MPEG-21 Part4: IPMP ISO/IEC JTC 1/SC29/WG11 N4269 (Committee Draft) Multimedia Security
Mar 20, 2016
MPEG-21 Part4: IPMP
ISO/IEC JTC 1/SC29/WG11 N4269 (Committee Draft)
Multimedia Security
2
Outline
• Overview of the IPMP framework– Framework architecture– Walkthrough
• Standardized processes• Messaging infrastructure
3
ISO/IEC 21000-4
• An MPEG-21 IPMP framework, referred to as “IPMP Extensions”, is specified in this part of MPEG-21– The MPEG IPMP Extensions are designed so
that they can be applied to any MPEG multimedia representation
– Specific mappings of the MPEG IPMP Extensions should be defined as amendments to the MPEG-n standard
4
Interoperability
• Two types of interoperability are defined
• The major focus of MPEG in general• A consumer centric approach • Content protected by one IPMP vendor will play on any given Terminal
C-interoperability
• IPMP Tools from different vendors will be able to integrate into the same Terminal implementation concurrently• An IPMP System is able to comprise IPMP Tools made by one or more vendors• Goal: to simplify the design of tool and terminal interfaces such that the integration and interoperation of these tools and terminals may be more widespread and economical
M-interoperability
Consumers’ Point of View
Manufacturers’ Point of View
5
Framework Architecture
IPMP Tool ID(s)
Alternate IPMP Tool ID(s)
Parametric Tool Description(s)
IPMP Tool Elementary Stream IPMP Information
IPMP Tool List
Content
Terminal
IPMP Tool Manager
Terminal-Tool Message Interchange Interface
Missing IPMP Tools
Content Request
Content Delivery
Obtain missing IPMP Tool(s)
IPMP Tool 1 IPMP Tool n…
Terminal-IPMP Tool Communications
Message Router
6
Walkthrough:(1) User Requests Specific Contents
• The manner in which content is requested is out of scope• Recommendations about the order in which different parts of the content are
received and used– IPMP requirements on the Terminal should be placed with or before media
requirements on the Terminal– Access information and/or restrictions should precede Content Stream download
information
IPMP Tool ID(s)
Alternate IPMP Tool ID(s)
Parametric Tool Description(s)
IPMP Tool Elementary Stream IPMP Information
IPMP Tool List
Content
Terminal
IPMP Tool Manager
Terminal-Tool Message Interchange Interface
IPMP Tool 1
Missing IPMP Tools
Content Request
IPMP Tool 2 …
Message Router
7
Walkthrough:(2) IPMP Tools Description Access
• The Terminal access the IPMP Tool List• Using the IPMP Tool List, the Terminal determines the IPMP
Tools required to consume the content
IPMP Tool ID(s)
Alternate IPMP Tool ID(s)
Parametric Tool Description(s)
IPMP Tool Elementary Stream IPMP Information
IPMP Tool List
Content
Terminal
IPMP Tool Manager
Terminal-Tool Message Interchange Interface
Missing IPMP Tools
Access the IPMP Tool List
Receiving IPMP Tools Descriptio
n
IPMP Tool 1 …IPMP Tool 2
Message Router
8
IPMP Tool ID(s)
Alternate IPMP Tool ID(s)
Parametric Tool Description(s)
IPMP Tool Elementary Stream IPMP Information
IPMP Tool List
Content
Walkthrough:(3) IPMP Tools Retrieval
• Sources of IPMP Tools– Locally available IPMP Tools– Missing IPMP Tools carried in Content itself– Missing IPMP Tools that need to be obtained remotely
Terminal
IPMP Tool Manager
Terminal-Tool Message Interchange Interface
Missing IPMP ToolsObtaining Missing IPMP Tool(s)
IPMP Tool 1 …Locally Available IPMP ToolsIPMP Tool 1 …IPMP Tool 2
ObtainingMissing
IPMP Tool(s)
IPMP Tool 1 IPMP Tool n…
All Required IPMP Tools Received
Message Router
9
IPMP Tool 1 IPMP Tool n…Instantiations
Walkthrough:(4) Instantiation of IPMP Tools
• The Terminal instantiates the IPMP tools• The instantiated Tools are provided with the initial IPMP information from the
Content• IPMP Tools may use IPMP information to
– Determine security requirements for content access– Monitor and facilitate the establishment and maintenance of the security
requirements in inter-Tool communication
IPMP Tool ID(s)
Alternate IPMP Tool ID(s)
Parametric Tool Description(s)
IPMP Tool Elementary Stream IPMP Information
IPMP Tool List
Content
Terminal
IPMP Tool Manager
Terminal-Tool Message Interchange Interface
Missing IPMP Tools
Providing Initial IPMP Information
Message Router
Accessing Content
Inter-Tool Communication
10
Walkthrough:(5) IPMP Initialization and Update
- in Parallel with Content Consumption
• Content consumption if allowed• IPMP Information routing• The whole walkthrough can be requested again
IPMP Tool ID(s)
Alternate IPMP Tool ID(s)
Parametric Tool Description(s)
IPMP Tool Elementary Stream IPMP Information
IPMP Tool List
Content
Terminal
IPMP Tool Manager
Terminal-Tool Message Interchange Interface
IPMP Tool 1 IPMP Tool n…
Missing IPMP Tools
Message Router
Content Consumption
IPMP Info. Routing
11
Illustration of Normative Elements
IPMP Tool ID(s)
Alternate IPMP Tool ID(s)
Parametric Tool Description(s)
IPMP Tool Elementary Stream IPMP Information
IPMP Tool List
Content
Terminal
IPMP Tool Manager
Terminal-Tool Message Interchange Interface
IPMP Tool 1 IPMP Tool n…
Missing IPMP Tools
Content Request
Content Delivery
Obtain missing IPMP Tool(s)
Terminal-IPMP Tool Communications
Message Router
IPMP Tool List
Tools in the Content
Instantiation of IPMP Tools
Mutual AuthenticationIPMP Information
IPMP Information Routing
Consumption Query and Permission
The Parametric Infrastructure
12
Normative Elements
• IPMP Tool List– IPMP Tool ID– Parametric Infrastructure
• Tools in the Content • Instantiation of IPMP Tools• Mutual Authentication• IPMP Information• IPMP Information Routing• Consumption Query and Permission
13
IPMP Tool List
IPMP_ToolListDescriptorbit(8) IPMPToolListDescriptorID;bit(8) numTools;IPMP_Tool ipmpTool[numTools];
The container for the Tool List
IPMP_ToolParametricDescriptor
Container for a parametric description of an IPMP Tool required to access the content
ByteArray parametricDesc;
•For the case of a list of alternate IPMP tools, the Terminals shall select an IPMP Tool from the list•For the case of a parametric description of the IPMP Tool, the Terminal shall select an IPMP Tool that meets the criteria specified in the parametric description
The class describing a logical IPMP Tool required to access the content
IPMP_Toolbit(1) isAltGroup;bit(1) isParametric;bit(6) reserved=0b111111;bit(128) IPMP_ToolID;If (isAltGroup) { bit(8) numAlternates; bit(128) Alt_IPMP_ToolIDs[numAlternates];}else if(isParametric) { IPMP_ToolParametricDescriptor toolParamDescr;}
•A vendor-specific IPMP Tool specified by IPMP_ToolID
•One of a list of alternate IPMP Tools
•An IPMP Tool specified by a parametric description
14
IPMP Tool ID (1/2)
• The IPMP_Tool_ID identifier– 128-bits long– Platform-independent
• A registration authority for IPMP Tools that use a unique ID is required– An association of the download URLs for
various implementations of the given tool for various platforms shall be maintained.
15
IPMP Tool ID (2/2)
IPMP_Tool_ID Semantics0x0000 Forbidden0x0001 Content0x0002 Terminal0x0003-0x2000 Reserved for ISO use0x2001-0xFFFF Carry over from 14496-1 RA0x10000-0x100FF Parametric Tools or
Alternate Tools0x100FF-2^128-2 Open for registration2^128-1 Forbidden
16
Parametric Infrastructure• Cases in which the tools required may not be
unique– Tools are based on popular public algorithms– A wide variety of equivalent implementations are available– Computationally intensive tools leading to platform-specific
optimized implementations form a wide variety of venders– A set of parameters and values are to be identified and
standardized to support a specific class of functionality
• Parametric Representation– Parametric Description– Parametric Aggregation
17
Parametric Description
• Definition– Information that enables a Terminal to choose a
specific Tool implementation that will support all functionalities required by a presentation
• No specific schema for any specific Tool type is attempted to be defined now– It is anticipated that such definitions will be added
over time to develop an optimal schema– Only a basic framework is outlined in the current
version of the specification
18
Current Parametric Description Framework
• Version of parametric description syntax• Class of Tool
– e.g. Decryption, Right Language Parser • Sub-class of Tool
– E.g. for Decryption: DES, Camellia– E.g. for Rights Language Parser: XrML, ODRL– E.g. for Protocol Parser: Bluetooth, SmartCard
• Sub-class-specific information– E.g. for DES: number of bits, block decipher capabili
ty– E.g. for Rights language Parser: version
19
Parametric Aggregation
• Definitions– Information to aggregate different IPMP Tools
in a given configuration under a single entry-point IPMP Tool
• Goals– To configure existing IPMP Tools into new
combinations, enabling different types of protection schemes
20
Current Parametric Aggregation Framework
• Version of parametric aggregation syntax• Entry-point Tool
– Input and output pin specification– The ID of the entry-point tool is not required
• List of member IPMP Tools (aggregation units)– A 128-bit IPMP Tool ID– One or more Input and output interface codes
• No duplication of interface codes to avoid ambiguity• Sequential links can be established
• Opaque information, specific to the entry-point tool
• Optional signal information
21
Delivery of Tools via Content
• One or more Binary Representations of IPMP Tools may be carried directly or by reference in an MPEG presentation
• Required information– IPMP_Tool_ID– Tool_Format_ID
• The Binary Representation of the Tool• E.g. Platform Dependent Native Code, Java Byte Code
– Tool_Package_ID• The details of the packages of the tool• E.g. CAB, Winzip self-install executable
– Signature and Certification data
Assigned by a Registration Authority
Assigned by a Registration Authority
22
IPMP Tool Instantiation
• Upon instantiation of an IPMP Tools, all IPMP Tools already instantiated by the Terminal must be notified such instantiation
• The newly instantiated IPMP Tool may request to be informed of other IPMP Tools running on the Terminal
• The process of instantiation– Establish a context for the Tool being instantiated– Establish a link between the Message Router and the
Tool instance– Establish a link between the Tool instance and the
Message Router
23
Events Triggering IPMP Tools Instantiation
• Sources and requirements – The Content
• The syntax and context that trigger instantiation• The scope of protection• The relationship of one IPMP Tool with another
IPMP Tool in the same scope of protection– Another IPMP Tool
• Clear method of creation of a context for such instantiation
24
IPMP Information Routing• Addressing
– Normative addressing methods are used – Addressee of a specific message is implicit either
by bit-stream context or by process context• Message router
– Handling the physical routing of information, synchronous/asynchronous delivery issues, and context resolution
– Abstract all platform-dependent issues – Both interfaces between the Message Router and
the IPMP Tools and the behavior of the Message Router are normative
25
Mutual Authentication
• IPMP Tools may be required to communicate with one another or the Terminal.
• Execution of mutual authentication– The tool that initiates mutual authentication with
another tool determines the conditions of trust to be achieved by such authentication
• E.g. integrity protected communication or fully-secured communication
– Both tools engaged in message exchange to determine which authentication protocol will be used
26
Credentials
• Used by an IPMP Tool or Terminal for identification, verification, mutual authentication, and similar security process.– Information about the identity and
implementation of IPMP Tools (see the recommended schema)
– A means of identifying the integrity and validity of the credential info
– Trust and security metadata– Opaque information
27
A Schema for Platform Presentation (Informative)
28
Permission for Consumption
• Permission for an intent on protected media in a presentation should be requested from and explicitly granted by all IPMP Tools protecting that media, prior to processing such intents.
• Permission is granted in true-false form by each IPMP Tool.
29
IPMP Tool Manager
• A conceptual entity in a given IPMP Terminal– Parsing IPMP Tool List– Retrieving IPMP Tools– Processing parametric descriptions – Resolving alternative tools– Receive binary Tools that arrive in the content
30
Message Router
• All IPMP Tool messages are routed through the Terminal
• The Message Router (MR) connects and communicates with supported IPMP Tools, and thus abstracts the physical interface of one IPMP Tool from other IPMP Tools that wishes to communicate with it.
31
Message Infrastructure
• Normative components of the IPMP Tool Interaction Framework– Interaction (communication) is realized via
“messaging”– The generic functional interface is normative– The messages (syntax and semantics) are
normative– The process of message routing is normative
32
Message Interchange Interface
IPMP_ToolMsgStatusIPMP_ReceiveMessage( [in] short Sender, //sender context ID [in] short Recipient, //recipient context ID [in] long MsgSize, //size of message in bits [in] octet Msg[], //payload [in] IPMP_MsgMode, //sync/async [in] long MsgID) //message ID, included in resp
onse message
IPMP_ToolMsgStatusAn enumerated status returned by the Terminal (MR) to the message originator
IPMP_MSG_STATUS_MSG_POSTEDIPMP_MSG_STATUS_INVALID_SENDER_IDIPMP_MSG_STATUS_INVALFID_RECIPIENT_IDIPMP_MSG_STATUS_MSG_MODE_NOT_SUPPORTEDIPMP_MSG_STATUS_GENERIC_ERROR
33
IPMP Tool Messages (I)
Instantiation and Notification•IPMP_CreateNewToolInstance/IPMP_ToolInstNotification•IPMP_RequestInstTools/IPMP_ToolInstNotofication•IPMP_AddToolInstNotoficationListener (IPMP_ToolInstNotofication)•IPMP_RemoveToolInstNotoficationListener•IPMP_RequestToolContextID/IPMP_SupplyToolContextID
IPMP Information Delivery
Data Processing Functions (between terminals and tools)•IPMP_ProcessData/IPMP_ProcessDataReturn
Intent and Permission•IPMP_IntentRequest/IPMP_IntentResponse•IPMP_IntentTerminate•IPMP_IntentRevoke
34
IPMP Tool Messages (II)
ToolToUserMessage (defined as a class)•languageCode: three character language code•titleText: Title of dialog display•displayText: Text to be displayed to the user•promptText: Text to be displayed to the user to indicate the purpose of text input field •optionText: text to be displayed indicating purpose of option selection•SMIL: SMIL file to be displayed
UserToToolMessage (defined as a class)•replyText: text entered by user•optionResult
35
IPMP Tool Messages (III)
Mutual Authentication Messages•IPMP_InitAuthentication
•Context ID•Authentication Types
•No authentication required•No ID verify, do secure channel•No ID verify, no secure channel•Do ID verify, do secure channel
36
IPMP Tool Acquisition
Content Terminal IPMP Tool Provider IPMP ToolGet Tool List
Tool ListIPMP Data
Locate Tool
Establish Channel
Acquire IPMP Tool
ToolInstantiate
Mutual AuthenticationIPMP Data
Allow Consume Content
Get Content
Content
37
Failed IPMP Tool Validation
Content Terminal IPMP Tool Provider IPMP ToolGet Tool List
Tool ListIPMP Data
Locate Tool
Establish Channel
Acquire IPMP Tool
ToolInstantiate
Mutual Authentication
Failed Authentication: Consumption Terminates
38
Denied User Permission
Content Terminal IPMP Tool Provider IPMP ToolGet Tool List
Tool ListIPMP Data
Locate Tool
Establish Channel
Acquire IPMP Tool
ToolInstantiate
Mutual AuthenticationIPMP Data
Disallow Content Consumption