulate at least one additional message in the block Bj located at a position different from positions pi (i = 1 to n) calculated by the function F, in addition to the useful messages. The additional messages activate detection and/or a sanction following an action by a frauder to divert useful messages MUi, or an attempt at such an action.
Although figure 2 illustrates ordered flows of sequences, in one variant embodiment, blocks in an ordered sequence may be transmitted in a disordered sequence according to a random law.
Although figure 2 illustrates separate ordered flows of sequences, in one variant embodiment, the transmission of data flows could be organised such that between two blocks of at least one single ordered sequence, at least one block belonging to at least one other ordered sequence is sent.
Characteristics of function F.
Since the result of function F should not be predictable by an observer external to the system, this function is preferably chosen to be a pseudo-

16
random function, in other words it obeys a pseudorandom law built-up from pseudo-random generators initialised with parameters with equal values in the transmitting terminal and in the receiving terminals.
In a first variant embodiment of the method according to the invention, the function F is kept secret.
In this case, only terminals authenticated by the operator are authorised to memorise this function before flows of sequences are transmitted.
Parameters for calculating the positions pi using the function F may or may not be secret.
In a second variant, the function F is public and in particular it may be saved in terminals in plain text or it may be downloaded from an operator server.
In this case, at least one of the parameters to calculate positions pi using the function F is kept secret and is transmitted to receiving terminals in encrypted form.
One example construction of such a function F is described below.
Construction of the function F is based on an increase in the value of the number N and the number n, in other words in the number of positions to be determined in a sequence identified by the parameter SN, by a factor of ten (10) . Since this determination depends on the selection of successive bytes in a random number, ten also increases the number of bytes in this random number, which will therefore be assumed to be coded on 16 bytes in the following description.

17
Remember that X modulo ¥ denotes the remainder of the integer division of integer X by the non-null integer Y. The cardinal is denoted Card, in other words the number of elements in an assembly.
We will consider:
- SN, the identifier of the sequence considered that is to be constructed at the transmitting terminal end or to be processed at the receiving terminal end;
- N, the length of the sequence;
- n, the number of useful messages in this sequence;
- MUi, MU2, ..., MUn, the n useful messages to be transmitted in the sequence;
- K, a secret key shared by the transmitting and receiving devices.
A random number RAND specific to the sequence SN is calculated in the following form, using a pseudo-random generator such as a C cryptographic function:
C (K, SN) = RAND = RANDfi], 1 < i < 16 where RAND[i] denotes byte rank i in RAND C may typically be:
• A hash function H applied to concatenation of the key
K and the sequence identifier SN; the calculated
random number is. then:
H (K || SN) = RAND = RAND[i], 1 < i < 16;
• The AES (Advanced Encryption Standard) encryption
algorithm applied with key K to the sequence
identifier SN; the calculated random number is then:
AES (K, SN) = RAND = RANDfi], 1 < i < 16.

18
The position pi of MU4- in SN is then calculated in the form:
Pi = RAND[1] modulo N; for 1 < i < n:
namely Ex = {j integer / 0 < j < N} \ {p-j /
1 < j < i} = {1, 2, ..., N} \ {Pj / 1 < j < i}, all
positive integers less than or equal to N without
previously assigned positions, in other words all
positions still available;
Let F; = (Xj s E; / V 1 < k, 1 < Card (Ej) , k < 1 o xk < xi), the same set, ordered;
We when have: pi = x RANDJH modulo