EP0748073A1 - Message transmission protocol for access control for RDS applications; transmitting and receiving means therefor - Google Patents

Abstract

The access control is performed by messages distributed over at least one group of four consecutive blocks of binary digits. A program identification message (PI) is transmitted in uncoded form over the first block (A), and an encoded message (TG) representing the type of group and a specific application channel message (VA) is transmitted over the second block (B). A number of application messages, at least partially encrypted, and uncoded access control messages (CA) are transmitted in at least partially encrypted form over the remaining blocks (C,D).

Description

The invention relates to a protocol for sending access control messages to RDS applications, to a corresponding sending device and to a receiving device.

The RDS system (for Radio Data System) is the data broadcasting system, as defined by the EBU, intended mainly for motorists who wish to listen to audio programs broadcast in frequency modulation. For most European broadcasters, this system has become a fully-fledged service delivery medium, with many motorists now enjoying the benefits and services distributed on this medium. However, these services are not limited to the latter.

At the present time, many manufacturers of receivers offer FM receivers specially equipped for the reception of RDS messages at very competitive prices.
In fact, the RDS system offers a wide range of application possibilities such as communication of road messages, radio messaging, remote display or others. Basic services such as program identification (PI), program chain name (PS), list of other frequencies (AF) on which the same program is broadcast, identification of programs for motorists (TP) and road announcements or program genre code (PTY), are provided by the aforementioned receivers.

In addition to the services mentioned above, the establishment of value-added services is desirable and conceivable, provided, however, that there is a system for controlling access to these services to ensure effective management of the latter. .

In general, it is recalled that the RDS system allows the transmission of digital data according to a well-established transmission protocol, a succession of RDS data groups designated by RDS groups. Each RDS group necessarily comprises four successive blocks of bits or bits, block A, block B, block C and block D, each block comprising 26 bits, 16 bits of RDS data and 10 bits of error correction code.

• la faible ressource, en capacité de débit d'information, du système RDS. La ressource disponible, les services de base étant déduits, est limitée à 253,5 bits/s, soit de l'ordre de 7 à 8 groupes RDS par seconde. Une telle ressource doit en outre être partagée entre le service ou application considérée d'une part, et le contrôle d'accès à ce service ou à cette application, d'autre part ;
• les conditions de réception des mobiles destinataires, lorsque les récepteurs sont installés sur des mobiles. Les conditions de réception d'une porteuse radiofréquence en bande 2 sont très variables. Le taux d'erreur bit, du fait de la transmission, peut varier de 7.10^-5 à 4.10^-2 ;
• la limitation introduite du fait de l'existence, pour chaque émetteur, d'une zone de couverture, au mieux équivalente à celle de l'émetteur FM concerné, l'audience du service, bien que plus large, voyant sa portée réduite à une zone locale ou régionale ;
• la sensibilité aux trajets multiples. Les données diffusées sont très sensibles aux trajets multiples, et, dans ce cas, le code d'erreurs RDS (27,17) est souvent en dépassement.

Due to the data structure imposed by the format of the RDS groups, the implementation of a specific access control system must be carried out taking into account the corresponding constraints inherent in the RDS system itself. Among these constraints, we should mention in particular:

• the low resource, in information flow capacity, of the RDS system. The available resource, the basic services being deducted, is limited to 253.5 bits / s, ie of the order of 7 to 8 RDS groups per second. Such a resource must also be shared between the service or application considered on the one hand, and access control to this service or this application, on the other hand;
• the reception conditions of the destination mobiles, when the receivers are installed on mobiles. The reception conditions for a band 2 radio frequency carrier are very variable. The bit error rate, due to the transmission, can vary from 7.10 ^-5 to 4.10 ^-2 ;
• the limitation introduced by the existence, for each transmitter, of a coverage area, at best equivalent to that of the FM transmitter concerned, the audience of the service, although wider, seeing its range reduced to a local or regional area;
• sensitivity to multipath. The broadcast data is very sensitive to multipath, and in this case the RDS error code (27,17) is often exceeded.

• peu cher vis-à-vis du coût du service ou de l'application considérée ;
• flexible et évolutif, afin d'assurer un degré de résistance raisonnable au piratage ;
• utilisable et compatible avec toutes les applications RDS, anciennes, nouvelles et futures applications RDS ;
• ouvert et pouvant s'adapter aux différentes techniques de chiffrement de ces applications, afin d'assurer la pérennité même du système de contrôle d'accès.

Finally, the implementation of a control system access can only be envisaged if it has certain minimum characteristics, such a system having to be:

• inexpensive compared to the cost of the service or application considered;
• flexible and scalable, to ensure a reasonable degree of resistance to hacking;
• usable and compatible with all RDS applications, old, new and future RDS applications;
• open and able to adapt to the different encryption techniques of these applications, in order to ensure the very durability of the access control system.

The subject of the present invention is a system for controlling access to RDS applications implemented using a protocol for transmitting access control messages to these applications, a transmitting device and a receiving device. such corresponding messages satisfying in all respects the constraints previously mentioned in the description.

The protocol for transmitting access control messages to applications on an RDS medium, object of the invention, in which the access control is carried out on the basis of access control messages distributed over at least one RDS group of four consecutive blocks of binary elements, is remarkable in that it consists, on transmission, for the RDS group considered, of transmitting in clear text on the first block of this RDS group a program identification message, to transmit in clear on the second block of the RDS group a coded message representative of the type of RDS group, relating to this RDS group, and a specific RDS application channel message, to be transmitted in at least partially encrypted form on the third and the fourth RDS block a plurality of RDS application messages respectively of access control messages.

The device for controlling access to applications on an RDS medium, object of the present invention, in which the access control is carried out on the basis of access control messages distributed over at least one RDS group considered of four consecutive blocks of binary elements, each block comprising a field information and a parity check field, is remarkable in that it comprises, at the level of an FM transmitter equipped with an RDS coder, a clear coding module on the first block of the RDS group considered of a program identification message, a clear coding module on the second block of the RDS group considered of a coded message representative of the type of RDS group relating to the RDS group considered and an application channel message representative of at least one specific RDS application, a coding module in at least partially encrypted form on the third block of the RDS group considered of a plurality of RDS application messages respectively in clear of control of ac ces, a clear coding module on the fourth block of the RDS group considered of a plurality of messages, access control message, parity message, redundancy message, and, in encrypted form, RDS application messages , the message coding modules on the first, second, third and fourth blocks of the RDS group considered being interconnected with the RDS coder of the FM transmitter.

The device for controlling access to RDS applications to a user device, in which access control is carried out on the basis of access control messages transmitted on at least one RDS group considered of four consecutive blocks of elements binary, each block comprising an information field and a parity control field, object of the present invention, is remarkable in that it comprises, at the level of an FM receiver equipped with an RDS decoder, a module for discrimination of the RDS group considered, a discrimination module in the consecutive blocks of the RDS group considered discriminated, access control messages and application messages encrypted, a module for decrypting encrypted RDS application messages making it possible to generate information from decrypted RDS applications, a conditional access control module for RDS applications decrypted on the basis of identity criteria for access control information and reference access control information. All of the modules are interconnected at the cutoff between the RDS decoder and the user device.

The protocol for transmitting access control messages to RDS applications and the corresponding access control device find application in the management of all types of RDS applications.

• la figure 1 représente, sur un groupe RDS, un schéma illustratif du format des messages de contrôle d'accès selon le protocole d'émission de messages de contrôle d'accès, objet de la présente invention ;
• la figure 2a représente un schéma synoptique d'un processus générateur, à l'émission, d'une suite chiffrante permettant d'effectuer un chiffrement/déchiffrement des messages d'applications RDS, en vue du contrôle d'accès à ces applications ;
• la figure 2b représente sur le deuxième bloc, bloc B du groupe RDS considéré, la structure des messages de contrôle d'accès ;
• la figure 2c représente sur le troisième bloc, bloc C du groupe RDS considéré, la structure des messages de contrôle d'accès ;
• la figure 2d représente sur le quatrième bloc, bloc D du groupe RDS considéré, la structure des messages de contrôle d'accès ;
• la figure 2e représente sur les troisième et quatrième blocs, bloc C et bloc D du groupe RDS considéré, un exemple de structure de messages d'images des clés ;
• la figure 2f représente sur les troisième et quatrième blocs, bloc C et bloc D du groupe RDS considéré, un exemple de structure de messages de synchronisation ;
• la figure 2g représente un processus de création à l'émission et d'utilisation à la réception d'une signature condensée conformément au protocole objet de la présente invention ;
• la figure 3 représente une variante de mise en oeuvre du protocole de transmission de messages de contrôle d'accès, dans le cas où, en lieu et place du processus de chiffrement/déchiffrement par la mise en oeuvre de la suite chiffrante, des messages d'applications directement chiffrés ou cryptogrammes sont transmis sur le bloc RDS considéré, le processus de chiffrement/déchiffrement étant réalisé à partir d'un algorithme de type classique ;
• la figure 4 représente, à titre d'exemple non limitatif, un dispositif permettant l'émission de messages de contrôle d'accès à différentes applications RDS, conforme à l'objet de la présente invention ;
• la figure 5 représente, à titre d'exemple non limitatif, un dispositif permettant la réception d'applications RDS soumises à un protocole de contrôle d'accès conforme à l'objet de la présente invention.

They will be better understood on reading the description and on observing the drawings below in which:

• FIG. 1 represents, on an RDS group, an illustrative diagram of the format of the access control messages according to the protocol for transmitting access control messages, object of the present invention;
• FIG. 2a represents a block diagram of a generating process, on transmission, of an encryption suite enabling encryption / decryption of messages of RDS applications, with a view to controlling access to these applications;
• FIG. 2b represents on the second block, block B of the RDS group considered, the structure of the access control messages;
• FIG. 2c represents on the third block, block C of the RDS group considered, the structure of the access control messages;
• FIG. 2d represents on the fourth block, block D of the RDS group considered, the structure of the access control messages;
• FIG. 2e represents on the third and fourth blocks, block C and block D of the RDS group considered, an example of structure of key image messages;
• Figure 2f shows on the third and fourth block, block C and block D of the RDS group considered, an example of the structure of synchronization messages;
• FIG. 2g represents a process of creation on transmission and use on reception of a condensed signature in accordance with the protocol which is the subject of the present invention;
• FIG. 3 represents an alternative implementation of the protocol for transmitting access control messages, in the case where, instead of the encryption / decryption process by the implementation of the encryption suite, messages of 'applications directly encrypted or cryptograms are transmitted on the RDS block considered, the encryption / decryption process being carried out using a conventional algorithm;
• FIG. 4 represents, by way of nonlimiting example, a device allowing the transmission of access control messages to different RDS applications, in accordance with the object of the present invention;
• FIG. 5 represents, by way of nonlimiting example, a device allowing the reception of RDS applications subjected to an access control protocol in accordance with the object of the present invention.

A more detailed description of the protocol for transmitting access control messages to applications on an RDS medium, which is the subject of the present invention, will now be given in conjunction with FIG. 1.

Referring to the aforementioned figure, it is indicated that access control to RDS applications, in accordance with the object of the present invention, is carried out from access control messages distributed over at least one RDS group of four blocks. consecutive bits.

This protocol consists, on transmission, for the RDS group considered, of transmitting in clear on the first block of the RDS group a PI program identification message and of transmitting in clear on the second block, block B of the RDS group, a TG coded message representative of the relative RDS group to the RDS group considered and a VA application channel message representative of at least one specific RDS application, that for which the access control is performed.

In addition, as shown in FIG. 1 above, the transmission protocol consists in transmitting, in at least partially encrypted form on the third C and the fourth D RDS block, a plurality of RDS application messages, these messages d RDS applications being transmitted in the form of at least partially encrypted, respectively of access control messages. In general, it is indicated that the access control messages are transmitted in clear.

In FIG. 1, the structure of the blocks A, B, C, D is represented constituting the RDS group considered.

Each block includes a data or information field coded in 16 bits and a parity check field coded in 10 bits, the RDS group considered comprising a total of 104 bits. In general, it is indicated that the usual RDS service data messages and that the access control message in accordance with the object of the present invention are transmitted on the third and fourth blocks, blocks C and D , as shown in Figure 1, a parity message and a redundancy message being transmitted on the fourth block, block D. These messages occupy the entire information field of the third and fourth block as shown in Figure 1 By way of example, it is indicated that the RDS data message relating to the RDS application is coded on the 16 bits of the third block, block C, the parity message is coded on 1 bit for example on the fourth block, block D, the CRC redundancy message is coded on 8 bits in the field of the fourth block, block D, and the access control message CA is coded on the 16 bits of block C and on the remaining 7 bits of the fourth block , block D.

Thus, the application channel message VA is intended to indicate to a suitable receiver the type code of group of scrambled data while the message consisting of the RDS data field or applications of the information field of the third block C, ie 16 bits plus the 7 bits of the access control message of block D in total 23 bits, are used to provide the access control system proper to the RDS application in question.

• un code détecteur d'erreurs, de type FIRE (35,27), toutes les possibilités de ce code d'erreurs en matière de détection et de correction étant utilisées ;
• un système permettant de détecter les erreurs résiduelles impaires.

An RDS error code (27,17) can then be used to correct an erroneous data packet of size less than or equal to 5. It is necessary to take into account the errors generated by the error code in case of overflow of the last. To this end, access control messages are protected against residual errors by:

• an error detector code, of the FIRE type (35, 27), all the possibilities of this error code in terms of detection and correction being used;
• a system for detecting odd residual errors.

The FIRE code (35,27) is used in its shortened form, the length n = 32 and the message size being 24 bits. This error code makes it possible to correct packets of size 3 errors. The above parity message or parity bit makes it possible to detect the odd residual errors.

According to a particularly advantageous characteristic of the protocol for transmitting access control messages to RDS applications object of the present invention, and this in order to ensure the compatibility of this protocol with previous or current RDS applications, the step of transmission in at least partially encrypted form of the third block of an RDS application message consists in modulating the data into encrypted and unencrypted data in packets with a determined number of consecutive bits.

Thus, for the information field of block C, it is understood that in the case where the data of the information field of block B are likely to overflow on the information field of block C, a scrambling mask of the field block C information element is then used as shown in FIG. 1. This scrambling mask can consist in preserving from scrambling the first four bits of the 16-bit information field of the third block C, these first four bits then always being encoded in clear. The next twelve bits of the information field in block C are then reserved for RDS application data and can then be encrypted or unencrypted by modules of four bits, at discretion, depending on the application considered. In any case, the last four-bit module is always encrypted so as of course to ensure access control to the RDS application considered.

The encryption of RDS application messages can be carried out without limitation on transmission, using a 32-bit encryption suite.

As shown in FIG. 2a, the ciphering sequence is generated by means of a pseudo-random sequence generator receiving a clock signal and a generator polynomial, denoted P (x), as well as an initial loading word, noted I (x).

The encryption process for RDS application messages is performed over several basic periods. Each basic period is assigned a specific encryption key.

Each basic period is broken down in turn into several diversification periods for which the allocated encryption key is unchanged during these diversification periods. The diversification is obtained by means of diversification parameters VD, V, the diversification parameter V taking into account the value of the RDS group considered.

In general, it is indicated that the transmission scrambling cycle can be composed of one or more basic periods with which a specific encryption key is associated.

The low resource in transmission capacity of the RDS system as previously mentioned in the description does not allow to assign or make coexist several operators or several service providers for the same transmission channel. To this end, two classes of services are provided for the same operator or for the same service provider.

• abonnement à la durée,
• abonnement par date de validité.

In accordance with a particular aspect of the protocol for transmitting access control messages which is the subject of the present invention, two classes of subscription are provided for a user:

• duration subscription,
• subscription by validity date.

Of course, the scrambling parameters are known on reception, on the one hand, thanks to the access control messages transmitted in the protocol for transmitting the access control messages according to the subject of the present invention. , and, on the other hand, encryption data which, according to a particular aspect of the protocol for transmitting access control messages to RDS applications which is the subject of the present invention, can be stored on a tamper-proof storage medium as will be described in more detail in connection with a corresponding device.

• un premier type, dit messages d'image de clés de chiffrement, représentatif de la clé de chiffrement spécifique de base pour la durée de base courante ;
• un deuxième type, dit messages de synchronisation, permettant de valider la clé de chiffrement spécifique de base associée à la durée de base suivant la durée de base courante ;
• un troisième type, dit messages de fin de chiffrement, permettant de discriminer les applications RDS chiffrées et non chiffrées.

With regard to the access control messages themselves, it is indicated that, according to a particularly advantageous characteristic of the protocol, which is the subject of the present invention, these consist of messages of three distinct types:

• a first type, called encryption key image messages, representative of the specific base encryption key for the current base duration;
• a second type, called synchronization messages, making it possible to validate the specific basic encryption key associated with the basic duration according to the current basic duration;
• a third type, called end of encryption messages, allowing to discriminate between encrypted and unencrypted RDS applications.

In accordance with one aspect of the protocol for transmitting access control messages to RDS applications according to the invention, the above-mentioned RDS applications and the corresponding access control messages advantageously use a particular type of group of all RDS groups. By way of nonlimiting example, it is indicated that the type of group used can be group 5A.

As shown in FIG. 2b, it is indicated that the access control messages have a common structure, these messages, coded in clear, being distributed over the blocks B, C and D of the RDS group considered.

In FIG. 2b above and for block B of the RDS group considered, the row of the bit considered in the information field of the latter, the number of corresponding bits as well as the name of the field and the comments are represented for this RDS block. correspondents.

With regard to block B, it is indicated that the data of the latter is never encrypted or scrambled. The bits for which the field name and comments have been represented in gray play a different role depending on the type of access control message considered.

It is thus indicated that as regards the group type message, denoted TG, this can be coded on 4 bits in the information field of the second block B of the RDS group considered.

The message relating to the application channel VA of the information field of the second block B is coded on 5 bits. It is thus understood that for a given application channel among the 2 ⁵ application channels, there is, per RDS group considered, group 5A, a transmission potential of 32 bits corresponding to the information field of the third and fourth blocks, C and D, thus constituting a route of application considered.

In FIG. 2b, it is indicated that the message of type group message TG is coded on bits A ₀ to A ₃ while the application channel message VA is coded on bits V ₀ to V ₄ for coding the application channel.

• les messages d'image des clés précédemment cités, et
• les messages de synchronisation ou de fin d'embrouillage.

With regard to the access control messages of blocks C and D, it is indicated that these essentially use two kinds of messages:

• the image messages of the keys mentioned above, and
• synchronization or end of scrambling messages.

Key image messages and synchronization messages support the signaling and information necessary for the management and proper functioning of the access control system itself.

• Le message TM est un message d'identification de type de messages transmis sur le groupe RDS considéré, ce message de type de messages TM étant codé sur un bit, le bit C₁₅. Pour la valeur 0 par exemple, ce message indique que le message transmis sur le groupe RDS considéré est un message de voie de service, alors que pour la valeur 1 du bit correspondant le message transmis correspond à un message de contrôle d'accès.
• Le message TSC désigne un message discriminateur du type de système de chiffrement utilisé. Ce message est codé sur deux bits, les bits C₁₄ et C₁₃, et est représentatif du système cryptographique utilisé. Pour une valeur 01 du message TSC, le chiffrement est réalisé à partir des images des clés de chiffrement produites à l'émission et de la suite chiffrante,
• pour la valeur 00 du message TSC, le chiffrement utilisé est un chiffrement de type DES ou RSA réalisé à l'émission, des cryptogrammes correspondants étant transmis sur le bloc RDS considéré, ainsi qu'il sera décrit ultérieurement dans la description.
• Pour un message TSC égal à 10, le système cryptographique utilisé permet la transmission d'une signature du cryptage dans des conditions qui seront décrites ci-après dans la description.
• Pour un message TSC égal à 11, le système cryptographique utilisé provoque une émission de clés cryptées avec obligation de transmission de signature.

FIG. 2c shows the common structure of the access control messages on the third block C of the RDS group considered. The 16-bit information field includes the bits referenced C ₀ to C ₁₅ .

• The message TM is a message identifying the type of message transmitted on the RDS group under consideration, this message of the type of messages TM being coded on one bit, the bit C ₁₅ . For the value 0 for example, this message indicates that the message transmitted on the RDS group considered is a service channel message, while for the value 1 of the corresponding bit the message transmitted corresponds to an access control message.
• The TSC message designates a message discriminating the type of encryption system used. This message is coded on two bits, bits C ₁₄ and C ₁₃ , and is representative of the cryptographic system used. For a value 01 of the TSC message, the encryption is carried out from the images of the encryption keys produced on transmission and from the encryption suite,
• for the value 00 of the TSC message, the encryption used is a DES or RSA type encryption performed on transmission, corresponding cryptograms being transmitted on the RDS block considered, as will be described later in the description.
• For a TSC message equal to 10, the cryptographic system used allows the transmission of an encryption signature under conditions which will be described below in the description.
• For a TSC message equal to 11, the cryptographic system used causes an emission of encrypted keys with obligation to transmit a signature.

• pour la valeur 0 du message SV, toutes les voies de l'application sont chiffrées,
• pour la valeur 1 du message SV, seule la voie spécifiée par le numéro de voie est chiffrée.

In addition, a channel selection message SV is provided, this message being coded in one bit, bit C ₁₂ of block C.

• for the value 0 of the SV message, all the channels of the application are encrypted,
• for the value 1 of the SV message, only the channel specified by the channel number is encrypted.

In addition, a channel number message corresponding to the current channel number used for the transmission of encrypted RDS application messages, this message being referenced NV, is provided and coded in five bits, bits C ₇ to C ₁₁ .

An IS service identification message is coded on one bit, the C ₆ bit, which makes it possible to switch access to a first or a second application denoted Service 1 or Service 2 depending on the value of the C ₆ bit.

Finally, a message making it possible to discriminate the nature of the communication, either of an image message of the encryption key, or of a synchronization message, C / S message is coded on one bit, bit C ₅ of the block C shown in Figure 2c. By way of nonlimiting example, for the value 0 of the bit C ₅ , and therefore of the C / S message, the message transmitted is an image message of the keys whereas, on the contrary, for the value 1 of this same bit C ₅ , the message transmitted is a synchronization or end of encryption message as will be described later in the description.

The bits C ₀ to C ₄ of the block C are used in particular as a function of the value of the C / S message image of the keys or of synchronization as will be described later in the description.

Finally, with regard to block D, the fourth block of the RDS group considered, it is indicated that this is represented in FIG. 2d. The information field represented by bits D ₀ to D ₁₅ comprises 7 bits, D ₉ to D ₁₅ normally reserved for the transmission of encrypted application messages, a parity bit, the bit De, and eight bits of correcting code of errors, CRC, corresponding to bits D ₀ to D ₇ . The error correcting code is of the FIRE type (35,27) as described previously in the description.

Given the common structure of the access control messages previously described in connection with FIGS. 2b, 2c and 2d, the protocol for transmitting access control messages for RDS application, object of the present invention, makes it possible to provide three classes of cryptographic services and a pseudo-random creation process with image of the encryption keys.

• TSC = 01 pour laquelle la suite chiffrante paramétrée par des clés diversifiées dans le temps est utilisée,
• pour TSC = 00, utilisation de cryptogrammes sur la ou les voies spécifiées par les messages d'image des clés tels que donnés dans la table 1 ci-après.

The TSC cryptographic system type message previously described thus makes it possible to distinguish between two points:

• TSC = 01 for which the encryption suite configured by time-diversified keys is used,
• for TSC = 00, use of cryptograms on the channel or channels specified by the key image messages as given in table 1 below.

In principle, DES and RSA encryption algorithms can be used. Synchronization messages do not change and thus keep the same meanings. The information relating to the RDS application, that is to say the RDS application messages are then encrypted in the cryptographic sense of the term.

The bits C ₄ and C ₃ previously described in the description define the cryptographic algorithm used. The signature of the encrypted messages is then sent only for the value of the corresponding AC as given below in table 1 above. Key picture messages (AC) Algorithm Comments C ₄ C ₃ Standard Signature 0 0 OF No Encrypted messages without signature 0 1 RSA No Encrypted messages without signature 1 0 OF Yes Encrypted messages with signature 1 1 RSA Yes Encrypted messages with signature

In such a case, the signature is sent on a single channel specified by the key image messages.

For TSC = 10, the signatures of the encrypted messages are then transmitted. This operating mode must be consistent with the sending of encrypted messages TSC = 00. Only one channel specified by the access control messages then contains the corresponding signature on three RDS groups in accordance with the values of bits C ₄ , C ₃ such that shown in table 2 below.

Key picture messages (AC) Algorithm Comments C ₄ C ₃ Standard Signature 0 0 Not used 0 1 Not used 1 0 OF Yes Signature of DES encrypted messages 1 1 RSA Yes Signature of RSA encrypted messages

For TSC = 11, the encrypted keys used are then transmitted. The transmission of encrypted keys used for decryption on reception then uses a single channel specified by the control messages. access and must be accompanied by a signature. The value of bits C ₄ and C ₃ is then given by table 3 below.

Key picture messages (AC) Algorithm Comments C ₄ C ₃ Standard Signature 0 0 OF Sign Cryptogram of a key issued in DES 0 1 RSA Sign Cryptogram of a key issued in RSA 1 0 OF Yes Cryptogram of the key signature issued 1 1 RSA Yes Cryptogram of the key signature issued

The signature then uses the same and same channel as the cryptogram of the encrypted keys emitted. The encryption key index allows you to find the key to use to decrypt the received cryptogram. However, the issued and received decrypted key is only validated when the cryptogram of the corresponding issued signature is correct. The index of keys and cryptogram of the signature is different.

The transmission of the cryptograms of the encrypted keys transmitted can be complementary to the services for TSC = 01 and 00. For TSC = 10, only the cryptogram for the signature of the encrypted messages is transmitted.

A more detailed description of the structure of the key image messages will now be given in connection with FIG. 2e.

For the RDS groups on which the RDS application is transmitted, blocks A and B are always coded in clear, that is to say in the absence of encryption. Block C can be partially or completely encrypted according to a multiple of groups of 4 bits from the least significant as described previously in the description. As to RDS D block, it is always encrypted. The scrambling mask of block C makes it possible to modulate the range of the binary elements of the encryption suite, that is to say at least 20 bits and at most 32 bits.

For key image messages, blocks A, B, C, D are always in clear.

When the bit C ₅ of the block C is at the value 0, that is to say when the message C / S making it possible to identify the image message of the keys is equal to 0, the blocks A, B, C and D are always coded in clear. A TD field corresponding to bits C ₀ and C ₁ indicates to the receiver the type of diversification used on transmission.

A message of index of the encryption key used, message of index of key IC, is then transmitted on 7 bits on block D, bits D ₉ to D ₁₅ . This message indicates the active key to apply when the synchronization messages are received.

In block C, bit C ₅ represents the C / S message, key image message, this key image message being transmitted for the value equal to 0 of the aforementioned bit C ₅ .

• 00 quarté de poids faible embrouillé ;
• 01 octet de poids faible embrouillé ;
• 10 trois quartés de poids faible embrouillé ;
• 11 deux octets du bloc C embrouillé.

Bits C ₄ and C ₃ correspond to a scrambling masking or cryptography algorithm message as indicated below:

• 00 scrambled low weight;
• 01 scrambled least significant byte;
• 10 three quartets of low weight scrambled;
• 11 two bytes of the scrambled block C.

The scrambling mask message ME corresponds to bits C ₃ and C ₄ of block C.

Bit C ₂ is a diversification message or flag.

When, as shown in FIG. 2f, the bit C ₅ is at the value 1, the access control message consists of a synchronization or end of scrambling message.

• de synchroniser la mise en oeuvre des clés valides en cours de réception ou de nouvelles clés en cours d'émission ;
• de synchroniser le désembrouillage après la réception ou la prédiction d'un groupe RDS 4A délivrant l'heure et la date, la synchronisation ainsi réalisée étant désignée par synchronisation immédiate ;
• de synchroniser le désembrouillage après la réception ou la prédiction d'un certain nombre de groupes 4A transmettant l'heure et la date, cette synchronisation étant désignée par une synchronisation différée et maîtrisée dans le temps ;
• de fournir au récepteur la valeur de diversification. Le type de diversification est défini par ailleurs par le message d'image des clés ;
• de signaler au récepteur la fin de désembrouillage, cette opération étant faite de façon explicite. Elle peut être immédiate, c'est-à-dire n'ayant aucun lien temporel avec le groupe 4A délivrant l'information d'heure et de date, ou différée par comptage des groupes RDS 4A reçus ou prédits.

Synchronization messages as shown in Figure 2f then allow:

• synchronize the implementation of valid keys during reception or new keys during transmission;
• synchronize descrambling after reception or prediction of an RDS 4A group delivering the time and date, the synchronization thus achieved being designated by immediate synchronization;
• synchronize the descrambling after the reception or the prediction of a certain number of groups 4A transmitting the time and the date, this synchronization being designated by a deferred synchronization and controlled over time;
• to provide the receiver with the diversification value. The type of diversification is also defined by the key image message;
• to signal to the receiver the end of descrambling, this operation being done explicitly. It can be immediate, that is to say having no temporal link with the 4A group delivering the time and date information, or delayed by counting the RDS 4A groups received or predicted.

• C/S : message de synchronisation = 1 ;
• VD : valeur de diversification comprise en codage hexadécimal entre 01 et FF, 00 marquant la fin de l'embrouillage ;
• VT : validation temporelle immédiate ou différée.

In FIG. 2f, it is indicated that the synchronization message represented corresponds to:

• C / S: synchronization message = 1;
• VD: diversification value included in hexadecimal coding between 01 and FF, 00 marking the end of scrambling;
• VT: immediate or delayed time validation.

• la validation est immédiate et dans ce cas, le message VT est égal à 0 ou ≥ 8. Le déchiffrement se fait alors sur le ou les numéros de voie d'application spécifiés par les messages de contrôle d'accès ;
• la validation est différée : au départ, le message VT est égal à une valeur comprise entre 1 et 7. Cette valeur est décrémentée à l'émission toutes les minutes en synchronisme avec les groupes RDS 4A. Le déchiffrement est alors effectué sur le ou les numéros d'application spécifiés par les messages de contrôle d'accès.

The use of temporal, immediate or deferred validation is defined in particular according to the following methods:

• validation is immediate and in this case, the VT message is equal to 0 or ≥ 8. The decryption is then done on the application channel number (s) specified by the access control messages;
• validation is deferred: at the start, the VT message is equal to a value between 1 and 7. This value is decremented on transmission every minute in synchronism with the RDS 4A groups. The decryption is then carried out on the application number or numbers specified by the access control messages.

With regard to service channel messages, when the message TM has the value 0, 31 bits without error code or 22 bits protected by an error correcting detector code and a parity bit are then available. Service channel messages are never encrypted or scrambled.

In a preferred embodiment of the protocol for transmitting access control messages to applications on an RDS medium, which is the subject of the present invention, it is indicated that, instead of encrypting sequences, the cryptograms or encrypted sequences themselves same are transmitted via RDS support.

In such an embodiment, the encrypted message constituted by the cryptogram, due to the limited transmission resources of the RDS system, must not exceed 256 bytes, that is to say 2048 bits.

Thus, it is possible to transmit in encrypted 64-bit portions the corresponding cryptograms, the latter having been obtained by encryption according to the DES or RSA standard with an internal key.

In general, it is indicated that each 64-bit portion of the encrypted cryptograms is transmitted via three RDS groups, which are advantageously transmitted under the conditions below described in connection with FIG. 3.

Each 64-bit portion or cryptograms encrypted according to the DES or RSA standard is subdivided, as shown in FIG. 3, into a first 21-bit section, a second 22-bit section and a third 21-bit section. The aforementioned 64 bits constitute by definition the cryptogram or a portion of the transmitted cryptogram.

Preferably, and according to a particularly advantageous aspect of the protocol for transmitting access control messages to applications on an RDS medium, which is the subject of the present invention, it is indicated that it is implemented, both at transmission that upon reception, from a tamper-resistant memory medium of the memory card type, a motherboard used for transmission containing 128 secret keys identified by a pointer, index of the IC key, when the DES standard is used .

Regarding the RSA standard, the motherboard contains 128 public keys.

In both cases of use of the DES or RSA standards, the daughter card contains the 128 secret keys pointed by the same key index IC, when the DES standard is used, and, on the contrary, 128 secret keys for the same modulo n when the RSA standard is used.

In the two embodiments of the protocol which is the subject of the present invention, that is to say when either the DES standard or the RSA standard are used, it is then possible, as shown diagrammatically in FIG. 3, to use all the channels coded by the message application channels VA, that is to say all of the 32 channels in order to ensure the transmission of the aforementioned cryptograms.

Under these conditions, each channel can then successively transmit the first 21-bit segment, the second 22-bit segment and the last 21-bit segment of a cryptogram on three RDS groups, as shown diagrammatically in FIG. 3.

Two link bits, denoted BL, whose values are chosen according to a particular Hamming distance then make it possible to reconstruct the cryptogram with maximum certainty. A virtual Boolean index is calculated at each entry point. At each complete cycle, the Boolean variable is complemented.

Transmission for each 64-bit cryptogram is thus carried out on three successive RDS groups or not, a first RDS group called synchronizing group allowing the transmission of the first section of 21 bits, a second RDS group said intermediate group allowing the transmission of the section, cryptogram, of 22 bits, and, finally , a last RDS group allowing the transmission of the last section, or cryptogram, of 21 bits.

At each complete transmission cycle, the Boolean variable is complemented. After correction of the errors and validation by the parity bit, denoted P1, the first RDS group ensuring the transmission of a cryptogram, that is to say of the 21-bit section, is recognized as a synchronizing group. The intermediate RDS group is protected by the FIRE error code (32,24) and the third and last RDS group is protected individually by the same error code, a parity bit from the last RDS group, the P2 bit on the FIG. 3, making it possible to check the consistency of all the data bits of the three RDS groups, synchronizing group, intermediate group and last RDS group, considered. It is thus understood that the synchronizing group allowing the transmission of the two link bits BL of the first section of 21 bits, the first parity bit P1 and 8 bits of error correction code CRC, the intermediate RDS group allowing the transmission of two link bits, of the second 22-bit segment and 8 bits of CRC error correction code, the third RDS group allowing the transmission of two BL link bits of the third and last 21-bit segment and the second bit of P2 parity, as well as the 8 bits of CRC error correction code, each group of 8 bits of CRC error correction code makes it possible to ensure the correction of the 24 bits to which each of these 8 error correction bits is associated, while the second parity bit P2 makes it possible to check the consistency of the 71 data bits of the three groups, that is to say of the corresponding bits transmitted by the synchronizing group, the intermediate group and the last group R DS, except for each of the 8 bits of error correction code CRC and of course of the second bit P2.

On receipt of each of the three aforementioned RDS groups, it is indicated that the verification of the Hamming distance on the link bits plus the parity checks make it possible to verify the consistency of the successive messages or cryptograms transmitted in order to achieve the concatenation of these and reconstruct the corresponding complete cryptograms.

It is also understood that the process previously described in connection with FIG. 3 makes it possible not only to ensure the transmission of the aforementioned cryptograms, but also, if necessary, also to send cryptograms of keys with signature. It is thus possible to transmit n keys among N, in encrypted form, the rate of transmission and the diversification of the choice of keys over determined time intervals, thereby making it possible to ensure the inviolability of the entire system.

A preferred mode of implementation of the protocol for transmitting access control messages to RDS applications, object of the present invention, will now be described, this mode of implementation allowing greater flexibility of transmission of encrypted messages as well as the decryption of the aforementioned messages.

In this preferred embodiment, the access control messages include a field relating to the type of encryption system used, the TSC field with extended functionality, this field allowing reception, depending on the value assigned to it. attributed, a different interpretation of scrambled or encrypted messages.

According to the aforementioned embodiment, the different values of this field allow at least the transmission and recognition, on reception, of an encrypted decryption key and of a signature, the encrypted key and the signature being coded on a same number N of bits distributed over G RDS groups.

In the aforementioned embodiment, the encrypted decryption key is coded on 64 bits and is necessarily accompanied by a signature of the same size. In this case, the value of the field relating to the type of encryption system used TSC is then in binary value equal to 11. In this case, the key and signature pair requires the use of six RDS groups.

For a global resource of seven RDS groups per second and with a distribution of five groups for the RDS application considered and two groups for its access control, it takes 3 seconds to send a key couple -signature. Table 4 below indicates the time required in the absence of repetition.

Type of Group TG VA application channel BL Link Bit Time in seconds Comments 6A 1 01 1.5 64-bit encrypted key 10 11 6A 2 01 1.5 64-bit signature 10 11

A majority decision would in fact make it possible to increase the time by a factor of 3. In order to increase the difficulty of piercing the code of the encrypted keys by an unauthorized unscrupulous user, it is also possible to use a key in the form of a word. code to which correctable errors have been added.

In addition, depending on the value of the field relating to the type of encryption system used TSC, the protocol, object of the present invention allows either the transmission of unsigned encrypted messages or the transmission of signed encrypted messages.

In the case of the transmission of unsigned encrypted messages, the size of the encrypted messages is fixed. It is for example 2048 bits, or 32 elementary encrypted messages or cryptograms. The application channel VA serves as a continuity index in order to ensure the transmission and recognition of the corresponding encrypted message elements. The value of the field relating to the type of encryption system used TSC in the key image message is then 00 in binary and the parameters relating to the successive encrypted elementary messages have the values given in table 5 below:

UNSIGNED NUMBER MESSAGES Cryptogram n ° 1 Cryptogram # 2 Cryptogram # 3 - Cryptogram # 31 Cryptogram # 32 VA = 0 VA = 1 VA = 2 - VA = 30 VA = 31 BL = 01,10.11 BL = 01,10.11 BL = 01,10.11 BL = 01,10.11 BL = 01,10.11

In the case of transmission, that is to say of the transmission and recognition on reception of encrypted signed messages, these can advantageously have a variable size between a minimum number m, m being able for example be taken equal to 2, and a maximum number M of elementary encrypted messages or successive cryptograms with which a signature is associated. The value M can be taken equal to 32. In this case, the transmission of the signature indicates to the receiver, on the one hand, the end of transmission of the elementary messages or cryptograms, and, on the other hand, the signature of the encrypted message transmitted. The field relating to the application channel VA serves as a continuity index for the succession of the above-mentioned encrypted elementary messages. Relative field values the type of encryption system used TSC key image messages are then in binary 00 for the cryptograms, or elementary encrypted messages, and 10 for the signature, the values of the parameters being given in table 6 below:

SIGNED NUMBER MESSAGES Cryptogram n ° 1 Cryptogram # 2 Cryptogram # 3 - Cryptogram n ° n Signature VA = 0 VA = 1 VA = 2 - VA = n VA = 0 TSC = 00 BL = 01,10,11 TSC = 00 BL = 01,10,11 TSC = 00 BL = 01,10,11 TSC = 00 BL = 01,10,11 TSC = 10 BL = 01,10,11

We can see that each successive elementary message, or cryptogram, is associated with a continuity tracking index, the discrimination between encrypted signed message and signature being obtained for the two distinct values 00 and 01 of the TSC field relating to the type of the encryption used.

Finally, the protocol which is the subject of the present invention, in its preferred mode of implementation, also allows the transmission and recognition of encrypted messages with an encrypting suite configured by encryption keys varying in time, these encrypted messages corresponding to RDS application messages. In this case, the binary value of the field relating to the type of encryption system used TSC is for example 01. The 32-bit encryption suite is used to scramble an RDS application group, the scrambling process consisting of modulo 2 arithmetic between the bits of data conveyed by the RDS group, for the application under consideration, and the encryption suite. A modular mask makes it possible to have a clear portion of the quads of block C.

According to a particular embodiment variant of the protocol which is the subject of the present invention, it is indicated that image messages of encryption keys can also be signed. In such a case, a condensed signature is obtained from a secret key buried on an inviolable support as described previously in the description, the condensed signature being calculated on a number P of bits from a pseudo-random sequence and calendar date information for example. The condensed signature is transmitted by means of a plurality of the synchronization messages previously mentioned in the description.

The condensed signature can be calculated on 64 bits. The date code, modified Julian date, of the RDS 4A group is part of the data of the message to be signed.

• à l'émission, à partir du message à signer, le calcul de la signature à partir d'une clé interne pour obtenir la signature condensée, puis, suite à la transmission du message à signer et de la signature condensée par l'intermédiaire des messages de synchronisation,
• à la réception, à partir du message à signer, calcul à partir d'une clé interne de la signature correspondante et, au niveau réception, reconstitution à partir de la signature condensée reçue d'une signature au format DES. Une étape de vérification est alors réalisée entre la signature reconstituée au format DES et la signature calculée à la réception à partir de la clé interne. Une réponse négative au test de vérification précité entraîne l'absence de validation du message d'image des clés, alors qu'au contraire une réponse positive au test de vérification précité entraîne la validation imémdiate du message d'image des clés.

The process of condensed signature of the image messages of the keys on transmission, respectively on reception, can then consist of the succession of steps as shown in FIG. 2g, and presents the steps below:

• on transmission, from the message to be signed, the calculation of the signature from an internal key to obtain the condensed signature, then, following the transmission of the message to be signed and the condensed signature via the synchronization messages,
• upon receipt, from the message to be signed, calculation from an internal key of the corresponding signature and, at reception level, reconstitution from the condensed signature received from a signature in DES format. A verification step is then carried out between the signature reconstituted in DES format and the signature calculated on receipt from the internal key. A negative response to the aforementioned verification test results in the absence of validation of the key image message, whereas on the contrary a positive response to the aforementioned verification test results in immediate validation of the key image message.

Synchronization messages contain the condensed signature transmitted in a 12-bit format for example.

The distribution of the key image and synchronization messages is given in table 7 below:

More specifically, it is indicated that the synchronization messages include a time validation field VT of the encryption keys transmitted, immediate or deferred validation, depending on the value of this field, being carried out on reception.

• immédiate pour une première valeur déterminée de ce champ, VT=0 par exemple,
• différée pour une deuxième valeur de ce champ, distincte de la première et comprise entre une première et une deuxième valeur arbitraire, 1 ≤ VT < 8 par exemple.

As an example of implementation, it is indicated that the validation can be:

• immediate for a first determined value of this field, VT = 0 for example,
• deferred for a second value in this field, distinct from the first and between a first and a second arbitrary value, 1 ≤ VT <8 for example.

Finally, for a third value of the time validation field VT greater than the second arbitrary value, that is to say VT ≥ 8, the synchronization message contains the condensed signature.

Finally, in the case where a diversification is introduced, ID = 1, value of the diversification flag associated with a type of diversification TD represented in FIG. 2e, the diversification value retained VD, FIG. 2f, on 8 bits, can consist in fact in the 8 most significant bits of the condensed signature. For the particular diversification value VD = 0, FIG. 2f, the synchronization message then indicates to the receiver the end of the scrambling in the signature verification step represented in FIG. 2g.

In the preferred embodiment of the access control protocol according to the invention, it is indicated that, preferably, the encrypted signed messages are messages of variable size. For this purpose, each signed encrypted message comprises at least two elementary encrypted messages, or cryptograms, that is to say m = 2. The first elementary encrypted message then comprises a header and input parameters, and the second elementary encrypted message comprises a specific elementary encrypted message such as a tamper-evident medium identification code.

The structure of the encrypted messages signed with variable size constituted by a succession of elementary encrypted messages or cryptograms, is given in table 8 below:

Cryptogram n ° 1 Cryptogram # 2 Cryptogram --- Cryptogram 64 bit 64 bit (n * 64) bits with n ∈ {0,1,2, ..., 29,30} On your mind Input parameters Identification / Authentication of the Card or Cryptogram Cryptograms

A more detailed description of a access control to applications on RDS support in accordance with the object of the present invention, implemented in the context of a non-limiting application of the transmission of a service or RDS application relating to the dissemination of differential corrective data GPS, denoted dGPS, application or service for which access control is instituted, will now be given in connection with FIG. 4.

In general, and in accordance with the method or protocol which is the subject of the present invention, it is indicated that the access control messages are distributed over at least one RDS group considered of four consecutive blocks of binary elements.

As shown in FIG. 4, the device comprises, at the level of an FM transmitter equipped with an RDS coder, the RDS coder bearing the reference B and being interconnected with a stereo coder C, which makes it possible to control the FM transmitter D for broadcasting the corresponding RDS service, and the RDS coder comprising a modem A, which is connected by a switched PSTN telephone link to a modem 10, a clear coding resource 1 ₁ on the first block of the RDS group considered of a program identification message, resource 1 ₂ of plain coding on the second block of the RDS group considered an encrypted message representative of the type of RDS group on the RDS group considered, and a channel message representative implementation of at least one RDS specific application, a resource 1 ₃ as encoding at least partly encrypted over the third block of the RDS group considered, a plurality of application messages RDS respectively clear access control, as well as a clear coding resource 1 ₄ on the fourth block of the RDS group considered of a plurality of messages, access control message, parity messages, redundancy message, and, in encrypted form, an RDS application message.

Of course, the aforementioned coding resources 1 ₁ , 1 ₂ , 1 ₃ , 1 ₄ , on the first, second, third and fourth blocks of the RDS group in question are interconnected, on the one hand, to the RDS B encoder by means of the modem 10, of the connection of the switched telephone network PSTN and modem A, and, on the other hand, to a GPS reference station, denoted G ₁ , delivering reference GPS positioning data at the transmission level.

In a specific embodiment of the device for controlling access to applications on an RDS medium as shown in FIG. 4, it is indicated that the coding resources 1 ₁ , 1 ₂ , 1 ₃ , 1 ₄ of the messages on the first, second, third and fourth blocks of the RDS group considered are advantageously constituted by a microcomputer provided with its peripheral organs, this microcomputer being able, of course, to include a working memory M _t and a program memory M _P in which are installed message coding program modules on the first, second, third and fourth blocks of the RDS group considered, as shown in FIG. 1.

According to an advantageous characteristic of the device which is the subject of the invention as shown in FIG. 4, the peripheral members comprise at least one microprocessor card reader device, bearing the reference 1 ₅ , the microprocessor card itself, designated by motherboard , bearing the reference 1 ₆ . The whole of the microprocessor card reader and microprocessor card device makes it possible to ensure the coding in encrypted form of the messages coded on the third and the fourth block of the RDS group considered. In a conventional manner, the card reader 1 ₅ can consist of a card reader of the TLP224 type for example, marketed by the company BULL CP8 78430 Louveciennes, France, this card reader can be integrated directly into the microcomputer, the microcomputer being connected to the RDS coder as mentioned previously.

As mentioned previously in the description, it is indicated that the coding program modules of messages include, for example, an encryption module to generate a 32-bit encryption suite. This encryption sequence can then be transmitted via four consecutive RDS blocks or an RDS group, as described previously in the description.

Referring to FIG. 2a, it is indicated that the encryption module comprises a pseudo-random generator module of digits parameterized by a generator polynomial P (x) and by an initial loading word, noted I (x). The encryption information stored on the microprocessor card, motherboard bearing the reference 1 ₆ in FIG. 4, includes at least information relating to the number of encryption keys to be used, to the reference of at least one specific encryption, the basic period of validity of each encryption key, the duration of an encryption diversification period for the encryption key considered, the number of diversification periods generated for the encryption key during the duration of validity base as well as a plurality of reference initial loading words I (x) and a plurality of reference generating polynomials P (x).

The aforementioned motherboard 1 ₆ actually contains all the dynamic and static parameters of the access control messages. The dynamic parameters concern the scrambling cycle, the number of keys, the duration of the basic periods and of the diversification periods. Fixed parameters are long-lasting options linked to the life cycle of the corresponding current motherboard.

Table 9 below gives the organization of the transmission motherboard bearing the reference 1 ₆ in FIG. 4.

ORGANIZATION OF THE MOTHERBOARD (emission side) PINE Carrier code or confidential code Number of keys to use NC For a scrambling or encryption cycle, the use of a certain number of keys makes it possible to diversify the keys within the cycle. ICB basic key index This is the IC key index reference value for key image messages. Period of validity of a DC key It is the time duration of a key or basic period Duration of SD diversification period It is the duration of the diversification period within a diversification period Number of MIC key image messages It is the number of key image messages within a diversification period Number of MS synchronization messages It is the number of synchronization messages within a diversification period Type of group TG VA application channel This is the type of TG group of the application route TSC This is the type of cryptographic system SV It is the channel selection NV Channel number IS Service identification ME or AC Scrambling mask or cryptographic algorithm ID Diversification flag TD Type of diversification Immediate or deferred validation VT Parameter used by synchronization messages
. If VT = "0", it is immediate validation
. If1 ≤VT <8, it is deferred validation
. If 8≤VT≤15, immediate validation and condensed signature

$\frac{{\text{I}}_{\text{0}}\text{(x)}}{{\text{I}}_{\text{127}}\text{(x)}}$

128 words of initial loading of the pseudo-random generator, depending on the number of keys in the key index, the transmission software loads the corresponding values of l _N (x) and P _N (x) $\frac{{\text{P}}_{\text{0}}\text{(x)}}{{\text{P}}_{\text{31}}\text{(x)}}$

32 generator polynomials of degree 15

With regard to the device for controlling access to RDS applications to a user device, the access control being carried out on the basis of access control messages transmitted on at least one RDS group considered of four consecutive blocks d bits, this device, at an FM receiver equipped with an RDS decoder as shown in Figure 5 includes, in addition to the RDS decoder 2 ₀ receiving the radio reception of the transmitter D, a resource denoted 2 ₁ of discrimination of the RDS group considered, a resource noted 2 ₂ of discrimination in the consecutive blocks of the group considered discriminated from the access control messages and encrypted RDS application messages, a resource 2 ₃ for decrypting the encrypted RDS application messages used to generate decrypted RDS application information, as well as a resource denoted 2 ₄ for conditional access control to the decrypted RDS applications on identity criterion for access control information and reference access control information. All of the aforementioned resources 2 ₁ to 2 ₄ are interconnected in cutoff between the RDS decoder 2 ₀ and the user device, which is represented in FIG. 5 by a local GPS receiver bearing the reference G ₂ .

In a preferred embodiment of the device as represented in FIG. 5, it is indicated that the discrimination resource 2 ₁ of the RDS group considered, the discrimination resource 2 ₂ in the consecutive blocks of the RDS group considered discriminated control messages. encrypted RDS application and access messages, the decryption resource 2 ₃ and the conditional access control resource 2 ₄ to RDS applications are advantageously constituted by a microcomputer provided with its peripheral organs.

This microcomputer includes a working memory M ' _t and a program memory M' _P in which are installed modules of discrimination programs of the RDS group considered, discriminating in the consecutive blocks of the RDS group considered discriminating access control messages and encrypted RDS application messages, a program decryption module for encrypted RDS application messages making it possible to generate information of decrypted RDS applications and a conditional access control module to RDS applications on criteria of identity of the access control information and reference access control information.

As regards the peripheral members, these bear the reference 2 ₅ and 2 ₆ and may advantageously comprise a microprocessor card reader device, the card reader device bearing the reference 2 ₅ and the microprocessor card designated by daughter card bearing reference 2 ₆ . These peripheral members 2 ₅ and 2 ₆ are intended to provide decryption information stored in the daughter card 2 ₆ to ensure the decoding of access control messages and RDS application messages encrypted in the form of information, messages decrypted RDS application.

As shown in FIG. 5, the microcomputer 2 ₁ , 2 ₂ , 2 ₃ , 2 ₄ is interconnected in a so-called cut-off mode between the decoder 2 ₀ RDS and the device for use or GPS receiver G ₂ . The cut-off connection mode makes it possible to ensure access or absence of access to the GPS G ₂ receiver on the validation criterion respectively of non-validation of this access by the process and the access control system.

More specifically, it is indicated that the decryption module 2 ₃ comprises, like the encryption module previously described in connection with FIG. 4 and with FIG. 2a, a pseudo-random generator generator of digits parameterized by a generator polynomial and by an initial loading word P (x) respectively I (x).

In general, it is indicated that the decryption information stored on the daughter card 2 ₆ include at least subscriber class carrier code, allocated usage time credit, RDS service identification information of a plurality of reference IPL words, a plurality of reference generator polynomials and parameters associated with an authentication algorithm making it possible to generate a personalized authentication value.

When changing the encryption key declared as a new valid key, the control resource at the receiving device searches for the new decryption parameters. If the validity of the subscriber's rights has expired or if the current date is outside the validity range, or if the term credit has been used up, the order resource proceeds to deactivate the daughter card and disarm the decryption indicator. The reception of a valid encryption key or the change of key declared as a new valid key makes it possible to arm or maintain the decryption indicator on receipt of validated synchronization messages.

• vérification du code confidentiel,
• lecture et vérification de la classe d'abonnement,
• lecture et vérification des paramètres de validité de l'abonnement,
• vérification périodique de la présence de la carte fille,
• recherche des paramètres dynamiques de désembrouillage à partir d'une clé de chiffrement valide.

The operations executed at the level of each of the devices as represented in FIG. 5, that is to say at the FM receiver level, are then as follows:

• verification of the confidential code,
• reading and checking the subscription class,
• reading and checking the subscription validity parameters,
• periodic verification of the presence of the daughter card,
• searches for dynamic descrambling parameters using a valid encryption key.

The daughter card verification test can be performed in the background task activated periodically.

Table 10 below represents the strategy used for synchronization and end scrambling messages, the aforementioned strategy being given as non-limiting example.

Key image messages Synchronization messages Comments Valid key Active decryption Passive decryption Receiver connected YES YES Descrambling is effective 1st reception of messages YES YES End of decryption messages received Receiver already connected YES YES Descrambling is effective Receiving messages YES YES End of decryption message received

As for the daughter card on June _2, it indicates that the memory of this plan reflects the formats and constraints of each parameter.

• du drapeau de diversification ID,
• du type de diversification TD.

Thus, the interpretation and use of the diversification value, VD message, depends on:

• the ID diversification flag,
• of the TD diversification type.

• d'authentifier la carte fille,
• de masquer les mots de chargement initial.

The diversification value received is modified by calculation and then serves as a parameter to break the linearity of the pseudo-random generator. The IS service identification message allows:

• to authenticate the daughter card,
• to hide IPL words.

For IS = 0, a 64-bit format is provided in the memory zone dedicated for this purpose in the daughter card 2 ₆ .

On the other hand, for IS = 1, a memory word is necessary whose content is used as an authentication calculation parameter. The authentication result or value is coded on 8 bytes. The reception access control device as shown in FIG. 5 verifies the period of validity of the rights subscribed by the subscriber correspondent, start date and end date, when the latter has subscribed for periods of validity. The credit in duration is accompanied by a notion of allocated time, flexible according to a plurality of parameters such as type of service, added value of content. The reception access control device as shown in FIG. 5, during the first connection, updates and updates the date of its parking meter equipment. In order to maintain synchronization between the program access control device as shown in FIG. 4 and the access control device as shown in FIG. 5, the latter can be programmed so as to refresh the time and date according to a predetermined period, the drifts due to clock slip of the receivers being thus minimized.

The organization of the daughter card memory plane 2 ₆ is given below in Table 11.

ORGANIZATION OF THE GIRL CARD (receiver side) PINE Carrier code or confidential code Subscription class * By period of validity of the rights subscribed by the subscriber
* By duration, this is the principle of calling cards Start date or Duration credit * This is the start date of the subscription,
a memory word is used
* It is the credit in consumable duration progressively, several memory words are necessary End Date or Allocated Time * This is the end date of the subscription,
a memory word is used
* It is the time allotted to a duration and flexible according to the service and the contents IS service identification = 0 A fixed mask of 64 bits is memorized on daughter card, several memory words are necessary IS service identification = 1 The content of a memory word serves as an authentication value calculation parameter, the result has an 8-byte format

$\frac{{\text{I}}_{\text{0}}\text{(x)}}{{\text{I}}_{\text{127}}\text{(x)}}$

128 words of initial loading of the pseudo-random generator, the values can be hidden $\frac{{\text{P}}_{\text{0}}\text{(x)}}{{\text{P}}_{\text{31}}\text{(x)}}$

32 generator polynomials of degree 15

Finally, an authentication operation of the card daughter June ₂ may be provided, such an operation is obtained by the use of a cryptographic algorithm owner. The aforementioned cryptographic algorithm can for example be the "Telepass" algorithm of the creator of corresponding microprocessor cards.

• les droits d'accès de l'abonné,
• les mots de chargement initial du générateur pseudo-aléatoire.

The authentication value of 8 bytes obtained by the aforementioned algorithm configured by the service identification bit, service identification message IS, makes it possible to decrypt by name:

• the subscriber's access rights,
• the initial loading words of the pseudo-random generator.

IPL word can be diversified otherwise. The flag and type of diversification are in the keyframe messages and the synchronization messages contain the diversification value. The daughter card authentication procedure, which is costly in time, can preferably be carried out at the start, when the daughter card is inserted into the card reader 2 ₅ . Taking into account the change of keys and the entry into service of the corresponding keys are guaranteed as long as the daughter card is present and the validity of the subscription is in conformity.

In the context of the application considered for access control applied to differential corrective data GPS, dGPS, broadcast on RDS support, the data was scrambled by an encrypting suite configured by keys diversified over time.

The GPS differential corrective data application and the access control system share 60% of the RDS transmission resource, i.e. 7 to 8 RDS groups per second. The type of RDS group used for this purpose is the RDS 6 version A group (TG = 6A). 32 channels are available, each channel being identified by the 5 bits of the VA application channel message of block B.

• voie 0 : heure D GPS,
• voies 1 à 12 : données satellite très proche de la station de référence associée au dispositif de contrôle d'accès côté émission,
• voies 13 à 24 : données satellite très proche de la station de référence associée côté réception,
• voie 25 : table des satellites visibles, correspondance entre numéro de voie et numéro réel des satellites,
• voie 26 : messages de type télétexte,
• voies 27 à 30 non-utilisées,
• voie 31 : messages de contrôle d'accès transmis en clair.

The allocation of channels was given by the list below:

• channel 0: D GPS time,
• channels 1 to 12: satellite data very close to the reference station associated with the transmission side access control device,
• channels 13 to 24: satellite data very close to the associated reference station on the reception side,
• channel 25: table of visible satellites, correspondence between channel number and actual satellite number,
• channel 26: teletext type messages,
• channels 27 to 30 not used,
• channel 31: access control messages transmitted in clear.

• dialoguer, échanger des données avec la carte à microprocesseur 1₆ par l'intermédiaire du lecteur 1₅,
• gérer la ressource disponible afin de diffuser les messages de contrôle d'accès,
• mettre en oeuvre et diffuser les messages de contrôle d'accès selon les directives fournies par la carte à microprocesseur ou carte mère 1₆,
• mettre à la disposition de l'application considérée une suite chiffrante et les paramètres indispensables pour assurer le déchiffrement.

In the application considered, the access control device as shown in FIG. 4, in particular the encoder microcomputer 1 ₁ to 1 ₄ makes it possible to:

• dialogue, exchange data with the microprocessor card 1 ₆ via the reader 1 ₅ ,
• manage the available resource in order to disseminate access control messages,
• implement and distribute access control messages according to the directives provided by the microprocessor card or motherboard 1 ₆ ,
• provide the application under consideration with an encryption suite and the parameters necessary to ensure decryption.

The DPS G ₁ reference station supplies the abovementioned microcomputer PC encoder with the differential corrective data GPS, dGPS, the PC encoder microcomputer 1 ₁ , 1 ₂ , 1 ₃ , 1 ₄ enabling the RDS format to be these data in order to ensure their transmission via modem 10 and modem A to the RDS coder B and to the transmitter D for transmission.

As regards the access control device at the FM receiver as shown in FIG. 5, the RDS decoder circuit 2 ₀ can be tuned to the transmission frequency in band 2 of the transmitter D. The RDS groups 6A received are transmitted to the decoder microcomputer 2 ₁ , 2 ₂ , 2 ₃ , 2 ₄ , which allows the RTCM format to be reconstituted for the GPS receiver G ₂ . The accuracy of the position data is then improved thanks to the contributions of the corrective dGPS data received via the RDS support, that is to say the FM network.

• vérifier périodiquement la présence de la carte fille 2₆ dans le lecteur de carte 2₅,
• contrôler le type de carte,
• inviter l'abonné à présenter son code confidentiel afin d'assurer la vérification de ce dernier,
• vérifier la validité des droits (abonnement par date de validité ou abonnement à la durée),
• authentifier la carte présentée,
• lire les paramètres et données secrètes indispensables au déchiffrement,
• gérer et décoder les trois types de messages de contrôle d'accès, message d'image des clés, messages de synchronisation et de fin d'embrouillage,
• fournir une suite chiffrante permettant d'assurer le déchiffrement paramétré par les messages de contrôle d'accès et les données secrètes de la carte fille 2₆.

The aforementioned decoder microcomputer provides access control on the reception side. It allows to :

• periodically check the presence of the daughter card 2 ₆ in the card reader 2 ₅ ,
• check the type of card,
• invite the subscriber to present their confidential code in order to verify the latter,
• check the validity of the rights (subscription by validity date or subscription to the duration),
• authenticate the card presented,
• read the parameters and secret data essential for decryption,
• manage and decode the three types of access control messages, key image message, synchronization and end scrambling messages,
• provide an encrypting suite making it possible to ensure the decryption configured by the access control messages and the secret data of the daughter card 2 ₆ .

The implementation of the protocol for transmitting access control messages to services on an RDS medium as well as the devices for transmitting and receiving corresponding access control as shown in FIGS. 4 and 5 have been implemented. implemented in real situations. Thanks to the implementation of all the aforementioned functions, they have made it possible to justify the respective role of the aforementioned access control messages as well as to demonstrate the effectiveness of the strategy adopted for protection against transmission errors. .

Because of the very great flexibility of use of the protocol for transmitting access control messages to applications on an RDS medium, object of the present invention, such flexibility is obtained, due to the structure of the protocol implemented. In spite of the low transmission resources of the RDS system, it is also indicated that it can be implemented in order to manage an access control system for the RDS service in a geographic region. , transmission coverage area in frequency modulation, by means of the transmission of signed encrypted messages, the access control system according to the invention then making it possible in particular to carry out operations such as modification of the rights of access of a subscriber, inhibition / validation of one or several tamper-proof subscription cards and, for example, a registered encryption key registration in one or more subscription cards.

Claims (22)

Protocol for transmitting access control messages to applications on an RDS medium, in which the access control is carried out on the basis of access control messages distributed over at least one RDS group of four consecutive blocks of elements binary, characterized in that said protocol consists, on transmission, for the RDS group considered: - to transmit in clear on the first block of said RDS group a program identification message; to transmit in clear on the second block of said RDS group a coded message representative of the type of RDS group, relating to said RDS group, and an application channel message representative of at least one specific RDS application; to transmit in at least partially encrypted form on the third and the fourth block a plurality of RDS application messages respectively of access control messages. Protocol according to claim 1, characterized in that the RDS service data message and the access control message are transmitted on the third and the fourth block, a parity message and a redundancy message being transmitted on the fourth block , said messages occupying the entire information field of the third and fourth blocks. Protocol according to claim 2, characterized in that the step of transmitting at least partially encrypted form on the third block of an RDS application message consists in modulating the data into encrypted and unencrypted data in packets of a number determined consecutive bits. Protocol according to claim 3, characterized in that said messages transmitted in partially encrypted or respectively encrypted form are subjected to an encryption process from a 32-bit encryption suite. Protocol according to claim 4, characterized in that it consists in generating said encryption sequence from: - a pseudo-random generator of digits, parameterized by a generator polynomial and by an initial loading word, - specific encryption data stored on an inviolable storage medium. Protocol according to claim 4 or 5, characterized in that said encryption process consists of: to conduct the actual encryption of data over at least one basic duration, with each basic duration being associated with a specific encryption key, - to break down each basic duration into a plurality of diversification periods, - Associating for each diversification period an arbitrary specific value with said specific encryption key, to generate during each diversification period an equivalent diversified encryption key. Protocol according to one of claims 1 to 6, characterized in that said access control messages consist of messages of three distinct types: - a first type, encryption key image message, representative of the specific base encryption key for the current base duration; a second type, synchronization message, making it possible to validate the specific basic encryption key associated with the basic duration according to the current basic duration; - a third type, end of encryption message, used to discriminate between encrypted and unencrypted RDS applications. Method according to claim 7, characterized in that each synchronization message makes it possible to ensure immediate or deferred validation of the encryption key specific considered. Protocol according to claim 7, characterized in that said access control messages include a field relating to the type of encryption system used (TSC) allowing, on reception, according to the value of this field, a different interpretation of the scrambled or encrypted messages, the different values of said field allowing at least: the transmission and recognition, on reception, of an encrypted decryption key and of a signature, said encrypted key and the signature being coded on the same number N of bits distributed over G RDS groups; - the transmission and recognition, on reception, of signed encrypted messages of variable size between a minimum number (m) and a maximum number (M) of successive elementary encrypted messages with which a signature is associated, with each elementary encrypted message successive being associated with a continuity tracking index, the discrimination between signed encrypted message and signature being obtained for two distinct values of said field (TSC) relating to the type of encryption system used; - The transmission and recognition of messages encrypted with an encryption suite configured by encryption keys varying in time, said encrypted messages corresponding to RDS application messages. Protocol according to Claim 7, characterized in that the said encryption key image messages are signed messages, a condensed signature obtained from a secret key buried on an inviolable support being calculated on a number P of bits from a pseudo-random sequence and calendar date information, said condensed signature being transmitted by means of a plurality of said synchronization messages. Protocol according to Claim 7, characterized in that the said synchronization messages include a time validation field (VT) of the encryption keys transmitted, an immediate or delayed validation depending on the value of said field being carried out, this validation being: - immediate for a first determined value of this field; - deferred for a second value of this field distinct from the first and between a first and a second arbitrary values. Protocol according to claims 10 and 11, characterized in that, for a third value of this field, greater than said second arbitrary value, said synchronization message contains said condensed signature. Protocol according to claim 9, characterized in that said signed encrypted messages comprise at least two elementary encrypted messages, m = 2, the first elementary encrypted message comprising a header and input parameters, and the second elementary encrypted message comprising a specific elementary encrypted message such as a tamper-evident medium identification code. Device for controlling access to applications on an RDS medium, in which the access control is carried out on the basis of access control messages distributed over at least one RDS group considered of four consecutive blocks of binary elements, each block comprising an information field and a parity check field, characterized in that said device comprises, at the level of an FM transmitter equipped with an RDS coder: means for encoding in the clear on the first block of the RDS group considered a message identifying the program; - means for encoding in the clear on the second block of the RDS group considered a coded message representative of the type of RDS group relating to the RDS group considered and an application channel message representative of at least one specific RDS application; coding means in the form at least partially encrypted on the third block of the RDS group considered of a plurality of RDS application messages respectively in the form of clear access control; means for encoding in the clear on the fourth block of the RDS group considered a plurality of messages, access control message, parity message, redundancy message and in encrypted form of RDS application message; said message coding means on the first, second, third and fourth blocks of the RDS group considered being interconnected to said RDS coder of the FM transmitter. Device according to claim 14, characterized in that said means for coding messages on the first, second, third and fourth blocks of the RDS group considered are constituted by: a microcomputer provided with its peripheral organs, said microcomputer comprising a working memory and a program memory in which are installed message coding program modules on the first, second, third and fourth blocks of the RDS group considered, said peripheral members comprising at least: a microprocessor card reader device intended to provide encryption information stored in a microprocessor card for coding in encrypted form the messages encoded on the third and on the fourth block of the RDS group considered, said micro -computer being interconnected to said RDS coder via a transmission line. Device according to claim 15, characterized in that the message coding program modules include an encryption module making it possible to generate a 32-bit encryption suite. Device according to one of claims 15 or 16, characterized in that said encryption module comprises a pseudo-random generator of digits module, parameterized by a generator polynomial and by an initial load word, and in that said encryption information stored on said microprocessor card comprises at least information relating to the number of encryption keys to be used, to the reference of at least one specific encryption key, to the basic period of validity of each encryption key, to the duration of an encryption diversification period for said at least one encryption key, the number of diversification periods generated for said encryption key during said base validity period, a plurality of reference initial loading words and a plurality of reference generator polynomials. Device for controlling access to RDS applications to a user device, in which access control is carried out on the basis of access control messages transmitted on at least one RDS group considered of four consecutive blocks of binary elements , each block comprising an information field and a parity control field, characterized in that said device comprises, at the level of an FM receiver equipped with an RDS decoder: - means of discrimination of said RDS group considered; - means for discriminating, in said consecutive blocks of said RDS group considered discriminated against, access control messages and encrypted RDS application messages; - means for decrypting said encrypted RDS application messages making it possible to generate decrypted RDS application information; - conditional access control means to RDS applications deciphered on the basis of identity criteria for access control information and reference access control, all of said means being interconnected in cutoff between said RDS decoder and said user device. Device according to claim 18, characterized in that said means for discriminating said RDS group considered, the means for discriminating in consecutive blocks of the RDS group considered discriminated from the access control messages and encrypted RDS application messages, the means of decryption and the conditional access control means for RDS applications consist of: a microcomputer provided with its peripheral organs, said microcomputer comprising a working memory and a program memory in which are installed program modules of discrimination of the RDS group considered, of discrimination, in the consecutive blocks of the RDS group considered to be discriminated against, access control messages and encrypted RDS application messages, decryption of encrypted RDS application messages making it possible to generate decrypted RDS application information, conditional access control to RDS applications on identity criterion of the access control information and reference access control information, said peripheral members comprising at least: - a microprocessor card reader device interconnected to said microcomputer and intended to provide decryption information stored in a microprocessor card for decoding access control messages and RDS application messages encrypted in the form of decrypted RDS application message information, said microcomputer being cut-off interconnected between said RDS decoder and the operating device. Device according to claim 19, characterized in that the decryption program module includes a generator module for a 32-bit encryption suite. Device according to claim 19 or 20, characterized in that said decryption module comprises a pseudo-random generator module of digits parameterized by a generator polynomial and by an initial load word, and in that said decryption information stored on said card comprising at least carrier code, subscription class, allocated usage time credit, RDS service identification information, a plurality of reference IPL words, a plurality of reference generator polynomials, and parameters associated with an authentication algorithm allowing to generate a personalized authentication value. Use of the protocol for transmitting access control messages to applications on an RDS medium according to one of claims 1 to 13, for ensuring the management of an access control system for RDS services in a geographic region area transmission coverage in frequency modulation, through the transmission of signed encrypted messages, said signed encrypted messages allowing in particular the operations: - modification of a subscriber's access rights; - inhibition / validation of one or more cards, tamper-proof support, subscription; - registered registration of encryption keys in one or more subscription cards.

Images