MPEG-21 Part4: IPMP ISO/IEC JTC 1/SC29/WG11 N4269 (Committee Draft)

MPEG-21 Part4: IPMP ISO/IEC JTC 1/SC29/WG11 N4269 (Committee Draft)Multimedia Security

OutlineOverview of the IPMP frameworkFramework architectureWalkthroughStandardized processesMessaging infrastructure

ISO/IEC 21000-4An MPEG-21 IPMP framework, referred to as IPMP Extensions, is specified in this part of MPEG-21The MPEG IPMP Extensions are designed so that they can be applied to any MPEG multimedia representationSpecific mappings of the MPEG IPMP Extensions should be defined as amendments to the MPEG-n standard

InteroperabilityTwo types of interoperability are defined Consumers Point of ViewManufacturers Point of View

Framework Architecture IPMP Tool ID(s)Alternate IPMP Tool ID(s)Parametric Tool Description(s)IPMP Tool Elementary Stream IPMP InformationIPMP Tool ListContentTerminalIPMP Tool ManagerTerminal-Tool Message Interchange InterfaceMissing IPMP ToolsContent RequestContent DeliveryObtain missing IPMP Tool(s)Message Router

Walkthrough:(1) User Requests Specific ContentsThe manner in which content is requested is out of scopeRecommendations about the order in which different parts of the content are received and usedIPMP requirements on the Terminal should be placed with or before media requirements on the TerminalAccess information and/or restrictions should precede Content Stream download informationIPMP Tool ID(s)Alternate IPMP Tool ID(s)Parametric Tool Description(s)IPMP Tool Elementary Stream IPMP InformationIPMP Tool ListContentIPMP Tool 1Missing IPMP ToolsIPMP Tool 2Message Router

Walkthrough:(2) IPMP Tools Description Access The Terminal access the IPMP Tool ListUsing the IPMP Tool List, the Terminal determines the IPMP Tools required to consume the content IPMP Tool ID(s)Alternate IPMP Tool ID(s)Parametric Tool Description(s)IPMP Tool Elementary Stream IPMP InformationIPMP Tool ListContentMissing IPMP ToolsMessage Router

Walkthrough:(3) IPMP Tools RetrievalSources of IPMP ToolsLocally available IPMP ToolsMissing IPMP Tools carried in Content itselfMissing IPMP Tools that need to be obtained remotelyMissing IPMP ToolsIPMP Tool 1Message Router

Walkthrough:(4) Instantiation of IPMP ToolsThe Terminal instantiates the IPMP toolsThe instantiated Tools are provided with the initial IPMP information from the ContentIPMP Tools may use IPMP information to Determine security requirements for content accessMonitor and facilitate the establishment and maintenance of the security requirements in inter-Tool communicationMissing IPMP ToolsMessage Router

Walkthrough:(5) IPMP Initialization and Update- in Parallel with Content ConsumptionContent consumption if allowedIPMP Information routingThe whole walkthrough can be requested againIPMP Tool 1IPMP Tool nMissing IPMP ToolsMessage Router

Illustration of Normative ElementsIPMP Tool ID(s)Alternate IPMP Tool ID(s)Parametric Tool Description(s)IPMP Tool Elementary Stream IPMP InformationIPMP Tool ListContentIPMP Tool 1IPMP Tool nMissing IPMP ToolsContent RequestContent DeliveryObtain missing IPMP Tool(s)Terminal-IPMP Tool CommunicationsMessage RouterThe Parametric Infrastructure

Normative ElementsIPMP Tool ListIPMP Tool IDParametric InfrastructureTools in the Content Instantiation of IPMP ToolsMutual AuthenticationIPMP InformationIPMP Information RoutingConsumption Query and Permission

IPMP Tool ListFor the case of a list of alternate IPMP tools, the Terminals shall select an IPMP Tool from the listFor the case of a parametric description of the IPMP Tool, the Terminal shall select an IPMP Tool that meets the criteria specified in the parametric description

IPMP Tool ID (1/2)The IPMP_Tool_ID identifier128-bits longPlatform-independentA registration authority for IPMP Tools that use a unique ID is requiredAn association of the download URLs for various implementations of the given tool for various platforms shall be maintained.

IPMP Tool ID (2/2)

IPMP_Tool_IDSemantics0x0000Forbidden0x0001Content0x0002Terminal0x0003-0x2000Reserved for ISO use0x2001-0xFFFFCarry over from 14496-1 RA0x10000-0x100FFParametric Tools or Alternate Tools0x100FF-2^128-2Open for registration2^128-1Forbidden

Parametric InfrastructureCases in which the tools required may not be uniqueTools are based on popular public algorithmsA wide variety of equivalent implementations are availableComputationally intensive tools leading to platform-specific optimized implementations form a wide variety of vendersA set of parameters and values are to be identified and standardized to support a specific class of functionalityParametric RepresentationParametric DescriptionParametric Aggregation

Parametric DescriptionDefinitionInformation that enables a Terminal to choose a specific Tool implementation that will support all functionalities required by a presentationNo specific schema for any specific Tool type is attempted to be defined nowIt is anticipated that such definitions will be added over time to develop an optimal schemaOnly a basic framework is outlined in the current version of the specification

Current Parametric Description FrameworkVersion of parametric description syntaxClass of Toole.g. Decryption, Right Language Parser Sub-class of ToolE.g. for Decryption: DES, CamelliaE.g. for Rights Language Parser: XrML, ODRLE.g. for Protocol Parser: Bluetooth, SmartCardSub-class-specific informationE.g. for DES: number of bits, block decipher capabilityE.g. for Rights language Parser: version

Parametric AggregationDefinitionsInformation to aggregate different IPMP Tools in a given configuration under a single entry-point IPMP ToolGoalsTo configure existing IPMP Tools into new combinations, enabling different types of protection schemes

Current Parametric Aggregation FrameworkVersion of parametric aggregation syntaxEntry-point ToolInput and output pin specificationThe ID of the entry-point tool is not requiredList of member IPMP Tools (aggregation units)A 128-bit IPMP Tool IDOne or more Input and output interface codesNo duplication of interface codes to avoid ambiguitySequential links can be establishedOpaque information, specific to the entry-point toolOptional signal information

Delivery of Tools via ContentOne or more Binary Representations of IPMP Tools may be carried directly or by reference in an MPEG presentation Required informationIPMP_Tool_IDTool_Format_IDThe Binary Representation of the ToolE.g. Platform Dependent Native Code, Java Byte CodeTool_Package_IDThe details of the packages of the toolE.g. CAB, Winzip self-install executableSignature and Certification data

IPMP Tool InstantiationUpon instantiation of an IPMP Tools, all IPMP Tools already instantiated by the Terminal must be notified such instantiationThe newly instantiated IPMP Tool may request to be informed of other IPMP Tools running on the TerminalThe process of instantiationEstablish a context for the Tool being instantiatedEstablish a link between the Message Router and the Tool instanceEstablish a link between the Tool instance and the Message Router

Events Triggering IPMP Tools InstantiationSources and requirements The ContentThe syntax and context that trigger instantiationThe scope of protectionThe relationship of one IPMP Tool with another IPMP Tool in the same scope of protectionAnother IPMP ToolClear method of creation of a context for such instantiation

IPMP Information RoutingAddressingNormative addressing methods are used Addressee of a specific message is implicit either by bit-stream context or by process contextMessage routerHandling the physical routing of information, synchronous/asynchronous delivery issues, and context resolutionAbstract all platform-dependent issues Both interfaces between the Message Router and the IPMP Tools and the behavior of the Message Router are normative

Mutual AuthenticationIPMP Tools may be required to communicate with one another or the Terminal.Execution of mutual authenticationThe tool that initiates mutual authentication with another tool determines the conditions of trust to be achieved by such authenticationE.g. integrity protected communication or fully-secured communicationBoth tools engaged in message exchange to determine which authentication protocol will be used

CredentialsUsed by an IPMP Tool or Terminal for identification, verification, mutual authentication, and similar security process.Information about the identity and implementation of IPMP Tools (see the recommended schema)A means of identifying the integrity and validity of the credential infoTrust and security metadataOpaque information

A Schema for Platform Presentation (Informative)

Permission for ConsumptionPermission for an intent on protected media in a presentation should be requested from and explicitly granted by all IPMP Tools protecting that media, prior to processing such intents.Permission is granted in true-false form by each IPMP Tool.

IPMP Tool ManagerA conceptual entity in a given IPMP TerminalParsing IPMP Tool ListRetrieving IPMP ToolsProcessing parametric descriptions Resolving alternative toolsReceive binary Tools that arrive in the content

Message RouterAll IPMP Tool messages are routed through the TerminalThe Message Router (MR) connects and communicates with supported IPMP Tools, and thus abstracts the physical interface of one IPMP Tool from other IPMP Tools that wishes to communicate with it.

Message InfrastructureNormative components of the IPMP Tool Interaction FrameworkInteraction (communication) is realized via messagingThe generic functional interface is normativeThe messages (syntax and semantics) are normativeThe process of message routing is normative

Message Interchange InterfaceIPMP_ToolMsgStatusIPMP_ReceiveMessage( [in] short Sender, //sender context ID [in] short Recipient, //recipient context ID [in] long MsgSize, //size of message in bits [in] octet Msg[], //payload [in] IPMP_MsgMode, //sync/async [in] long MsgID) //message ID, included in response message IPMP_ToolMsgStatusAn enumerated status returned by the Terminal (MR) to the message originator

IPMP_MSG_STATUS_MSG_POSTEDIPMP_MSG_STATUS_INVALID_SENDER_IDIPMP_MSG_STATUS_INVALFID_RECIPIENT_IDIPMP_MSG_STATUS_MSG_MODE_NOT_SUPPORTEDIPMP_MSG_STATUS_GENERIC_ERROR

IPMP Tool Messages (I) Instantiation and NotificationIPMP_CreateNewToolInstance/IPMP_ToolInstNotificationIPMP_RequestInstTools/IPMP_ToolInstNotoficationIPMP_AddToolInstNotoficationListener (IPMP_ToolInstNotofication)IPMP_RemoveToolInstNotoficationListenerIPMP_RequestToolContextID/IPMP_SupplyToolContextIDIPMP Information DeliveryData Processing Functions (between terminals and tools)IPMP_ProcessData/IPMP_ProcessDataReturnIntent and PermissionIPMP_IntentRequest/IPMP_IntentResponseIPMP_IntentTerminateIPMP_IntentRevoke

IPMP Tool Messages (II)ToolToUserMessage (defined as a class)languageCode: three character language codetitleText: Title of dialog displaydisplayText: Text to be displayed to the userpromptText: Text to be displayed to the user to indicate the purpose of text input field optionText: text to be displayed indicating purpose of option selectionSMIL: SMIL file to be displayedUserToToolMessage (defined as a class)replyText: text entered by useroptionResult

IPMP Tool Messages (III)Mutual Authentication MessagesIPMP_InitAuthentication Context IDAuthentication TypesNo authentication requiredNo ID verify, do secure channelNo ID verify, no secure channelDo ID verify, do secure channel

IPMP Tool AcquisitionContentTerminalIPMP Tool ProviderIPMP Tool

Failed IPMP Tool ValidationContentTerminalIPMP Tool ProviderIPMP ToolFailed Authentication: Consumption Terminates

Denied User PermissionContentTerminalIPMP Tool ProviderIPMP Tool

. Allow the same protected content to be consumed on different vendors Terminals. Allow the same content to be protected by different vendors IPMP ToolsThe Terminal shall route the messages specified in the bitstream for IPMP_ToolID to the specific IPMP Tool instantiated (even in alternate or parametric cases)Permissions are done by related messages