MPEG-21 Part4: IPMP ISO/IEC JTC 1/SC29/WG11 N4269 (Committee Draft)

MPEG-21 Part4: IPMP

ISO/IEC JTC 1/SC29/WG11 N4269 (Committee Draft)

Multimedia Security

2

Outline

• Overview of the IPMP framework– Framework architecture– Walkthrough

• Standardized processes• Messaging infrastructure

3

ISO/IEC 21000-4

• An MPEG-21 IPMP framework, referred to as “IPMP Extensions”, is specified in this part of MPEG-21– The MPEG IPMP Extensions are designed so

that they can be applied to any MPEG multimedia representation

– Specific mappings of the MPEG IPMP Extensions should be defined as amendments to the MPEG-n standard

4

Interoperability

• Two types of interoperability are defined

• The major focus of MPEG in general• A consumer centric approach • Content protected by one IPMP vendor will play on any given Terminal

C-interoperability

• IPMP Tools from different vendors will be able to integrate into the same Terminal implementation concurrently• An IPMP System is able to comprise IPMP Tools made by one or more vendors• Goal: to simplify the design of tool and terminal interfaces such that the integration and interoperation of these tools and terminals may be more widespread and economical

M-interoperability

Consumers’ Point of View

Manufacturers’ Point of View

5

Framework Architecture

IPMP Tool ID(s)

Alternate IPMP Tool ID(s)

Parametric Tool Description(s)

IPMP Tool Elementary Stream IPMP Information

IPMP Tool List

Content

Terminal

IPMP Tool Manager

Terminal-Tool Message Interchange Interface

Missing IPMP Tools

Content Request

Content Delivery

Obtain missing IPMP Tool(s)

IPMP Tool 1 IPMP Tool n…

Terminal-IPMP Tool Communications

Message Router

6

Walkthrough:(1) User Requests Specific Contents

• The manner in which content is requested is out of scope• Recommendations about the order in which different parts of the content are

received and used– IPMP requirements on the Terminal should be placed with or before media

requirements on the Terminal– Access information and/or restrictions should precede Content Stream download

information

IPMP Tool ID(s)




IPMP Tool List

Content

Terminal

IPMP Tool Manager


IPMP Tool 1

Missing IPMP Tools

Content Request

IPMP Tool 2 …

Message Router

7

Walkthrough:(2) IPMP Tools Description Access

• The Terminal access the IPMP Tool List• Using the IPMP Tool List, the Terminal determines the IPMP

Tools required to consume the content

IPMP Tool ID(s)




IPMP Tool List

Content

Terminal

IPMP Tool Manager


Missing IPMP Tools

Access the IPMP Tool List

Receiving IPMP Tools Descriptio

n

IPMP Tool 1 …IPMP Tool 2

Message Router

8

IPMP Tool ID(s)




IPMP Tool List

Content

Walkthrough:(3) IPMP Tools Retrieval

• Sources of IPMP Tools– Locally available IPMP Tools– Missing IPMP Tools carried in Content itself– Missing IPMP Tools that need to be obtained remotely

Terminal

IPMP Tool Manager


Missing IPMP ToolsObtaining Missing IPMP Tool(s)

IPMP Tool 1 …Locally Available IPMP ToolsIPMP Tool 1 …IPMP Tool 2

ObtainingMissing

IPMP Tool(s)


All Required IPMP Tools Received

Message Router

9

IPMP Tool 1 IPMP Tool n…Instantiations

Walkthrough:(4) Instantiation of IPMP Tools

• The Terminal instantiates the IPMP tools• The instantiated Tools are provided with the initial IPMP information from the

Content• IPMP Tools may use IPMP information to

– Determine security requirements for content access– Monitor and facilitate the establishment and maintenance of the security

requirements in inter-Tool communication

IPMP Tool ID(s)




IPMP Tool List

Content

Terminal

IPMP Tool Manager


Missing IPMP Tools

Providing Initial IPMP Information

Message Router

Accessing Content

Inter-Tool Communication

10

Walkthrough:(5) IPMP Initialization and Update

- in Parallel with Content Consumption

• Content consumption if allowed• IPMP Information routing• The whole walkthrough can be requested again

IPMP Tool ID(s)




IPMP Tool List

Content

Terminal

IPMP Tool Manager



Missing IPMP Tools

Message Router

Content Consumption

IPMP Info. Routing

11

Illustration of Normative Elements

IPMP Tool ID(s)




IPMP Tool List

Content

Terminal

IPMP Tool Manager



Missing IPMP Tools

Content Request

Content Delivery

Obtain missing IPMP Tool(s)

Terminal-IPMP Tool Communications

Message Router

IPMP Tool List

Tools in the Content

Instantiation of IPMP Tools

Mutual AuthenticationIPMP Information

IPMP Information Routing

Consumption Query and Permission

The Parametric Infrastructure

12

Normative Elements

• IPMP Tool List– IPMP Tool ID– Parametric Infrastructure

• Tools in the Content • Instantiation of IPMP Tools• Mutual Authentication• IPMP Information• IPMP Information Routing• Consumption Query and Permission

13

IPMP Tool List

IPMP_ToolListDescriptorbit(8) IPMPToolListDescriptorID;bit(8) numTools;IPMP_Tool ipmpTool[numTools];

The container for the Tool List

IPMP_ToolParametricDescriptor

Container for a parametric description of an IPMP Tool required to access the content

ByteArray parametricDesc;

•For the case of a list of alternate IPMP tools, the Terminals shall select an IPMP Tool from the list•For the case of a parametric description of the IPMP Tool, the Terminal shall select an IPMP Tool that meets the criteria specified in the parametric description

The class describing a logical IPMP Tool required to access the content

IPMP_Toolbit(1) isAltGroup;bit(1) isParametric;bit(6) reserved=0b111111;bit(128) IPMP_ToolID;If (isAltGroup) { bit(8) numAlternates; bit(128) Alt_IPMP_ToolIDs[numAlternates];}else if(isParametric) { IPMP_ToolParametricDescriptor toolParamDescr;}

•A vendor-specific IPMP Tool specified by IPMP_ToolID

•One of a list of alternate IPMP Tools

•An IPMP Tool specified by a parametric description

14

IPMP Tool ID (1/2)

• The IPMP_Tool_ID identifier– 128-bits long– Platform-independent

• A registration authority for IPMP Tools that use a unique ID is required– An association of the download URLs for

various implementations of the given tool for various platforms shall be maintained.

15

IPMP Tool ID (2/2)

IPMP_Tool_ID Semantics0x0000 Forbidden0x0001 Content0x0002 Terminal0x0003-0x2000 Reserved for ISO use0x2001-0xFFFF Carry over from 14496-1 RA0x10000-0x100FF Parametric Tools or

Alternate Tools0x100FF-2^128-2 Open for registration2^128-1 Forbidden

16

Parametric Infrastructure• Cases in which the tools required may not be

unique– Tools are based on popular public algorithms– A wide variety of equivalent implementations are available– Computationally intensive tools leading to platform-specific

optimized implementations form a wide variety of venders– A set of parameters and values are to be identified and

standardized to support a specific class of functionality

• Parametric Representation– Parametric Description– Parametric Aggregation

17

Parametric Description

• Definition– Information that enables a Terminal to choose a

specific Tool implementation that will support all functionalities required by a presentation

• No specific schema for any specific Tool type is attempted to be defined now– It is anticipated that such definitions will be added

over time to develop an optimal schema– Only a basic framework is outlined in the current

version of the specification

18

Current Parametric Description Framework

• Version of parametric description syntax• Class of Tool

– e.g. Decryption, Right Language Parser • Sub-class of Tool

– E.g. for Decryption: DES, Camellia– E.g. for Rights Language Parser: XrML, ODRL– E.g. for Protocol Parser: Bluetooth, SmartCard

• Sub-class-specific information– E.g. for DES: number of bits, block decipher capabili

ty– E.g. for Rights language Parser: version

19

Parametric Aggregation

• Definitions– Information to aggregate different IPMP Tools

in a given configuration under a single entry-point IPMP Tool

• Goals– To configure existing IPMP Tools into new

combinations, enabling different types of protection schemes

20

Current Parametric Aggregation Framework

• Version of parametric aggregation syntax• Entry-point Tool

– Input and output pin specification– The ID of the entry-point tool is not required

• List of member IPMP Tools (aggregation units)– A 128-bit IPMP Tool ID– One or more Input and output interface codes

• No duplication of interface codes to avoid ambiguity• Sequential links can be established

• Opaque information, specific to the entry-point tool

• Optional signal information

21

Delivery of Tools via Content

• One or more Binary Representations of IPMP Tools may be carried directly or by reference in an MPEG presentation

• Required information– IPMP_Tool_ID– Tool_Format_ID

• The Binary Representation of the Tool• E.g. Platform Dependent Native Code, Java Byte Code

– Tool_Package_ID• The details of the packages of the tool• E.g. CAB, Winzip self-install executable

– Signature and Certification data

Assigned by a Registration Authority

Assigned by a Registration Authority

22

IPMP Tool Instantiation

• Upon instantiation of an IPMP Tools, all IPMP Tools already instantiated by the Terminal must be notified such instantiation

• The newly instantiated IPMP Tool may request to be informed of other IPMP Tools running on the Terminal

• The process of instantiation– Establish a context for the Tool being instantiated– Establish a link between the Message Router and the

Tool instance– Establish a link between the Tool instance and the

Message Router

23

Events Triggering IPMP Tools Instantiation

• Sources and requirements – The Content

• The syntax and context that trigger instantiation• The scope of protection• The relationship of one IPMP Tool with another

IPMP Tool in the same scope of protection– Another IPMP Tool

• Clear method of creation of a context for such instantiation

24

IPMP Information Routing• Addressing

– Normative addressing methods are used – Addressee of a specific message is implicit either

by bit-stream context or by process context• Message router

– Handling the physical routing of information, synchronous/asynchronous delivery issues, and context resolution

– Abstract all platform-dependent issues – Both interfaces between the Message Router and

the IPMP Tools and the behavior of the Message Router are normative

25

Mutual Authentication

• IPMP Tools may be required to communicate with one another or the Terminal.

• Execution of mutual authentication– The tool that initiates mutual authentication with

another tool determines the conditions of trust to be achieved by such authentication

• E.g. integrity protected communication or fully-secured communication

– Both tools engaged in message exchange to determine which authentication protocol will be used

26

Credentials

• Used by an IPMP Tool or Terminal for identification, verification, mutual authentication, and similar security process.– Information about the identity and

implementation of IPMP Tools (see the recommended schema)

– A means of identifying the integrity and validity of the credential info

– Trust and security metadata– Opaque information

27

A Schema for Platform Presentation (Informative)

28

Permission for Consumption

• Permission for an intent on protected media in a presentation should be requested from and explicitly granted by all IPMP Tools protecting that media, prior to processing such intents.

• Permission is granted in true-false form by each IPMP Tool.

29

IPMP Tool Manager

• A conceptual entity in a given IPMP Terminal– Parsing IPMP Tool List– Retrieving IPMP Tools– Processing parametric descriptions – Resolving alternative tools– Receive binary Tools that arrive in the content

30

Message Router

• All IPMP Tool messages are routed through the Terminal

• The Message Router (MR) connects and communicates with supported IPMP Tools, and thus abstracts the physical interface of one IPMP Tool from other IPMP Tools that wishes to communicate with it.

31

Message Infrastructure

• Normative components of the IPMP Tool Interaction Framework– Interaction (communication) is realized via

“messaging”– The generic functional interface is normative– The messages (syntax and semantics) are

normative– The process of message routing is normative

32

Message Interchange Interface

IPMP_ToolMsgStatusIPMP_ReceiveMessage( [in] short Sender, //sender context ID [in] short Recipient, //recipient context ID [in] long MsgSize, //size of message in bits [in] octet Msg[], //payload [in] IPMP_MsgMode, //sync/async [in] long MsgID) //message ID, included in resp

onse message

IPMP_ToolMsgStatusAn enumerated status returned by the Terminal (MR) to the message originator

IPMP_MSG_STATUS_MSG_POSTEDIPMP_MSG_STATUS_INVALID_SENDER_IDIPMP_MSG_STATUS_INVALFID_RECIPIENT_IDIPMP_MSG_STATUS_MSG_MODE_NOT_SUPPORTEDIPMP_MSG_STATUS_GENERIC_ERROR

33

IPMP Tool Messages (I)

Instantiation and Notification•IPMP_CreateNewToolInstance/IPMP_ToolInstNotification•IPMP_RequestInstTools/IPMP_ToolInstNotofication•IPMP_AddToolInstNotoficationListener (IPMP_ToolInstNotofication)•IPMP_RemoveToolInstNotoficationListener•IPMP_RequestToolContextID/IPMP_SupplyToolContextID

IPMP Information Delivery

Data Processing Functions (between terminals and tools)•IPMP_ProcessData/IPMP_ProcessDataReturn

Intent and Permission•IPMP_IntentRequest/IPMP_IntentResponse•IPMP_IntentTerminate•IPMP_IntentRevoke

34

IPMP Tool Messages (II)

ToolToUserMessage (defined as a class)•languageCode: three character language code•titleText: Title of dialog display•displayText: Text to be displayed to the user•promptText: Text to be displayed to the user to indicate the purpose of text input field •optionText: text to be displayed indicating purpose of option selection•SMIL: SMIL file to be displayed

UserToToolMessage (defined as a class)•replyText: text entered by user•optionResult

35

IPMP Tool Messages (III)

Mutual Authentication Messages•IPMP_InitAuthentication

•Context ID•Authentication Types

•No authentication required•No ID verify, do secure channel•No ID verify, no secure channel•Do ID verify, do secure channel

36

IPMP Tool Acquisition

Content Terminal IPMP Tool Provider IPMP ToolGet Tool List

Tool ListIPMP Data

Locate Tool

Establish Channel

Acquire IPMP Tool

ToolInstantiate

Mutual AuthenticationIPMP Data

Allow Consume Content

Get Content

Content

37

Failed IPMP Tool Validation


Tool ListIPMP Data

Locate Tool

Establish Channel

Acquire IPMP Tool

ToolInstantiate

Mutual Authentication

Failed Authentication: Consumption Terminates

38

Denied User Permission


Tool ListIPMP Data

Locate Tool

Establish Channel

Acquire IPMP Tool

ToolInstantiate

Mutual AuthenticationIPMP Data

Disallow Content Consumption

MPEG-21 Part4: IPMP ISO/IEC JTC 1/SC29/WG11 N4269 (Committee Draft)

Documents