Security
DOCSIS includes MAC layer security services in its Baseline Privacy Interface specifications. DOCSIS 1.0 utilized the initial Baseline Privacy Interface (BPI) specification. BPI was later improved with the release of the Baseline Privacy Interface Plus (BPI+) specification used by DOCSIS 1.1 & 2.0. Most recently, a number of enhancements to the Baseline Privacy Interface were added as part of DOCSIS 3.0, and the specification was renamed "Security" (SEC).
The intent of the BPI/SEC specifications is to describe MAC layer security services for DOCSIS CMTS to CM communications. BPI/SEC security goals are twofold:
* provide cable modem users with data privacy across the cable network
* provide cable service operators with service protection; i.e., prevent unauthorized users from gaining access to the network’s RF MAC services
BPI/SEC is intended to provide a level of data privacy across the shared medium cable network equal to or better than that provided by dedicated line network access services (analog modem or digital subscriber line). It does this by encrypting data flows between the CMTS and the CM. BPI & BPI+ utilize 56-bit DES encryption, while SEC adds support for 128-bit AES. All versions provide for periodic key refreshes (at a period configured by the network operator) in order to increase the level of protection.
The earlier BPI specification [ANSI/SCTE 22-2] had limited service protection because the underlying key management protocol did not authenticate cable modems. BPI+ strengthened the service protection feature by adding digital-certificate-based authentication with a public key infrastructure to its key exchange protocol.