DOCSIS includes MAC layer security services in its Baseline Privacy Interface specifications. DOCSIS 1.0 utilized the initial Baseline Privacy Interface (BPI) specification. BPI was later improved with the release of the Baseline Privacy Interface Plus (BPI+) specification used by DOCSIS 1.1 & 2.0. Most recently, a number of enhancements to the Baseline Privacy Interface were added as part of DOCSIS 3.0, and the specification was renamed “Security” (SEC).
The intent of the BPI/SEC specifications is to describe MAC layer security services for DOCSIS CMTS-to-CM communications. BPI/SEC security goals are twofold:
provide cable modem users with data privacy across the cable network
provide cable service operators with service protection; i.e., prevent unauthorized users from gaining access to the network’s RF MAC services
BPI/SEC is intended to prevent cable users from eavesdropping on each other's traffic. It does this by encrypting data flows between the CMTS and the CM. BPI and BPI+ use 56-bit DES encryption, while SEC adds support for 128-bit AES. All versions provide for periodic key refreshes (at a period configured by the network operator) in order to increase the level of protection.
The earlier BPI specification [ANSI/SCTE 22-2] offered limited service protection because its underlying key management protocol did not authenticate cable modems. BPI+ strengthened service protection by adding digital-certificate-based authentication, backed by a public key infrastructure, to its key exchange protocol.
Security in the DOCSIS network is vastly improved when only business-critical communications are permitted and end-user communication to the network infrastructure is denied. Successful attacks often occur when the CMTS is configured for backwards compatibility with early pre-standard DOCSIS 1.1 modems, which were “software upgradeable in the field” but did not include valid DOCSIS or EuroDOCSIS root certificates.
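The certificate-based service protection that BPI+ adds, and the backwards-compatibility exposure described above, as an added example that is not part of the original page and is not code from any DOCSIS vendor or specification. It uses Go's standard crypto/x509 package to build a constructed three-tier chain (operator-trusted root, manufacturer CA, cable-modem device certificate) plus a second modem issued under a root the CMTS does not trust, and then runs a CMTS-side admission check. The functions issue, BuildDemoPKI and AuthorizeModem, the allowLegacy flag and the MAC-style common names are all assumptions of this example; real DOCSIS certificate profiles and a real CMTS's configuration settings are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check aborts on setup errors; this is demo code with no recovery path.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for cn signed by parent/parentKey, or self-signed when
// parent is nil. CA certificates (root, manufacturer) may sign further certificates.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // must be positive
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// DemoPKI is a constructed chain: operator-trusted root, manufacturer CA under it, and
// a cable-modem (CM) device certificate. RogueModem chains to a second, untrusted root.
type DemoPKI struct {
	Root, MfgCA, Modem, RogueModem *x509.Certificate
}

func BuildDemoPKI() *DemoPKI {
	root, rootKey := issue("Demo DOCSIS Root CA (constructed)", true, nil, nil)
	mfg, mfgKey := issue("Demo Manufacturer CA (constructed)", true, root, rootKey)
	modem, _ := issue("00:11:22:33:44:55 (constructed CM MAC)", false, mfg, mfgKey)
	rogueRoot, rogueKey := issue("Untrusted Root (constructed)", true, nil, nil)
	rogue, _ := issue("66:77:88:99:aa:bb (constructed CM MAC)", false, rogueRoot, rogueKey)
	return &DemoPKI{Root: root, MfgCA: mfg, Modem: modem, RogueModem: rogue}
}

// AuthorizeModem is the CMTS-side admission decision (an assumed function, not a
// DOCSIS API). allowLegacy models the backwards-compatibility setting the text warns
// about: when true, a modem that cannot present a chain to the trusted root is admitted
// anyway. A nil cert models a modem that presents no certificate at all.
func AuthorizeModem(pki *DemoPKI, allowLegacy bool, cert *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(pki.Root)   // the only root this CMTS trusts
	inters.AddCert(pki.MfgCA) // manufacturer CA, as a CM would normally send it
	err := fmt.Errorf("no certificate presented")
	if cert != nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	}
	if err != nil && !allowLegacy {
		return fmt.Errorf("modem rejected: %w", err)
	}
	return nil // authenticated, or admitted unauthenticated under the legacy setting
}

func main() {
	pki := BuildDemoPKI()
	for _, legacy := range []bool{false, true} {
		fmt.Printf("allowLegacy=%v: valid chain=%v, untrusted root=%v, no cert=%v\n", legacy,
			AuthorizeModem(pki, legacy, pki.Modem) == nil,
			AuthorizeModem(pki, legacy, pki.RogueModem) == nil,
			AuthorizeModem(pki, legacy, nil) == nil)
	}
}
```

With allowLegacy=false only the modem whose chain ends at the trusted root is admitted; the modem under the untrusted root and the modem with no certificate are refused. With allowLegacy=true both are admitted despite failing authentication, which is exactly the exposure the text attributes to backwards-compatibility mode. On a production CMTS the equivalent control is the vendor's setting for legacy or pre-BPI+ modems, and the defensive position is to leave it off unless a specific modem population still requires it.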
CableLabs Clears Motorola’s DOCSIS 3.0 Security:
CableLabs has granted “manufacturer certificate authority” status to Motorola’s DOCSIS 3.0 products, allowing the equipment vendor to supply security credentials to MSOs’ cable modem networks.
The Motorola Public Key Infrastructure Center, located in San Diego, passed an audit for its digital security certificate generation system. Motorola is qualified to provide the underlying security for use in Motorola DOCSIS equipment.
Motorola said all its digital certificates are backward-compatible with DOCSIS 1.0, 1.1, and 2.0 equipment and will fully support all future shipments of DOCSIS equipment.
“The DOCSIS 3.0 specification itself establishes ways for cable companies to safely buy equipment from multiple vendors to deploy high-speed data services,” CableLabs president and CEO Dick Green said in a statement. “The audit the Certificate Authority undertakes is another benchmark standard that we hold DOCSIS certificate suppliers to as additional fail-safe for the cable community. Motorola has further demonstrated its commitment to DOCSIS by participating and successfully fulfilling the requirements of the audit.”
Sources: wikipedia.org, multichannel.com