Open Kernel for Access to Protected Interoperable Interactive Services
The main objective of the OKAPI project is to describe and establish the environment for the implementation of open, interoperable and equitable conditional access systems.
In an equitable approach the management of the scrambling keys is achieved through the use of Trusted Third Parties (TTPs).
The proposed solution relies on public key cryptography and on secure software downloading into security modules.
Several very large-scale projects, namely DAVIC and DVB, aim at interoperability for conditional access systems. With regard to these projects, the position of the OKAPI project can be summarised as follows:
to understand the new technological developments towards interoperability and openness,
to guide and help the current work direction,
to think a step further, as every research project does.
OKAPI should promote the solutions that really improve interoperability and openness. It should also propose solutions and demonstrate their accuracy regarding both security and market place aspects.
The technical approach is summarised as follows:
to understand the new standards on new positions from the large-scale projects,
to analyse the accuracy of these positions towards interoperability and openness,
to propose an infrastructure for equitability,
to demonstrate the validity of these proposals,
to implement the proposed solution within trials.
The OKAPI protocols use public key cryptography developments to provide both high security and interoperability. This solution must be compliant with the new standards or recommendations. An infrastructure implementing the protocols is developed, enabling certification, privacy, and consumer and service provider protection.
The security of the cryptographic and communication protocols is validated with LOTOS. The specifications describe the functionality of the modules for each actor (user, service provider, TTPs), together with guidelines for their implementation. Instances of these modules are then implemented within trials. This allows on-the-ground testing of the solution.
The new developments in conditional access system interoperability suggest that the next step would probably be the download of part or the whole of a system. OKAPI studies this solution in depth, analysing the hardware requirements, the logical security means for the protection of the service provider, and the integration into the current OKAPI protocols. OKAPI should be able to provide major contributions when the standardisation bodies start to consider downloading.
Summary of Trial
Three main trials are planned:
The ATM trial: the OKAPI security protocols will be tested in a fully DAVIC-compliant environment. This trial is managed by CSELT. A test platform will be set up to implement the four main functions involved: the Service Provider (SPv), one or more User Terminals (U), a Trusted Third Party (TTP) and the Carrier (CR).
The Internet Simulator: a games championship combined with the OKAPI conditional access system simulation and demonstration. This trial is managed by ADETTI, PT.
The CampusNet: an Intranet on the UCL campus. This trial aims to demonstrate the security level of the system by implementing it in an 'aggressive' environment: high-speed access to the Internet will be offered to more than 200 users on the Campus-Net of Louvain-la-Neuve. Conditional access (user authentication, message certification, ...) will be implemented by the OKAPI kernel.
Trusted Third Parties network to ensure the interoperability of the system.
Software downloading for the reliability and the openness of the system.
The project has completed its preliminary version of a conditional access system based on a DAVIC-compliant platform and on IP connection to certification authorities. The Internet simulator for TTP based on conditional access is now operational, and the test bed for OKAPI kernel evaluation is set up on a Campus Net.
OKAPI expects to provide the answer to issues regarding Access Control to Multimedia services in an Open environment.
OKAPI will have an impact on DAVIC and DVB security specifications, by actively promoting its Kernel as a basis for standardising an Access Control system.