
www.irdeto.com © 2017 Irdeto. All Rights Reserved.

Last modification: 9-06-2017 / 02:45 PM GMT+01:00

White Paper

KEYS & CREDENTIALS: THE LINCHPIN TO SUCCESS FOR PAY TV SERVICE PROVIDERS

Irdeto’s Security Asset Management Platform overcomes a major impediment to premium service expansion.


EXECUTIVE SUMMARY

As pay TV service providers strive to maintain their “must have” status in the fast-evolving premium service marketplace, nothing is more vital to success than establishing a foundation for securing content that maximizes their flexibility to deliver what customers want.

Until now, service providers could incrementally add operational support for the security processes that are essential to extending premium services to ever more devices. However, conditions have now reached a point where a new solution is called for. This document explains how these new operational challenges are taxing the resources of even the largest pay TV service providers and describes a new approach operators can take to alleviate this burden.

Specifically, the solution proposed here is the Irdeto Keys & Credentials (K&C) service, which frees the operator from the encumbrances of managing security across a vast and expanding ecosystem of devices. K&C is an important development in premium service operations that allows operators to cost-effectively achieve their service goals no matter how daunting the security management requirements become over time.

The need for such a solution is clear. Not only are manufacturers of unmanaged IP-connected devices pumping out new products at an accelerating pace, the range of security processes tied to specific device types, subscriber authentication, home network security and much else is expanding as well. Moreover, pay TV providers’ efforts to free themselves from reliance on set-top boxes and other managed devices controlled by legacy suppliers of conditional access (CA) systems and their OEM partners have shifted responsibility for core chip-level security provisioning from OEMs to the operators themselves.

At the most fundamental level, operators must be able to implement an operator-controlled root of trust that allows them to have the control necessary to provision whatever conditional access (CA), digital rights management (DRM), authentication processes and other security measures may be required to deliver premium content to a given device. In the case of managed devices such as operator-supplied set-tops and media gateways, operators must be able to securely generate and provision a root of trust into chipsets during the manufacturing process.


At the same time, for unmanaged devices they must be able to generate and provision roots of trust in whatever ways are dictated by the CE manufacturers or by doing what is possible using the exposed features of the device.

Once an operator-controlled root of trust is in place, service providers must be able to provision additional security layers and content protection technologies. This will involve working with third party CA, DRM and other suppliers to ensure that encryption keys, subscriber authentication keys and metadata, usage policies and other security assets are provisioned accurately and securely. And beyond the production and provisioning of these security assets they must be able to retain exclusive control over these assets through their entire lifecycles with the ability to update or revoke and replace them as conditions require.

These trends are mandating a much more comprehensive and efficient approach to security management than service providers have undertaken so far. With Irdeto’s K&C Managed Service, they now have recourse to a solution that frees them to focus on the service innovation and execution essential to maintaining their competitive edge. And because K&C is operated as a completely vendor-neutral platform, operators retain total freedom to choose their suppliers of CA, DRM and other security products.

K&C employs high-security facilities, advanced cryptography and a team of experts in security management and service provider operations to deliver a broad set of managed services, solutions and processes supporting the requirements of a next-generation security management system. Leveraging Irdeto’s nearly 50 years of experience as a global leader in content security, K&C allows operators to benefit from the efficiencies of a shared-cost infrastructure with assurance that each company’s security requirements and its relations with vendors are tailored to their unique needs with full insulation from all other companies’ security operations.


TABLE OF CONTENTS

Executive Summary 2

The new security asset management imperative 5

Securing set-tops and media gateways 6

Securing unmanaged devices 7

Managing security relationships common to all types of devices 8

Irdeto Keys & Credentials 9

Keys & Credentials architecture and functions 10

Ecosystem management 11

Security asset management 11

Managing new security requirements 14

The experience that makes Keys & Credentials possible 14

Conclusion 15


THE NEW SECURITY ASSET MANAGEMENT IMPERATIVE

The ability to deliver high value services with premium content and innovative features to subscribers wherever they are has now become a fundamental component of operator strategies worldwide. Operators realize that failure to do so is to concede to OTT competitors the opportunity to serve the growing tide of consumers who are accessing long-form, professionally produced video via broadband IP-connected devices.

Not surprisingly, according to a recent survey of pay TV service providers conducted by Informa, service innovation is now the top priority of 65% of operators worldwide, which means they must free themselves from the restrictions on applications, features and service reach imposed by legacy set-tops and headends. But in order to bring an ever-expanding range of devices into their premium service ecosystems, operators must have the means to efficiently provision and manage whatever security mechanisms are required to authorize and sustain the use of any given device for subscription TV access.

This is a daunting task. To accomplish these requirements operators must be able to:

Provision and manage multiple types of security assets

While historically pay TV operators only had to focus on the security of the CA-based content delivery system, today their services involve other content protection and security technologies. This may include subscriber authentication, DRMs, link protection and other measures. These security technologies require keying material and other security assets to be persistently operational and updated to accommodate new advancements.

Inter-operate with all ecosystem players

Overseeing encryption key production, provisioning and lifecycle management for all the security applications intrinsic to different device types requires an ability to manage relationships with a wide variety of SoC manufacturers, OEMs, software system suppliers and licensing authorities. Each step in the key provisioning and security upgrade processes associated with these interactions must be rigorously secured in accord with established industry practices.

“Service innovation is now the top priority of 65% of operators worldwide.”


Provide full lifecycle support for all security assets

Operators must also be able to manage each security asset through its entire lifecycle, for as long as it is part of the premium service ecosystem. This requires an ability to support security upgrades at all points in the management ecosystem, down to each device on the network. Operators also need to support revocation and replacement of security assets in rapid response to system breaches wherever they may occur. And to accomplish all this they must be able to maintain comprehensive analytical records of the end-to-end performance of all security-related processes.

Accommodate all variations in DRM and modes of provisioning for managed and unmanaged devices

Complexities are compounded by the different procedures required for managing security assets for managed devices (i.e., operator-controlled set-tops and media gateways) versus unmanaged devices (i.e., smartphones, tablets, laptops, smart TVs). In the case of managed devices, root of trust security associated with a specific operator can be implemented in the manufacturing process.

The breadth of devices introduces other complications for security management as well. Different classes of devices require different types of DRMs and the procedures required for implementing security on those devices vary from one model to the next.

Securing set-tops and media gateways

To speed the pace of innovation and gain other benefits from competition among STB and STB component vendors, pay TV service providers are taking aggressive action to end their reliance on integrated proprietary solutions that traditionally have locked them into deploying set-tops tied to whoever supplies the CA system. The fact that the security processes are tied to chipsets selected by the CA supplier limits operators’ flexibility to leverage innovation from multiple SoC (system-on-chip) suppliers.

In growing numbers operators worldwide are working with multiple SoC suppliers, OEMs and middleware vendors to define new types of controlled devices, including “headed” and “headless” media gateways conforming to modular architectures that tap best-of-breed innovation at all levels. Comcast, for example, has taken a big step in this direction by defining a gateway Reference Design Kit (RDK) to serve as a uniform communications layer by which SoCs interface with tru2way-compliant middleware components to execute CableCARD CA and QAM tuner mechanisms.


By licensing the RDK, major OEMs and SoC manufacturers have positioned themselves to compete with other suppliers within their respective domains while freeing themselves to work with multiple suppliers at other levels. But as pre-integrated tie-ins between SoCs, CA systems and set-tops and gateways give way to mix-and-match modularity, Comcast and other pay TV providers following this path are confronted with the need to take on the security management role that was once the purview of the OEMs and CA suppliers.

This means the operator must be able to work with each of its SoC suppliers at the core level: implementing the operator-controlled root of trust, the key material and identifiers that tie each chipset to the operator’s service domain. In other words, the operator must be able to generate, provision and maintain these security assets with assurance that the right values are installed on the right chipset at the factory, and that they are never exposed in transit or at the fab.

In tandem with these endeavors, operators must interact with OEMs to provision the corresponding key packages they can embed into their set-tops and gateways to work with the SoCs the operator has certified for each model. Here, too, tight security with all transfers is essential.

The emergence of set-tops and gateways that incorporate DRMs, link protection and other content protection technologies over IP compounds the problem and multiplies the security assets that need to be provisioned. These set-top boxes and services are often designed to transmit protected premium content over home networks to IP-connected devices. This brings the need for an operator-controlled root of trust and asset management into the other side of the device ecosystem, namely, uncontrolled IP-connected devices.

Securing unmanaged devices

Consumers around the world are increasingly watching content on unmanaged devices, such as smartphones, tablets and computers. Operators must be able to support these devices in and out of the home to compete. When it comes to security management in the unmanaged device realm, the distinguishing factor compared to security management of managed devices is that operators do not control the hardware. OEMs determine what SoCs to use, define their device system architectures and select the OS and, by extension, the mode of security to be used with protected content.

If operators want to maximize their service reach by bringing as many devices as possible into their domains, they must be able to match all their security mechanisms to the requirements of each device.


The details of how security is implemented on devices vary by OS, chipset and by generation, meaning that within any given OEM’s product line different models of smartphones or tablets can require different approaches to security. Other variations include the types of DRMs used or the means by which operators authenticate the devices.

For premium content, the platform-native DRM backed by a hardware root of trust is often required: Google Widevine on Android devices, Apple FairPlay on iOS devices and Microsoft PlayReady on Windows platforms. Across the full range of devices this means operators may need to support up to five major DRMs if they want to reach as many devices as possible.

Managing security relationships common to all types of devices

As operators introduce IP premium service capabilities to both managed and unmanaged devices, they must be able to work with multiple DRM licensing authorities, who are responsible for generating the encryption keys for each session so that the usage policies dictated by the content licenses and the terms of each user’s subscription agreement are enforced. Moreover, when it comes to setting up link protection for devices connected in the home, they must also work with the DTLA (Digital Transmission Licensing Administrator), the licensing authority that issues keys for DTCP (Digital Transmission Content Protection) support.

In addition, an arcane but important aspect of the key management process concerns the JTAG (Joint Test Action Group) debug ports that OEMs use to probe the inner workings of the hardware; left open after production, they give attackers a direct path into the device. Operators therefore need verified assurance, not merely a supplier’s statement, that these ports have been locked or permanently disabled at the end of the manufacturing process. Depending on how JTAG lock verification is arranged between the operator and its OEM suppliers, there may be instances where the operator must obtain and manage the JTAG unlock keys and passwords itself in order to perform that verification in-house.

“Operators must be able to support these devices in and out of the home to compete.”


IRDETO KEYS & CREDENTIALS

With so much riding on achieving an efficient way to manage security assets and all the relationships and processes essential to maximizing success in the multiscreen era, multiple major operators have engaged Irdeto to implement K&C for security asset management. K&C enables operators to take control of their platform and future by breaking vendor lock-in:

• Freedom of choice in partners and suppliers: K&C gives operators the freedom to introduce or switch to new technologies throughout the lifetime of managed devices (e.g., for CA, DRM, subscriber authentication).

• Time to market for new services: the cloud provisioning feature of the service enables operators to quickly respond to market developments by rolling out new and updated keys to devices already in the field.

• Future-proof STB with built-in flexibility: designing the K&C capability into the next-generation platform (e.g., PVR, UHD devices) from the start is the best way to future-proof the operator’s platform. Irdeto has agreements and processes in place with all major licensing authorities, STB and chipset providers. This means operators have a wide array of choices ready to go, reducing the time and cost needed to launch their platform and services.


[Figure 1, diagram rendered as text: the Irdeto Secure Keying Center sits between the Operator and the vendors (SoC, CA / DRM, Middleware, STB, OTT service provider). Labels: technology-agnostic for maximum flexibility; flexible provisioning options; management of all vendors; dedicated, secure production facilities; secure asset distribution across the complete key lifecycle.]

Keys & Credentials architecture and functions

Irdeto has positioned K&C to serve as the crucial intermediary between the operator, licensing authorities, OEMs, SoC vendors and the devices targeted for premium service distribution, streamlining execution of all the functions essential to end-to-end security management. As illustrated in Figure 1, Irdeto provides full support for all facets of security asset and ecosystem management that are required to support distribution of premium services to managed and unmanaged devices.

Figure 1: Irdeto Keys & Credentials for security asset and ecosystem management


Ecosystem management

Putting all these assets to use in commercial operation requires ecosystem management that coordinates security asset creation and provisioning across the entire supply chain. This requires integration of the operator’s security asset management system into the workflows of SoC suppliers and OEMs, along with the know-how to work with third-party licensing authorities and OS app stores. K&C also performs the monitoring and reporting required to track the performance of all processes in the supply chain, including reporting back to the service provider. Significantly, as described later, Irdeto goes beyond maintaining a blacklist of unreliable devices by also providing a “whitelist” that tells operators which devices carry the right pairing of SoC root of trust and key package. This ensures that only whitelisted devices can be introduced into the operator’s managed network domain.

K&C employs facilities, cryptographic technology and secure transfer mechanisms with capacity to provide support for multiple operators targeting multiscreen services to millions of subscribers. These highly secure regional facilities are staffed by cryptographic experts, data center operations technicians and ecosystem professionals dedicated to managing relationships with service providers, SoC vendors, OEMs, licensing authorities and other parties to the content protection processes.

Irdeto’s secure facilities follow a well-established governance model, including regular auditing of all processes, and comply with the rigorous requirements of ISO/IEC 27001, the ISMS (Information Security Management System) standard used to manage high-value assets throughout the IT community.


Security asset management

Through its asset management capabilities, K&C enables all the targeted device types to be part of the operator’s managed network. It supports control of security assets throughout their lifecycles, including production, provisioning, renewal and revocation.

To execute asset management requires a thorough knowledge of all security requirements for managed and unmanaged devices. K&C personnel have the necessary knowledge and technology to address security provisioning to unmanaged devices. On the managed device side, they have a deep understanding of the underlying security architectures of SoCs from multiple suppliers.

Managed device security processes

Resources are in place to support high-volume cryptographic generation of keys, along with aggregation of keys from third-party licensing authorities into key packages. This includes the processes associated with generating and transferring the root-of-trust keys and certificates that must be embedded in the chipsets that SoC vendors supply for set-tops and gateways on order from a given operator. As discussed earlier, these processes are vital to the flexible approach to managed device design that operators are implementing to free themselves from the traditional CA-set-top tie-in.

Factory provisioning:

• Embeds the operator root of trust onto the SoC.

• Deploys operator key packages onto the STB, locked to the operator’s root of trust.

• Enables the operator to manage devices through white and black lists.

Figure 2: Producing and provisioning keys

[Figure 2, diagram rendered as text: the Operator and the CA vendor on one side; the Irdeto Secure Keying Center and its partners on the other; service delivery to devices holding keys with a hardware root of trust.]


The process as shown in Figure 2 is as follows:

Step 1

Irdeto Secure Production Center generates SoC-specific personalization files and sends them securely to the SoC vendor. These files contain highly confidential, unique data which is securely stored into the SoC by the SoC vendor. How the data is securely stored differs among SoCs and is determined by Irdeto working closely with the SoC manufacturer. As part of the process Irdeto installs a secure server (blackbox) at the SoC foundry to which K&C securely delivers keys for direct injection into the chip at the point of fabrication. This ensures that the data is not compromised during transmission and is only accessible by authorized parties at the SoC vendor personalization center. The process establishes a root of trust that Irdeto can lock into when it generates the OEM key packages that will contain DRM keys, authentication keys and other key material required for the service provider to deliver premium video services to the STB.

Simultaneously, while working with the SoC vendor, Irdeto also generates a number of key packages which are cryptographically tied to the SoC personalization files. Irdeto, through its secure production facility, will generate the necessary keying material or securely import pre-generated keys from the required licensing authorities. The production center then builds the keys into unique and encrypted key packages which are transmitted in batches to the STB OEM.

Step 2

When the OEM produces an STB, it pairs the individualized SoC with the correct key package.

Step 3

The OEM delivers new STBs to the operator with the correct key packages incorporated. Throughout this process, Irdeto maintains a list of provisioned devices. This “white-list” is shared with the operator, who may choose to use it to ensure that only identified STBs are allowed to join the network.

It is important to note that the Irdeto blackbox and key provisioning process for managed devices is in no way linked to the root of trust process used by third-party CA systems. These roots of trust are created by the CA vendors as part of their relationships with the service provider and the chosen SoCs. The operator-controlled root of trust created by Irdeto functions at a parallel level for purposes of supporting the operator-specific environment for implementing all the security-related applications not related to the CA, as listed above.
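The three steps above, together with the whitelist from the ecosystem management section and the revoke-and-replace requirement from the lifecycle discussion, can be modelled end to end. The following is an added, constructed example written for this page; it is not Irdeto’s code and says nothing about Irdeto’s actual key-package format or how any SoC stores its root. Its assumptions: each chip gets a random per-chip root secret burned into OTP at the fab (the “personalization file”); the keying center and the chip derive per-chip wrapping keys from that root with HKDF-SHA256; the key package is encrypted and integrity-tagged under those keys, so an OEM that pairs a package with the wrong chip, or an attacker who alters it in transit, gets a rejection rather than keys; and the operator admits devices only from the keying center’s whitelist, which revocation updates. The stream cipher is an HMAC-in-counter-mode toy standing in for the AEAD (e.g. AES-GCM) a real keying center would use, and all identifiers and key material are constructed.

```python
"""Toy model of factory key provisioning: SoC personalization, per-chip key
packages, OEM pairing, and a provisioned-device whitelist with revocation.
Constructed example for illustration, not Irdeto's design or code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) with SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_package_keys(root: bytes, operator_id: bytes, chip_id: bytes):
    """Per-chip wrapping keys. Both the keying center and the chip compute these
    from the chip's root secret, so a package is useless on any other chip."""
    enc = hkdf_sha256(root, operator_id, b"key-package-enc|" + chip_id)
    mac = hkdf_sha256(root, operator_id, b"key-package-mac|" + chip_id)
    return enc, mac


def prf_stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a stream cipher: a toy stand-in for the
    AEAD (e.g. AES-GCM) a real keying center would use. Symmetric: same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


@dataclass
class KeyPackage:
    chip_id: bytes      # the SoC this package is locked to
    nonce: bytes
    ciphertext: bytes   # wrapped DRM / authentication keys
    tag: bytes          # binds operator, chip_id, nonce and ciphertext together


class KeyingCenter:
    """Step 1: personalization files for the SoC vendor, key packages for the OEM."""

    def __init__(self, operator_id: bytes):
        self.operator_id = operator_id
        self.chip_roots = {}   # chip_id -> root secret (the personalization file)
        self.whitelist = {}    # chip_id -> "provisioned" | "revoked"

    def personalize(self, count: int) -> dict:
        """Per-chip secrets the SoC vendor burns into OTP at the fab (assumed model)."""
        files = {secrets.token_bytes(8): secrets.token_bytes(32) for _ in range(count)}
        self.chip_roots.update(files)
        return files

    def build_package(self, chip_id: bytes, key_material: bytes) -> KeyPackage:
        enc, mac = derive_package_keys(self.chip_roots[chip_id], self.operator_id, chip_id)
        nonce = secrets.token_bytes(12)
        ct = prf_stream_xor(enc, nonce, key_material)
        tag = hmac.new(mac, self.operator_id + chip_id + nonce + ct, hashlib.sha256).digest()
        self.whitelist[chip_id] = "provisioned"   # Step 3: the list shared with the operator
        return KeyPackage(chip_id, nonce, ct, tag)

    def revoke(self, chip_id: bytes) -> None:
        """Lifecycle: a compromised or mis-paired unit is dropped from the whitelist."""
        self.whitelist[chip_id] = "revoked"

    def admitted(self, chip_id: bytes) -> bool:
        """Operator-side admission check: only whitelisted, unrevoked chips may join."""
        return self.whitelist.get(chip_id) == "provisioned"


@dataclass
class Soc:
    """A chip holding the operator root secret; it can unwrap only its own package."""
    chip_id: bytes
    root: bytes

    def unwrap(self, pkg: KeyPackage, operator_id: bytes) -> bytes:
        if pkg.chip_id != self.chip_id:
            raise ValueError("key package is labelled for a different chip")
        enc, mac = derive_package_keys(self.root, operator_id, self.chip_id)
        expected = hmac.new(mac, operator_id + pkg.chip_id + pkg.nonce + pkg.ciphertext,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, pkg.tag):
            raise ValueError("key package not bound to this chip, or tampered with")
        return prf_stream_xor(enc, pkg.nonce, pkg.ciphertext)


def demo() -> dict:
    """Runs the three steps plus the failure cases and returns the outcomes."""
    operator = b"OPERATOR-EXAMPLE"                  # constructed identifier
    center = KeyingCenter(operator)
    files = center.personalize(2)                   # Step 1a: personalization files
    chips = {cid: Soc(cid, root) for cid, root in files.items()}  # SoC vendor burns roots
    cid_a, cid_b = list(files)
    keys_for_a = b"CONSTRUCTED-DRM-DEVICE-KEY-0001"  # stands in for real DRM keying material
    pkg_a = center.build_package(cid_a, keys_for_a)  # Step 1b: package shipped to the OEM
    results = {"unwrap_ok": chips[cid_a].unwrap(pkg_a, operator) == keys_for_a}  # Step 2
    # OEM mis-pairing: A's package relabelled as B's and installed on chip B
    mispaired = KeyPackage(cid_b, pkg_a.nonce, pkg_a.ciphertext, pkg_a.tag)
    try:
        chips[cid_b].unwrap(mispaired, operator)
        results["mispair_rejected"] = False
    except ValueError:
        results["mispair_rejected"] = True
    # Tampering in transit: one ciphertext byte flipped
    damaged = bytearray(pkg_a.ciphertext)
    damaged[0] ^= 0x01
    try:
        chips[cid_a].unwrap(KeyPackage(cid_a, pkg_a.nonce, bytes(damaged), pkg_a.tag), operator)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    # Step 3 whitelist: A provisioned, B never packaged, then A revoked
    before = (center.admitted(cid_a), center.admitted(cid_b))
    center.revoke(cid_a)
    results["whitelist"] = before + (center.admitted(cid_a),)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of deriving the wrapping keys from the chip root rather than shipping them alongside the package is that the OEM never needs, and never sees, anything that would let it open a package or move it to another chip; the pairing either works on the intended SoC or fails closed. Running `demo()` returns `unwrap_ok`, `mispair_rejected` and `tamper_rejected` all true and `whitelist == (True, False, False)`.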


Managing new security requirements

It should be noted that the expansion of multiscreen pay TV service to encompass delivery of the full complement of high-value live and on-demand HD content to all types of uncontrolled devices poses new security challenges. When it comes to adding new security approaches, K&C aims to be technology-agnostic, working to manage whatever underlying security systems an operator might choose. Irdeto is a partner that operators can turn to for customized solutions and managed services built to address the operator’s unique challenges.

The experience that makes Keys & Credentials possible

Irdeto is uniquely positioned to meet operators’ needs for a comprehensive K&C Managed Service, not only by its long history as a supplier of advanced security products, but also because it has taken a leading global role in providing various types of managed security services to chipmakers, OEMs, content owners, anti-theft alliances and other entities as well as network service providers. As a result, Irdeto has amassed invaluable experience as a neutral third-party integrator and supplier of theft monitoring and protection services, regardless of whatever specific proprietary CA, DRM and other security systems are in play.

Irdeto has also taken a leadership role in working with SoC vendors by developing processes that support integration of its CA system with chipsets. This entails the type of high-security transfer and integration support processes that are intrinsic to the capabilities Irdeto is offering through its K&C platform.

In addition, Irdeto has engaged with many SoC and OEM vendors to provide the types of managed services embodied in the K&C platform. With this managed security model in operation across the supplier community, the groundwork has been laid for operators to transition to the K&C model without having to engage in complex negotiations or to educate SoC and OEM vendors on the processes involved.


CONCLUSION

The complexities of managing security for multiscreen premium services have reached a point where the burden of meeting these requirements through an in-house operation can restrict service providers’ ability to grow their services on a scale commensurate with market demand. Given the pace of CE product development and the requirements for ever more rigorous security now emerging with the addition of ever more high-value content to the multiscreen service stream, the climb will only get steeper for service providers in the months and years ahead.

Moreover, there’s no way to know what the security requirements will be a few years hence. Not only will operators need to keep up with the increasing security requirements and outpouring of new devices; they cannot be assured that the processes and infrastructures they are putting in place now will accommodate future security modes and methodologies.

By entrusting this crucial aspect of their operations to Irdeto’s K&C Managed Service, several tier 1 operators around the world have freed themselves to pursue service innovation and expansion without having to overcome the operational impediments of maintaining an in-house security asset management system. By leveraging the shared facilities of this hosted platform, K&C customers have cut operations costs while benefiting from the expertise of professionals with long experience in a realm that is new to their own personnel.