Les Collines de l’Arche, Tour Opéra C, 92 057 Paris La Défense Cedex, France

Phone:+33 1 44 45 64 65 – Fax: +33 1 44 45 64 80 – www.viaccess-orca.com

CONFIDENTIAL – This document is the intellectual property of Viaccess-Orca. It is stricly confidential; any copy is forbidden.

Les Collines de l’Arche, Tour Opéra C, 92 057 Paris La Défense Cedex, FRANCE –

White Paper

Premium Video Services for a Multi-Screen Environment –

The DRM & Business Logic Requirements

2/20

Contents

1. MULTI-SCREEN ENVIRONMENTS – TV EVERYWHERE 3

2. OTT DRM 4

2.1. STANDARDIZATION TRENDS 4

2.2. TOWARDS A SCALABLE DRM INFRASTRUCTURE 4

3. CONTENT SECURITY IN END DEVICES 6

3.1. TRUSTED EXECUTION ENVIRONMENT (TEE) 6

4. UNIFICATION IN THE FACE OF DIVERSITY 8

5. VO UNIFIED SERVICE PLATFORM 9

6. VO SECURITY PARADIGM 11

7. VO DRM ARCHITECTURE 12

8. SECURITY ADAPTED TO THE DEVICE 15

8.1. VO DRM FOR STB 15

8.2. VO DRM FOR TEE-BASED MOBILE DEVICES 16

8.3. VO DRM FOR GENERIC IOS OR ANDROID DEVICES 17

8.4. CONTINUOUS SECURITY 18

9. ACRONYMS 19

10. REFERENCE DOCUMENTS 20

3/20

1. Multi-Screen Environments – TV Everywhere

In today’s always-on, connected world, TV content is no longer consumed only on traditional

Television sets. Connected devices, such as tablet PCs, smartphones and more, enable users to

consume over-the-top (OTT) video content anywhere and anytime.

The underlying video delivery infrastructure is forced to expand beyond traditional closed,

managed networks to vast, unmanaged ones. In this diversified, open environment, delivering

premium live and on-demand video services poses a number of serious security & protection

challenges for content service providers and Pay TV operators.

Rights Management Driven Business Logic

In order to fulfil contractual obligations with content owners in a multi-screen environment, new

types of business rules need to be added to the solution. The new business logic will regulate;

how many concurrent streams can be played in a family and the type of content allowed for each

device type of according to the device’s intrinsic security level.

Content Security Now & Over Time

Content service providers also face the challenge of securing premium content over time across a

wide variety of open client devices. As part of this on-going effort, providers will need to monitor

pirate activities and effectively manage security upgrades. While this has always been a challenge

in Pay TV distribution, it is now greatly amplified with the dramatic increase in device types

operating over open, unsecured networks.

Device diversification

Today, providing TV Everywhere services often means providing support for multiple Conditional

Access (CA) and DRM standards. The specific type of CA/DRM depends on the client device.

Microsoft based devices such as PC’s and XBOX are secured by running Microsoft PlayReady.

Set-top-boxes, tablets and smartphones will be configured to run vendor specific (e.g. Viaccess-

Orca) CA/DRM. At present, content service providers need to cope with multiple DRM

configurations and content packaging.

4/20

2. OTT DRM

2.1. Standardization Trends

The industry is moving towards a set of common OTT standards for streaming, encryption and file

structure that will help support different DRMs in future. The objective is to enable operators to

encode and encrypt content just once for distribution and playback across all the target devices

they may want reach in a TV Everywhere deployment.

There are two parallel and complementary standards movements driving the convergence trend;

MPEG-DASH and UltraViolet. Both have adopted the Common File Format (CFF) and Common

Encryption (CENC) for transmission of video, which lays the foundation towards a unified, online

video framework.

MPEG-DASH

MPEG’s Dynamic Adaptive Streaming over HTTP (MPEG-DASH), enables high

quality streaming of media content over the Internet delivered from conventional HTTP web

servers. It works by breaking the content into a sequence of small HTTP-based file segments and

encoding each one in a variety of different bit rates. As the content is played back by an MPEG-

DASH client, the client automatically selects from the alternatives the next segment to download

and play back based on current network conditions.

UltraViolet

Formed by the Digital Entertainment Content Ecosystem (DECE), UltraViolet (UV) is a digital

rights authentication and cloud-based licensing system. It allows users of digital home

entertainment content to stream and download purchased content to multiple platforms and

devices.

2.2. Towards a Scalable DRM Infrastructure

Separating the encryption from the DRM is an essential step in creating a large-scale OTT

infrastructure. It enables content service providers to effectively support a multi-DRM environment

from a single head-end and encrypting once.

This separation acknowledges the fact that, while there is broad agreement now that CENC

provides sufficient protection for video content, there will be different DRMs to suit varying device

platforms and service requirements. It means that specific DRMs can be deployed on particular

devices to satisfy the requirements of content owners.

The Common Encryption Scheme (CENC) specifies standard encryption and key mapping

methods that can be exploited by many key management systems. As a result, any given file can

be decrypted using different DRMs. The idea is similar to what the DVB achieved with Simulcrypt;

5/20

agreeing on a common encryption system and providing DRMs and Conditional Access (CA)

systems freedom in the key distribution method.

The CENC scheme operates by defining the common format for the encryption-related metadata,

which is necessary to decrypt the protected streams. It leaves rights mappings, key acquisition

and storage, and rules over DRM compliance, to the DRM system, or to the system supporting the

encryption scheme.

6/20

3. Content Security in End Devices

Pay TV service in a multi-screen environment needs to strike a delicate balance between the level

of protection and the ability to reach a wide and growing audience. DRM interoperability is a major

step in the right direction. However, there are additional security aspects that have to be taken into

account.

In the traditional Pay TV market, a STB is used to control content viewing. To achieve the maximal

security level, the CAS/DRM technologies have had a deep hardware anchor in the STB; part of

the memory access is restricted only to the DRM technology; secret keys are never exposed to

any 3rd party, to prevent the loading of malware on the STB any 3rd party software code has to

verified and signed by the CAS/DRM technology providers.

In an OTT environment, where the end clients are a wide variety of smartphones, tablet, PCs and

more, this approach is in most cases not viable.

3.1. Trusted Execution Environment (TEE)

One initiative designed to enhance the security of mobile devices by using a “hardware anchor” is

the Trusted Execution Environment (TEE). TEE is a secure area that resides in the main

processor of a smartphone, tablet, or any mobile device. It ensures that sensitive data is stored,

processed and protected in a trusted environment. The TEE's ability to offer safe execution of

authorized security software, known as 'trusted applications', enables it to provide end-to-end

security by enforcing protection, confidentiality, integrity and data access rights.

TEE has 3 main market applications, which are driving the technology’s adoption:

DRM

Video consumption over smartphones and tablet

devices is soaring. Content service providers,

seeking to capitalize on this market by delivering

premium content need to ensure the content’s

protection.

Mobile payment and mobile banking

Security measures are critical in mobile payment and

mobile banking applications. It is necessary to

ensure that no software application has access to or can log the PIN code entry or screen activity.

7/20

Bring your own device (BYOD)

As more and more employees bring their devices to work, access to highly confidential corporate

information over the corporate Intranet may be compromised. New measures are required to

guarantee security and prevent unauthorized access.

TEE based products will be commercially available in 2013. At this point, it will be possible to

download a DRM agent on smartphones and tablets that leverage a TEE to enhance security.

However, like all new technology, it will take time for TEE to gain significant market share.

8/20

4. Unification in the Face of Diversity

Today, multi-screen DRM systems need to address multiple DRM applications and file types,

operating across a wide range of client devices. In order to comply with content owners’

requirements for OTT distribution, new, advanced content & device management features must be

addressed.

The DRM system needs to be aware of

The robustness limitation of each device

The number of devices associated with a single household

How the content is accessed (at home, outside, abroad)

The number of concurrent steams and/or downloads for an asset

The authorized device set for an asset

Armed with these new business capabilities, content service providers will be able to enforce the

business rules required by content owners. It empowers providers to enforce specific rules and

limitations based on specific device and content scenarios.

Here are 3 different examples of business rules affecting content, users, devices and the delivery

network:

In order to successfully secure and manage the rights of premium content in an OTT environment,

the DRM solution needs to broaden its scope. It needs to effectively store content, user and device

related information and implement the relevant, cross functional business rules. Furthermore, the

DRM solution needs to have built in support for the emerging standards including MPEG-DASH,

UltraViolet and TEE in order to ensure future compliance with content protection requirements.

Stream HD content on a STB but not on

tablet or PC

VOD can only be streamed once to a device associated

with the household

VOD has to be viewed at home over the Wi-Fi

network

9/20

5. VO Unified Service Platform

As highlighted in the previous section, DRMs in a multiscreen environment shall not be limited to a

set of compliance and robustness rules, they need to evolve in order to encompass content

management and device management.

Viaccess-Orca DRM is part of the company’s Unified Service Platform, which is based on 4 main

systems: Content Management, Business Management, Content Security and Content Discovery

& Personalization. The DRM is an inherent part of Content Security and will be discussed in detail

in the following sections.

However, the 3 other systems have key roles in implementing the business rules and storing

related user and device information.

Content Management – During the

content publishing and delivery, the

VO Content Management solution

implements relevant business rules;

ensuring that users gain access only to

content that is allowed on their device

type. The solution also helps to

enforce content owner requirements

regarding the number of concurrent

devices, license period and the

number of allowed views/downloads.

Business Management – This system

stores the information regarding the

number of household members and

the associated devices. This

information is provided to the Content

Management and Service Delivery

Platforms, enabling them to comply with the imposed rights management requirements.

Content Discovery & Personalization – This system is not directly involved in enforcing the

content owner’s business rules. However, it empowers content service providers to provide a

superior customer experience and avoid disappointment. By cross-checking content

recommendations with the rights management business rules, VO Content Discovery &

Personalization solution ensures that the customer will be able to consume the recommended

content on the specific device.

VO’s Unified Service Platform combines best-of-breed business and security solution into a single

pre-integrated platform. With flexible business models, support for business rules and scalability,

10/20

the solution is designed to help content service providers meet the challenges of delivering live

and on-demand Pay TV services to multiple screens operating in an OTT environment. With the

VO Unified Service platform, providers can launch OTT services such as live TV, Video on

Demand, Catch-up services and Subscription VOD.

11/20

6. VO Security Paradigm

Piracy represents a constant threat for Content Providers’ revenue. Protecting premium content

against increasingly skilled hackers who always deploy new forms of piracy requires state-of-the-

art security mechanisms, a secure implementation and a sound piracy management approach.

There are 3 main types of piracy threats that deal with illegal access to protected, distributed

content:

Application Cloning/Emulation

DRM Keys illegal access and redistribution

Protected Content illegal redistribution

With over 20 years of experience in the Conditional Access and Digital Rights Management

business, VO has created a 360° security strategy that takes into account the diversified

environment and varying levels of achievable device security.

Hardware based content protection and secure implementation on devices (protection

against reverse-engineering, tampering, DRM key protection, secure audio/video path,

secure boot…)

Secure application (including the player)

Secure device identification

Secure license delivery

Support of Multiple DRM standards (PlayReady, VO DRM)) in compliance with

ISOBMFF standard and the Common Encryption CENC scheme

On-going security service for piracy monitoring and analysis

Design and deployment of countermeasures and security solution updates.

12/20

7. VO DRM Architecture

As discussed in the previous section, the VO DRM architecture employs several parts of the VO

Unified Service Platform. It delivers content protection and enforces the required business rules,

while operating in diversified environments, multiple DRMs and file types.

Licensing

VO’s solution uses a multi-DRM licenser that supports both Microsoft PlayReady and VO DRM.

This approach provides a single licensing module that provides DRM licenses for Microsoft based

devices such as PC’s and XBOX running Microsoft PlayReady, as well as set-top-boxes, tablets

and smartphones running VO DRM.

Since the VO DRM is fully interoperable with Microsoft PlayReady, the same content can be

played on PlayReady enabled devices or VO DRM enabled devices.

13/20

ABR technology

VO DRM supports MPEG-DASH adaptive bit rate (ABR) technology, which is the first industry

standardized ABR protocol. MPEG-DASH uses a common encryption scheme “CENC” that enable

the content to be encrypted once. The encrypted file can be decrypted by any DRM technology

that supports CENC.

VO DRM is also fully compatible with Microsoft SmoothStreaming and the PIFF file format.

Content service providers that have already invested in equipment and content preparation can

reuse their ‘already packaged’ content to offer VOD services for smartphones, tablets and STBs.

Live TV security

VO DRM addresses specific, live TV security requirements imposed by regulators and premium

Pay TV channels. It supports key rotation (live content encryption keys are changed on a regular

basis; minutes, hours, days) in order to maximize the security level. In accordance with

government regulations, VO DRM also supports parental control.

Multi-level device security

VO DRM is available in different implementations that leverage on what it is possible to do on the

device to provide the maximum level of robustness.

14/20

Enabling deployed hybrid STB with premium “OTT” services and content

A great number of STBs already deployed support an IP connection. For Pay TV operators, it is an

asset on which they could leverage to launch VOD, catch-up services.

However in order to provide the highest level of security, it is necessary that the DRM technologies

to be downloaded on STB relies on a hardware root of trust.

Most of STB with Viaccess-Orca conditional access system have secure chipset that have been

personalized with Viaccess-Orca’s keys. This will allow Viaccess-Orca to upgrade the STB with its

VO DRM agent and enable Pay TV operators and service providers to deploy their VOD, catch-up

services will benefit from the highest level of security.

15/20

8. Security Adapted to the Device

VO’s solution offers the maximal security based on the client platform. The solution addresses 3

different types of client environments:

STB with the secure chipset (legacy Pay TV deployed STBs, or new OTT boxes),

a secure software player on Mobile/smartphone running on Android or iOS when a Trusted Execution Environment (TEE) is not available,

A secure software trustlet installed on a TrustZone based TEE on tablet/smartphone running on Android.

8.1. VO DRM for STB

VO’s DRM solution for STB clients is based on a secure, VO-approved, chipset, which includes

secure boot and secure audio/video path. As the evolution of the Viaccess-Orca CAS agent, it can

be easily and securely deployed on existing, legacy STBs using Viaccess-Orca CAS.

The secure chipset contains individualized, unique secret-keys that are programmed during

chipset serialization process at the production stage. It also contains a public, VO signature key,

which is used in the STB secure boot verification process. This is the foundation for the

establishing a ‘root of trust’ in the authentication chain. With this base, each sensitive software

application is securely signed prior to being downloaded to the STB.

In case of an ISOBMFF ES stream, the encrypted stream will be deciphered in buffer mode using

AES decryption capabilities of the coprocessor in the secure chipset. As a result, the DRM keys

are never exposed to the host CPU. Similarly, the secure Audio/Video path is also provided

through the HW based implementation and the Audio/Video buffers are never exposed to the host

CPU in clear mode.

The secure chipset and STB design are reviewed and verified as part of the VO approval process.

This process examines all the debug ports to make sure JTAG and other such ports are securely

closed and the output control protection policy (for example HDCP for HDMI ports).

VO’s DRM for STB is a high-security solution based on a robust hardware-based implementation,

a secure chipset with state-of-the-art security methodologies. It is similar to the CW protection

schemes provided by traditional CAS mechanisms.

We illustrate in the following table the attack factors that would require getting illegal access to

DRM keys and critical security parameters together with the security mechanisms in place to

mitigate such attacks.

16/20

8.2. VO DRM for TEE-based Mobile Devices

VO’s DRM solution for TEE-based mobile devices relies on the secure TEE environment to

execute the VO DRM Agent. The solution leverages the secure APIs provided by the TEE for

secure storage of DRM keys and critical security parameters. Secure audio/video path and output

control protection functions are also enabled through the chipset’s secure APIs.

Additional mechanisms, such as hardware based secure boot, are integrated to enable the end-to-

end authentication chain-of-trust for all sensitive, embedded software or rooting detection. In this

manner, the secure player is also protected against rooting attacks and is able to continue working

in such hostile conditions.

VO’s DRM for TEE-based mobile devices is part of a comprehensive DRM solution. In the case of

an attack, the security service provides selective disabling for any device, which has been

compromised. As part of the recovery path, it also supports a version upgrade and service

reactivation for the device.

We illustrate in the following table the attack factors that would require getting illegal access to

DRM keys and critical security parameters together with the security mechanisms in place to

mitigate such attacks.

Attacks

Time required: In the range of years for attack identification and exploitation

Equipment required: Professional test equipment used by the semiconductor industry

Level of expertise: Several hardware and software security experts

Security Level in place: Hardware Security Level including Chipset Security

mechanisms, secure boot, secure audio/video path, software security

17/20

8.3. VO DRM for generic iOS or Android devices

VO’s DRM solution for generic iOS or Android devices (without TEE) is based on a software

secure player. In such devices, hardware-based root-of-trust or hardware-hardening cannot be

achieved. However, by employing a set of anti-debug and anti-tampering mechanisms together

with code and data obfuscation techniques the VO DRM Agent code, associated keys can be

protected. As a result, sensitive data confidentiality and integrity can be enforced.

Device-bound key material is derived at run time from various device dependent parameters,

software integrity mechanisms and cryptographic integrity checks on the secure player code itself.

This approach provides Anti-Tampering protection. VO’s DRM solution also provides the

necessary security parameters for the output control protection and enforcement.

In case of device rooting or jailbreak, VO’s DRM solution detects if the user has gained a root

access and applies restrictions on the service and content playback.

We illustrate in the following table the attack factors that would be required to get illegal access to

DRM keys & critical security parameters together with the security mechanisms in place to

mitigate such attacks.

Attacks

Time required: In the range of year for attack identification and exploitation

Equipment required: Reverse Engineering Software tools, Hardware equipment

Level of expertise: Hardware and Software Security experts

Security level in place: Hardware Security level including TEE hardware and software

security mechanism, secure boot, secure audio/video path.

18/20

8.4. Continuous Security

Piracy is and will remain an unfortunate aspect of Pay TV services. The OTT environment only

compounds the complexity of revealing and dealing with occurrences of piracy.

With over 20 years of experience in securing video content, Viaccess-Orca has adopted a 360°

Security solution for content service providers. In addition to the DRM solution, VO provides an on-

going security monitoring service, which consists of screening relevant forums and collecting

information from the field about piracy situations in deployed VO platforms across the globe.

At VO, we value our on-going partnership with our customers as we strive together to combat

piracy and content theft. To achieve transparency and productive collaboration, the information we

gather is shared regularly in targeted committees and through regular security update letters.

In case of a potential security breach in the field, Viaccess-Orca investigates the piracy situation.

Together with the provider’s team, appropriate countermeasures and action plans are established.

If the situation directly impacts the VO DRM system, Viaccess-Orca provides software renewal

plan together with relevant security services.

Indeed, in case of compromised devices, a security service allows selective disabling of

compromised devices, and the necessary upgrade of the version to recover from an attack.

Attacks

Time required: In the range of months for attack identification and exploitation

Equipment required: Reverse Engineering/Debugging Software tools

Level of experts: Software security expert

Security level in place: Software security level including Software anti-debug and anti-tampering

security mechanisms, code and data obfuscation and integrity checks mechanisms

19/20

9. Acronyms

ABR Adaptive Bit Rate

CA Conditional Access

CAS Conditional Access System

CENC Common Encryption

CFF Common File Format

CPE Consumer premises equipment

DASH Dynamic Adaptive Streaming over HTTP

OTT Over The Top

STB Set top box

TEE Trusted execution environment

20/20

10. Reference documents

# Title Reference Version

R1. ISO/IEC 23009-1:2012(E) - Dynamic adaptive streaming over HTTP (DASH) — Part 1:

Media presentation description and segment formats

R2. ISO/IEC 23001-7:2012 - MPEG systems technologies -- Part 7: Common encryption in ISO

base media file format file

R3. ISO/IEC 14496-12:2012 - Coding of audio-visual objects -- Part 12: ISO base media file

format

R4. ISO/IEC 14496-14:2003 - Coding of audio-visual objects -- Part 14: MP4 file format

R5. ISO/IEC 14496-1 5:2010 & ISO/IEC 14496-15:2010/Amd 1:2011 - Coding of audio-visual

objects -- Part 15: Advanced Video Coding (AVC) file format