unleashing content’s potential · conditional access tv middleware customer care & billing...

Unleashing Content’s Potential

Sony Pictures Entertainment & Sony ElectronicsIrdeto Confidential & Proprietary under NDA

August 7, 2012

1

©2012 Irdeto, All Rights Reserved.www.irdeto.com

Agenda

� Irdeto Overview

� ActiveCloak Overview

� Critical Ecosystem Security Attributes

� Proposed Solution

2

Irdeto Overview


2 Billion+ devices secured

1000+ employeesPart of $5+B Naspers

454 customers

571 patents522 patents pending

Transforming Digital Security

Irdeto is a world leader in content security and piracy management for digital TV and online pay media

4

Digital Content Security is our Business

5

SECURITYTECHNOLOGY

Security Breadth


Irdeto International

6

San FranciscoSan Francisco

HeadquartersAmsterdam, NetherlandsBeijing, China

San Francisco, USA

AmsterdamAmsterdam

BeijingBeijing

25 officesaround the globe


Part of $5+ Billion Multimedia Conglomerate

7

8

Focus: Unleashing Content’s Potential


Our Market Segments

9

PAY TV AND ONLINE OPERATORS

CONTENTOWNERS

ECOSYSTEM ENABLERS

Irdeto is helping its customers evolveand transform their businesses

Irdeto is helping its customers evolveand transform their businesses


Serving the World’s Best Brands

10

EMEA APACAmericas

ActiveCloak Overview


Irdeto Solution Portfolio

ActiveCloak™

for Media

ActiveCloak™

for

ePublications

ActiveCloak™

for Applications

ActiveCloak™

for Blu-ray

Irdeto Online

Broadband Content Management

Publish, Control, Monetize

Any Content to Any Device, Any Time

Conditional

Access

TVMiddleware

Customer Care

& Billing

Irdeto Digital TV

Customer Central -360°Customer

Visibility & Control

Basic & Advanced Solutions from Zapper to HD PVR & IP VOD

Industry-leading Smart Card and Cloaked CA security

End-to-End Solution

Anti-Piracy ServicesForensic marking, content tracking, enforcement, business

intelligence and monetization





12

TraceMark and Irdeto Intelligence


Solutions to address the advanced video-delivery scenarios requested by operators today:

� Delivering content securely to relevant consumer devices

� Solutions may be hosted (ASP model) or licensed as product

Home Networking(Device to Device)

Over the Top(Cloud to Device)

13

ActiveCloak Media


ActiveCloak Media Ecosystem

� ActiveCloak for Media enables a broad content ecosystem

� Over 500 customers, 600M users, globally

� Ranked 3rd DRM provider by ABI Market

Research behind Google & Microsoft

� Endorsed by all major studios, distributors

� Supports multiple DRMs and content formats

� Used in an Emmy Award winning app

� SDKs available for iOS, Android, Linux, Windows and Mac

Irdeto continuously works with its operator customers and partners to push the envelope with advanced content services for consumers

14

Critical Ecosystem Security Attributes


Critical Ecosystem Security Attributes

� Accountability and Control: Trust Authorities

� Certifies the end-to-end security of part of the ecosystem

� Few enough to ensure complete coverage

� Able to certify, audit, revoke and renew (forced update)

� Support for multiple without burned in key dependence in hardware

� Proof of Purchase

� Tie ability to playback a monetary event by binding to physical identity

� Close association with a consumer or consumer data means less sharing

� Robust Forensic Marking

� This is critical to be able to respond to attacks

� Tied to consumer identity, resistant to collusion

� Anchored in secure hardware; but that’s not enough (it will be broken)

� Renewability

� Things will be broken, must be able to respond, best have a backup in between

� To be effective boundary must be flexible

� Diversity

� Prevent against ecosystem or class based breaches

16

Enhanced Security Proposal


Enhanced Security Proposal

� Accountability and Control: Trust Authorities

� Certifies the end-to-end security of part of the ecosystem

� Few enough to ensure complete coverage

� Able to certify, audit, revoke and renew (forced update)

� Support for multiple without burned in key dependence in hardware

� Responsibility and Capability: Enhanced Security Providers

� Rooted in hardware security, stronger through combination

� Secure platform software resilient to hardware compromise; with fallback

� Create diversity where hardware creates small attack set

� Robust forensic marking

� Diversity and Renewability: Self Protecting Digital Content

� Enhanced from teachings of BD+

� More flexible, more secure

� Anchored in hardware root of trust

� Associate devices with monetary event: Proof of Purchase

� Online activation bound to the physical device allow monitoring and control

18


Key Differences from BD+

� Not a self-regulated system: Trust Authorities

� Platform protected key mgmt and video path

� e.g. GPUCP with Secure GPU execution, ARM TZ, proprietary secure

kernel and playback environment

� Access to resources from virtual machine to allow adaption to changing landscape of attacks (e.g. video device drivers, kernel system tables, physical memory map)

� Virtual machine protected by hardware cryptographic anti-emulation

� Robust forensic marking

� Supports distribution (server) based forensic marking

� Allows the most robust client-side forensic marking due to hardware anchor

� Forensics as a fundamental system design goal will limit constraints

� Online activation allows forensic source data to evolve over time

� Proof of purchase (online activation)

� Allows binding of content key to secure device

19


Benefits of a Trust Authority

� Manages content security obligations between parties in the ecosystem

� Content Providers

� Enhanced Security Provider

� DSP/LASP

� Devices

� SoC Manufacturer

� Content Providers have fewer 3rd parties to negotiate content security requirements

� No need for ambiguous C&R rules as the Trust Authority takes responsibility for ensuring that content security is implemented properly throughout the ecosystem

� Certificates are downloaded from the Trust Authority based on the hardware root of trust and a secure Identity, Capability and Integrity software component assertion

20


Benefits of Enhanced Security Provider

Low Barrier to Adoption

� Low cost to device manufactures

� Pre-integration with SoC Manufacturers

� Ongoing management of security issues

� The ESP provides Security Clients

� The ESP provides Ecosystem Monitoring and Security Updates

21


Trust Authority & UV Ecosystem Example

Content Provider

Content, Keys &

Policy Data

CertifiedDeviceCapability

Device SRM

• ContentFulfillment

• ES License Request

• Device Attestation

• ES Credentials• Content Distribution• ES Content License

Proposed

Existing

(Enhanced Security)

DSP / LASP

(Enhanced Security)

Device

Trust Authority

SoCManufacturer

Retailer

CertifiedSoCCapability

New

Existing

Enhanced

Security Subsystem Implemented by ESP

22


Benefits of Self Protecting Digital Content

� Content code delivered with media or during online activation

� Allows media to authenticate and verify playback environment

� Allows playback environment to verify content code

� Protects content beyond simple encryption

� Can be applied to media itself or license data (content keys)

� Dynamic content code makes protection diverse and renewable

� Online activation + license focus far less constrained than BD+

� Extended VM available from software Conditional Access system

23


Android/ARM Example Architecture

DRM Core Functions

Operator UI

Media FrameworkSecure Kernel

Agent

Hardware Capability

Robust, Renewable Component

Memory Protections

Video Decode

Output Protection Render

Device ID

Secure OS, Root of Trust, DRM IDs

AndroidOS

ARM TZ

ARM SoC

Secure OS

Content Code VM + Media Transforms

Watermarking Services

Identity, Capability & Integrity Attestation

Cryptography

Video Memory Protections

Rich OS component

24


Content Code

Security Boundary

Enhanced Security Proposal Overview

25

Physical Media

Online Server

Content CodeCapability & Integrity Verification

VMSecured In Hardware

Secure Hardware

Per-Instance

Watermark Content

[delivery or read]

Proof of PurchaseChallenge-ResponseAllows content code to unlock licenseMuch less constrained than BD+

Provider-independent mechanism to download private keys

Content Code in media or delivered onlineMutual verification between content codeand VM secured in hardwareTranscryption possible (even cipher can change)(Content Key)E public, also challenge-response

Trust AuthorityCertify, Audit, Monitor,

Revoke, RenewDevice Assertion

Encrypted contentPublic key

Irdeto Technology


Key Irdeto Technology

� Ecosystem certification� Existing STB certification processes

� Trust Authority independent keying� BNetZa & ETSI standardization� Does not require knowledge / sharing between them

� Self-protecting digital content� Protecting licenses rather than content� Online activation + license focus make this far less constrained than BD+� Extended VM available from software Conditional Access system

� Identity, Capability & Integrity Assertion� Ability to test and trust hardware

� Secure Platform� Secure Kernel Agent for Linux systems (including Android)

� Proof of Purchase� For online download and physical media

� Irdeto Intelligence� Existing detection and response services� Linked with session based forensic video marking

� Session based forensic video marking� statistical methods improve robustness and mitigate against collusion; must introduce enough

noise to be effective; must be invisible� Image mark vendor independent

� ActiveCloak Media� secure, multi-DRM client-server solution

27

Thank you!

28

unleashing content’s potential · conditional access tv middleware customer care & billing...

Documents