Content Provider Meeting Provider Meeti… · ATIS Content Provider Meeting May 12, 2011 Communicate the motivation, architecture and proposed solution for downloadable security Discuss

ATIS Content Provider MeetingMay 12, 2011

Content Provider Meeting

Downloadable Security for IP-delivered Media Content

May 12, 2011


• Introductions & Meeting Objectives• Content Security Environment

• Downloadable Security Solution

• Industry and Business Challenges

• Content Provider Feedback• Next Steps

Agenda

2


Background

• ATIS has an extensive standards development program for IPTV and IP-based security

• ATIS undertook an initiative to develop IPTV downloadable security solution (and business framework)

• Began to socialize the technical solution and Neutral Management Organization (NMO) concept in 2Q10More recently, ATIS Board expanded the scope from IPTV to IP-delivered media content

• Board encouraged engagement with the content provider community to obtain feedback on target solution

3


Communicate the motivation, architecture and proposed solution for downloadable security

Discuss degree to which solution intersects with content provider security needs

Understand the importance of hardware-based solutions on content security models and consumer device market

Assess pros/cons of the trust authority (neutral management organization) and how that fits with related industry activities

Summarize feedback on viability of downloadable security for IP-delivered media content

Objectives for Meeting

4


Current Content Environment

Portability of Portability of solutions across solutions across

devicesdevices

OTT and managed OTT and managed delivery modelsdelivery models

Content Content Anywhere Anywhere

ApplicationsApplications

Growing dependence Growing dependence on software-on software-

based solutionsbased solutions

Challenge - Evolution of security solutions to intersect market &

business needs!5


• The value proposition for security is directly related to the worth of the object you are trying to secure

• The level or strength of security varies widely for different content in different forms• Popularity Matters – Premium content will inherently

warrant a greater degree of protection

• Quality Matters – More security is needed for a 1080p HD video than a cell phone QCIF video @ 144 lines of resolution

• The Receiving Device Matters – The device usually implies a level of quality, but may also be able to record and duplicate the content. How well does the device obey the “Robustness Rules”

The Variables That Influence Security Requirements

6


Range of Security Solutions

Integrated Hardware Solutions

Software-based Security Solutions

Downloadable Security

• Acceptability level for each solution

• Usability for premium content

• Portability to many devices

• Security robustness and recovery

Content Providers

7


Classes of Content Security Solutions

Common Encryption Algorithm Everyone uses the same encryption algorithm

Single Common DRM Ecosystem only permits a single DRM

Separable Hardware-based Security environment on a removable device

Downloadable Secure Execution Environment Security client downloaded into an embedded security device

Separable Software-based Security environment on a single CPU

• Interoperable DRMsInteroperable DRMs• Secure execution Secure execution

environmentenvironment• Applicable to many devicesApplicable to many devices• Future proof (renewable) Future proof (renewable)

solutionsolution• Harmonizes with other Harmonizes with other

ecosystemsecosystems8


ATIS Downloadable Security Status

The ATIS Board of Directors provided the following re-direction in 4Q10…•Roadmap must support all forms of IP-based media•Provide for more explicit treatment of DRM-secured content•Following areas need to be considered:

• 3 screen experience• Mobile device applications• HTML5-presented content

•Identify how this business framework would relate to other content-related activities in the industry

Technical team is refining architecture & requirements → mid-2011

9


Downloadable Security Architecture

10


Server Side Architecture

Unique Code

Global Code

11


Benefits

CAS/DRM client agnostic Secure execution environment Portability across devices Renewal and recovery mechanism Enforced chain of trust solution Can be extended to new content sources, formats, etc. Can be harmonized with other content security

ecosystems

What are the significant benefits of downloadable security and the QSP approach undertaken by IDSI ?

12


ATIS Security Approach• Does not specify a CAS or DRM• Defined set of security algorithms implementable by many products• Trust Management Hierarchy (PKI) with well-defined robustness

rules• Requires participation in a chain of trust• Defines Security Profiles based on chain of trust and level of security

robustness of secure execution environment• The device certificate has means for specifying (and authenticating)

security profiles

Security Profiles 0,1,2,3,4

Chain of Trust

Execution Environment

Indirect Direct

Non-secure Secure

13


Benefits of Security Profiles

• Recognizes that security may vary by type of device• Vendor neutral approach

• Allows Content Owners to specify security profile compliance for access to content in specific formats• For example, content might require the highest profile to

access a very recent title in HD quality but might accept a less secure environment for a low resolution version of the same title

• Security profiles and levels mapped to common licensing regime (HDCP, DTCP, etc.) and FIPS 140-2.

• If implemented correctly, can be complimentary to existing content ecosystems

14


NMO Meetings with Industry

• Approximately 30 companies attended ATIS-sponsored NMO meetings held in late 2010

• Operators, content owners, CE & chip, security and network manufacturers

• Discussed proposed ecosystem, partner relationships, structure

• Overall reaction was favorable (i.e., framework is constructed properly), but there are a number of open issues:

• Indemnification and liability of NMO partners• Acceptable solution for multiple clients or secure parts in a

device• Interaction with other content-related activities in industry (e.g.,

UltraViolet™)

• Follow-up meetings deferred till 2Q11 to facilitate refinement of architecture 15


Participating Companies at NMO Meetings

Alcatel-Lucent

AT&T

Beyond Broadband Technologies

Broadcom Corp.

Cisco Systems

Ericsson, Inc.

Home Box Office (HBO)

Intertrust

Intel

LG Electronics

Marconi Pacific

Microsoft, Corp.

Motorola

Motion Picture Association of America (MPAA)

Nagravision

NBC Universal

NDS America

Neustar

Panasonic

STMicroelectronics

TELUS

Time Warner

Verizon

Viaccess

Viacom/MTV

Warner Brothers

16


Neutral Management Organization (NMO)

Neutral Management Organization (NMO)

Certificate Authority

Revocation Review Process

Test Labs

Approved Test Scripts

Hook IP Licensing

Agreement

Robustness Rules

Certificate Authority

CE Vendors

CA Policies

IDSI Spec

IIF ISS Standards

IIF T&I Standards

Multiple IPTV PKI Operators

ATIS(and other standards)

Revocation Request

Revocation List

Fault Arbitration Process

Security Breach Resolution NewCo LLC

(Oversight)

(Ongoing Operations)

QSP Vendors

17


Security Ecosystem ComparisonClass of Solution

Example Ecosystem

Compliance Process

Robustness Rules

Recovery Process

Revocation InteroperableDRMs

Common Encryption Algorithm

UltraViolet Enforced centrally

Enforced across ecosystem

Software download

Ecosystem

Single Common DRM

Marlin Enforced centrally

Controlled by Trust Mgt. org.

Controlled by Trust Mgt. org.

Issued by Trust Mgt. org.

Separable Hardware-based

Cable Card Enforced centrally

Enforced centrally

HW/Card replaced

Issued centrally

Separable Software-based

Vendor DRM

Vendor Controlled by DRM vendor

Software download

DRM vendor

Downloadable Secure Execution Environment

Proposed NMO

QSP (NMO); Devices (ITL)

Enforced by NMO

Secure software download

Issued by CAs; oversight by NMO

18


Relationship to Other Content Activities

• Numerous standards groups and forums are working on security for IP-based content

• Industry groups recognize the need to develop solutions that support both broadcast and Internet delivered content• Protective adaptive streaming• TV services over the web via HTML5

• Downloadable security solution can be harmonized with, and complementary to, existing operations like UltraViolet™• DSS does not specify a CAS or DRM client• Provides mechanism to download additional clients or renew

19


Content Provider Feedback

• Downloadable security approach ?• Trend of hardware- versus software-based solutions ?• Applicability of downloadable solution to portable

consumer device market ?

• Value assessment of security profile structure ?

• Neutral entity to manage security across devices, clients, providers ?

20


THANK YOU !

21

Proposed Next Steps


Back Up Slides

22


Downloadable Security Architecture(under development)

23


ATIS IIF Security ProfilesProfile 0 is defined as:• No authentication and no integrity check of ISS/A and ISS/E (i.e. there is no chain of

trust and the Native Security Solution (NSS) execution environment is non-secure. A PC used to access a web site.)

Profile 1 is defined as: • Authentication and integrity of ISS/A and ISS/E are verified by software on the IPTV

Device (i.e., an indirect chain of trust).• An NSS execution environment that is non-secure

Profile 2 is defined as:• Authentication and integrity of ISS/A and ISS/E are verified by hardware on the IPTV

Device (i.e., a direct chain-of-trust).• An NSS execution environment that is non-secure. (e.g. A web appliance)

Profile 3 is defined as:• Authentication and integrity of ISS/A and ISS/E are verified by software on the IPTV

Device (i.e., an indirect chain-of-trust).• A secure NSS execution environment as defined in ATIS-0800024.

Profile 4 is defined as:• Authentication and integrity of ISS/A and ISS/E are verified by hardware on the IPTV

Device (i.e., a direct chain-of-trust).• A secure NSS execution environment as defined in ATIS-0800024. (e.g., STB)

24

Content Provider Meeting Provider Meeti… · ATIS Content Provider Meeting May 12, 2011 Communicate the motivation, architecture and proposed solution for downloadable security Discuss

Documents