OCAP Security File Generator (OCAP SFG)

The OCAP Security File Generator (OCAP SFG) provides a complete solution that allows broadcasters and application developers to manage the OCAP Security Infrastructure in a manner conforming to ETSI TS 102 812 and CableLabs OCAP specification.

OCAP SFG Common Download is a version of OCAP SFG designed specifically to address the security requirements for OCAP Common Download. It provides the following capabilities:

The certificate installer maintains a database of available certificates that are of interest to the application developer. The database can be updated from certificate files issued by the CableLabs Code Verification Certificate Authority. The database maintains an up to date list of all certificate locations and statuses. This facility simplifies the certificate file management process.

Certificate File Verifier

Application developers who do not generate their own certificates can use OCAP SFG to verify certificate chains that are provided by third parties. The verification includes tests for all X509 version 3 certificate extensions that are mandated for CableLabs Code Verification Certificates.

The verification also includes the ability to check against authenticated versions of the root certificates (rather than those included in the Code Download Signed Data file).

Code Image and CVT Signing

OCAP SFG allows device manufacturers to encapsulate their code image files and code version tables in a PKCS#7 Signed Data file. The Open Cable Security Specification requires code images to be prepared in this format for delivery to the receiver. The Open Cable Code Download Specification requires the code version table to be prepared in the PKCS#7 Signed Data format for delivery to the receiver.

OCAP SFG supports the independent generation and concurrent carriage of Manufacturer and CoSigner signer information within the PKCS#7 Signed Data file. OCAP SFG also supports the inclusion of all CableLabs specified Download Parameters within the PKCS#7 Signed Content section of the file.

Certificate Generation

These facilities are used by certificate authorities to generate X509 Certificates.

The X509 certificate generator creates new CA or leaf certificates according to the contents of a certificate request file. The certificate's Subject can include all of the Distinguished Name attributes specified as required or recommended by RFC 2459. The mandatory SubjectAlternateName can include rfc822Name (e-mail address), DNS name, URI name and IP addresses. The certificate generator includes the support of NameConstraints containing any of the field and name types allowed in the Subject and SubjectAlternateName attributes.

The X509 certificate generator also allows for the creation of self-signed root-certificates and for the generation of public/private key pairs.

Private Key Security

The DVB-MHP PKI Certification Practice Statement requires that certificate subscribers store their private keys on a cryptographic hardware device that is protected by suitable passphrase and/or other authentication (for example, biometric). OCAP SFG supports a range of such devices at varying costs across a range of computing platforms. For broadcasters and application developers, the most commonly used devices are USB tokens or smart cards that have been assessed for FIPS 140-2 compliance. OCAP SFG addresses these devices through the standard PKCS#11 application program interface, allowing a range of different hardware tokens to be supported.

The PKI Operator can generate key pairs on a range of tokens and securely deliver the token and the corresponding pass phrase to the subscriber. Alternatively, where a token that requires a biometric or where a higher level security device such as the nCipher nShield is installed using a PCI card form factor, OCAP SFG can generate a key and issue a PKCS#10 formatted certificate request to the PKI Operator.