Premium Video Services for a Multi-Screen Environment

White Paper
Premium Video Services for a Multi-Screen Environment –
The DRM & Business Logic Requirements
Les Collines de l’Arche, Tour Opéra C, 92 057 Paris La Défense Cedex, France
Phone:+33 1 44 45 64 65 – Fax: +33 1 44 45 64 80 –
CONFIDENTIAL – This document is the intellectual property of Viaccess-Orca. It is stricly confidential; any copy is forbidden.
1. Multi-Screen Environments – TV Everywhere
In today’s always-on, connected world, TV content is no longer consumed only on traditional
Television sets. Connected devices, such as tablet PCs, smartphones and more, enable users to
consume over-the-top (OTT) video content anywhere and anytime.
The underlying video delivery infrastructure is forced to expand beyond traditional closed,
managed networks to vast, unmanaged ones. In this diversified, open environment, delivering
premium live and on-demand video services poses a number of serious security & protection
challenges for content service providers and Pay TV operators.
Rights Management Driven Business Logic
In order to fulfil contractual obligations with content owners in a multi-screen environment, new
types of business rules need to be added to the solution. The new business logic will regulate;
how many concurrent streams can be played in a family and the type of content allowed for each
device type of according to the device’s intrinsic security level.
Content Security Now & Over Time
Content service providers also face the challenge of securing premium content over time across a
wide variety of open client devices. As part of this on-going effort, providers will need to monitor
pirate activities and effectively manage security upgrades. While this has always been a challenge
in Pay TV distribution, it is now greatly amplified with the dramatic increase in device types
operating over open, unsecured networks.
Device diversification
Today, providing TV Everywhere services often means providing support for multiple Conditional
Access (CA) and DRM standards. The specific type of CA/DRM depends on the client device.
Microsoft based devices such as PC’s and XBOX are secured by running Microsoft PlayReady.
Set-top-boxes, tablets and smartphones will be configured to run vendor specific (e.g. ViaccessOrca) CA/DRM. At present, content service providers need to cope with multiple DRM
configurations and content packaging.
2.1. Standardization Trends
The industry is moving towards a set of common OTT standards for streaming, encryption and file
structure that will help support different DRMs in future. The objective is to enable operators to
encode and encrypt content just once for distribution and playback across all the target devices
they may want reach in a TV Everywhere deployment.
There are two parallel and complementary standards movements driving the convergence trend;
MPEG-DASH and UltraViolet. Both have adopted the Common File Format (CFF) and Common
Encryption (CENC) for transmission of video, which lays the foundation towards a unified, online
video framework.
MPEG’s Dynamic Adaptive Streaming over HTTP (MPEG-DASH), enables high
quality streaming of media content over the Internet delivered from conventional HTTP web
servers. It works by breaking the content into a sequence of small HTTP-based file segments and
encoding each one in a variety of different bit rates. As the content is played back by an MPEGDASH client, the client automatically selects from the alternatives the next segment to download
and play back based on current network conditions.
Formed by the Digital Entertainment Content Ecosystem (DECE), UltraViolet (UV) is a digital
rights authentication and cloud-based licensing system. It allows users of digital home
entertainment content to stream and download purchased content to multiple platforms and
2.2. Towards a Scalable DRM Infrastructure
Separating the encryption from the DRM is an essential step in creating a large-scale OTT
infrastructure. It enables content service providers to effectively support a multi-DRM environment
from a single head-end and encrypting once.
This separation acknowledges the fact that, while there is broad agreement now that CENC
provides sufficient protection for video content, there will be different DRMs to suit varying device
platforms and service requirements. It means that specific DRMs can be deployed on particular
devices to satisfy the requirements of content owners.
The Common Encryption Scheme (CENC) specifies standard encryption and key mapping
methods that can be exploited by many key management systems. As a result, any given file can
be decrypted using different DRMs. The idea is similar to what the DVB achieved with Simulcrypt;
agreeing on a common encryption system and providing DRMs and Conditional Access (CA)
systems freedom in the key distribution method.
The CENC scheme operates by defining the common format for the encryption-related metadata,
which is necessary to decrypt the protected streams. It leaves rights mappings, key acquisition
and storage, and rules over DRM compliance, to the DRM system, or to the system supporting the
encryption scheme.
3. Content Security in End Devices
Pay TV service in a multi-screen environment needs to strike a delicate balance between the level
of protection and the ability to reach a wide and growing audience. DRM interoperability is a major
step in the right direction. However, there are additional security aspects that have to be taken into
In the traditional Pay TV market, a STB is used to control content viewing. To achieve the maximal
security level, the CAS/DRM technologies have had a deep hardware anchor in the STB; part of
the memory access is restricted only to the DRM technology; secret keys are never exposed to
any 3rd party, to prevent the loading of malware on the STB any 3rd party software code has to
verified and signed by the CAS/DRM technology providers.
In an OTT environment, where the end clients are a wide variety of smartphones, tablet, PCs and
more, this approach is in most cases not viable.
3.1. Trusted Execution Environment (TEE)
One initiative designed to enhance the security of mobile devices by using a “hardware anchor” is
the Trusted Execution Environment (TEE). TEE is a secure area that resides in the main
processor of a smartphone, tablet, or any mobile device. It ensures that sensitive data is stored,
processed and protected in a trusted environment. The TEE's ability to offer safe execution of
authorized security software, known as 'trusted applications', enables it to provide end-to-end
security by enforcing protection, confidentiality, integrity and data access rights.
TEE has 3 main market applications, which are driving the technology’s adoption:
Video consumption over smartphones and tablet
devices is soaring. Content service providers,
seeking to capitalize on this market by delivering
premium content need to ensure the content’s
Mobile payment and mobile banking
Security measures are critical in mobile payment and
mobile banking applications. It is necessary to
ensure that no software application has access to or can log the PIN code entry or screen activity.
Bring your own device (BYOD)
As more and more employees bring their devices to work, access to highly confidential corporate
information over the corporate Intranet may be compromised. New measures are required to
guarantee security and prevent unauthorized access.
TEE based products will be commercially available in 2013. At this point, it will be possible to
download a DRM agent on smartphones and tablets that leverage a TEE to enhance security.
However, like all new technology, it will take time for TEE to gain significant market share.
4. Unification in the Face of Diversity
Today, multi-screen DRM systems need to address multiple DRM applications and file types,
operating across a wide range of client devices. In order to comply with content owners’
requirements for OTT distribution, new, advanced content & device management features must be
The DRM system needs to be aware of
The robustness limitation of each device
The number of devices associated with a single household
How the content is accessed (at home, outside, abroad)
The number of concurrent steams and/or downloads for an asset
The authorized device set for an asset
Armed with these new business capabilities, content service providers will be able to enforce the
business rules required by content owners. It empowers providers to enforce specific rules and
limitations based on specific device and content scenarios.
Here are 3 different examples of business rules affecting content, users, devices and the delivery
Stream HD content
on a STB but not on
tablet or PC
VOD can only be
streamed once to a
device associated
with the household
VOD has to be
viewed at home
over the Wi-Fi
In order to successfully secure and manage the rights of premium content in an OTT environment,
the DRM solution needs to broaden its scope. It needs to effectively store content, user and device
related information and implement the relevant, cross functional business rules. Furthermore, the
DRM solution needs to have built in support for the emerging standards including MPEG-DASH,
UltraViolet and TEE in order to ensure future compliance with content protection requirements.
5. VO Unified Service Platform
As highlighted in the previous section, DRMs in a multiscreen environment shall not be limited to a
set of compliance and robustness rules, they need to evolve in order to encompass content
management and device management.
Viaccess-Orca DRM is part of the company’s Unified Service Platform, which is based on 4 main
systems: Content Management, Business Management, Content Security and Content Discovery
& Personalization. The DRM is an inherent part of Content Security and will be discussed in detail
in the following sections.
However, the 3 other systems have key roles in implementing the business rules and storing
related user and device information.
Content Management – During the
content publishing and delivery, the
VO Content Management solution
implements relevant business rules;
ensuring that users gain access only to
content that is allowed on their device
type. The solution also helps to
enforce content owner requirements
regarding the number of concurrent
devices, license period and the
number of allowed views/downloads.
Business Management – This system
stores the information regarding the
number of household members and
information is provided to the Content
Management and Service Delivery
Platforms, enabling them to comply with the imposed rights management requirements.
Content Discovery & Personalization – This system is not directly involved in enforcing the
content owner’s business rules. However, it empowers content service providers to provide a
superior customer experience and avoid disappointment. By cross-checking content
recommendations with the rights management business rules, VO Content Discovery &
Personalization solution ensures that the customer will be able to consume the recommended
content on the specific device.
VO’s Unified Service Platform combines best-of-breed business and security solution into a single
pre-integrated platform. With flexible business models, support for business rules and scalability,
the solution is designed to help content service providers meet the challenges of delivering live
and on-demand Pay TV services to multiple screens operating in an OTT environment. With the
VO Unified Service platform, providers can launch OTT services such as live TV, Video on
Demand, Catch-up services and Subscription VOD.
6. VO Security Paradigm
Piracy represents a constant threat for Content Providers’ revenue. Protecting premium content
against increasingly skilled hackers who always deploy new forms of piracy requires state-of-theart security mechanisms, a secure implementation and a sound piracy management approach.
There are 3 main types of piracy threats that deal with illegal access to protected, distributed
Application Cloning/Emulation
DRM Keys illegal access and redistribution
Protected Content illegal redistribution
With over 20 years of experience in the Conditional Access and Digital Rights Management
business, VO has created a 360° security strategy that takes into account the diversified
environment and varying levels of achievable device security.
Hardware based content protection and secure implementation on devices (protection
against reverse-engineering, tampering, DRM key protection, secure audio/video path,
secure boot…)
Secure application (including the player)
Secure device identification
Secure license delivery
Support of Multiple DRM standards (PlayReady, VO DRM)) in compliance with
ISOBMFF standard and the Common Encryption CENC scheme
On-going security service for piracy monitoring and analysis
Design and deployment of countermeasures and security solution updates.
7. VO DRM Architecture
As discussed in the previous section, the VO DRM architecture employs several parts of the VO
Unified Service Platform. It delivers content protection and enforces the required business rules,
while operating in diversified environments, multiple DRMs and file types.
VO’s solution uses a multi-DRM licenser that supports both Microsoft PlayReady and VO DRM.
This approach provides a single licensing module that provides DRM licenses for Microsoft based
devices such as PC’s and XBOX running Microsoft PlayReady, as well as set-top-boxes, tablets
and smartphones running VO DRM.
Since the VO DRM is fully interoperable with Microsoft PlayReady, the same content can be
played on PlayReady enabled devices or VO DRM enabled devices.
ABR technology
VO DRM supports MPEG-DASH adaptive bit rate (ABR) technology, which is the first industry
standardized ABR protocol. MPEG-DASH uses a common encryption scheme “CENC” that enable
the content to be encrypted once. The encrypted file can be decrypted by any DRM technology
that supports CENC.
VO DRM is also fully compatible with Microsoft SmoothStreaming and the PIFF file format.
Content service providers that have already invested in equipment and content preparation can
reuse their ‘already packaged’ content to offer VOD services for smartphones, tablets and STBs.
Live TV security
VO DRM addresses specific, live TV security requirements imposed by regulators and premium
Pay TV channels. It supports key rotation (live content encryption keys are changed on a regular
basis; minutes, hours, days) in order to maximize the security level. In accordance with
government regulations, VO DRM also supports parental control.
Multi-level device security
VO DRM is available in different implementations that leverage on what it is possible to do on the
device to provide the maximum level of robustness.
Enabling deployed hybrid STB with premium “OTT” services and content
A great number of STBs already deployed support an IP connection. For Pay TV operators, it is an
asset on which they could leverage to launch VOD, catch-up services.
However in order to provide the highest level of security, it is necessary that the DRM technologies
to be downloaded on STB relies on a hardware root of trust.
Most of STB with Viaccess-Orca conditional access system have secure chipset that have been
personalized with Viaccess-Orca’s keys. This will allow Viaccess-Orca to upgrade the STB with its
VO DRM agent and enable Pay TV operators and service providers to deploy their VOD, catch-up
services will benefit from the highest level of security.
8. Security Adapted to the Device
VO’s solution offers the maximal security based on the client platform. The solution addresses 3
different types of client environments:
STB with the secure chipset (legacy Pay TV deployed STBs, or new OTT boxes),
a secure software player on Mobile/smartphone running on Android or iOS when a Trusted
Execution Environment (TEE) is not available,
A secure software trustlet installed on a TrustZone based TEE on tablet/smartphone running on
8.1. VO DRM for STB
VO’s DRM solution for STB clients is based on a secure, VO-approved, chipset, which includes
secure boot and secure audio/video path. As the evolution of the Viaccess-Orca CAS agent, it can
be easily and securely deployed on existing, legacy STBs using Viaccess-Orca CAS.
The secure chipset contains individualized, unique secret-keys that are programmed during
chipset serialization process at the production stage. It also contains a public, VO signature key,
which is used in the STB secure boot verification process. This is the foundation for the
establishing a ‘root of trust’ in the authentication chain. With this base, each sensitive software
application is securely signed prior to being downloaded to the STB.
In case of an ISOBMFF ES stream, the encrypted stream will be deciphered in buffer mode using
AES decryption capabilities of the coprocessor in the secure chipset. As a result, the DRM keys
are never exposed to the host CPU. Similarly, the secure Audio/Video path is also provided
through the HW based implementation and the Audio/Video buffers are never exposed to the host
CPU in clear mode.
The secure chipset and STB design are reviewed and verified as part of the VO approval process.
This process examines all the debug ports to make sure JTAG and other such ports are securely
closed and the output control protection policy (for example HDCP for HDMI ports).
VO’s DRM for STB is a high-security solution based on a robust hardware-based implementation,
a secure chipset with state-of-the-art security methodologies. It is similar to the CW protection
schemes provided by traditional CAS mechanisms.
We illustrate in the following table the attack factors that would require getting illegal access to
DRM keys and critical security parameters together with the security mechanisms in place to
mitigate such attacks.
Time required: In the range of years for attack identification and exploitation
Equipment required: Professional test equipment used by the semiconductor industry
Level of expertise: Several hardware and software security experts
Security Level in place: Hardware Security Level including Chipset Security
mechanisms, secure boot, secure audio/video path, software security
8.2. VO DRM for TEE-based Mobile Devices
VO’s DRM solution for TEE-based mobile devices relies on the secure TEE environment to
execute the VO DRM Agent. The solution leverages the secure APIs provided by the TEE for
secure storage of DRM keys and critical security parameters. Secure audio/video path and output
control protection functions are also enabled through the chipset’s secure APIs.
Additional mechanisms, such as hardware based secure boot, are integrated to enable the end-toend authentication chain-of-trust for all sensitive, embedded software or rooting detection. In this
manner, the secure player is also protected against rooting attacks and is able to continue working
in such hostile conditions.
VO’s DRM for TEE-based mobile devices is part of a comprehensive DRM solution. In the case of
an attack, the security service provides selective disabling for any device, which has been
compromised. As part of the recovery path, it also supports a version upgrade and service
reactivation for the device.
We illustrate in the following table the attack factors that would require getting illegal access to
DRM keys and critical security parameters together with the security mechanisms in place to
mitigate such attacks.
Time required: In the range of year for attack identification and exploitation
Equipment required: Reverse Engineering Software tools, Hardware equipment
Level of expertise: Hardware and Software Security experts
Security level in place: Hardware Security level including TEE hardware and software
security mechanism, secure boot, secure audio/video path.
8.3. VO DRM for generic iOS or Android devices
VO’s DRM solution for generic iOS or Android devices (without TEE) is based on a software
secure player. In such devices, hardware-based root-of-trust or hardware-hardening cannot be
achieved. However, by employing a set of anti-debug and anti-tampering mechanisms together
with code and data obfuscation techniques the VO DRM Agent code, associated keys can be
protected. As a result, sensitive data confidentiality and integrity can be enforced.
Device-bound key material is derived at run time from various device dependent parameters,
software integrity mechanisms and cryptographic integrity checks on the secure player code itself.
This approach provides Anti-Tampering protection. VO’s DRM solution also provides the
necessary security parameters for the output control protection and enforcement.
In case of device rooting or jailbreak, VO’s DRM solution detects if the user has gained a root
access and applies restrictions on the service and content playback.
We illustrate in the following table the attack factors that would be required to get illegal access to
DRM keys & critical security parameters together with the security mechanisms in place to
mitigate such attacks.
Time required: In the range of months for attack identification and exploitation
Equipment required: Reverse Engineering/Debugging Software tools
Level of experts: Software security expert
Security level in place: Software security level including Software anti-debug and anti-tampering
security mechanisms, code and data obfuscation and integrity checks mechanisms
8.4. Continuous Security
Piracy is and will remain an unfortunate aspect of Pay TV services. The OTT environment only
compounds the complexity of revealing and dealing with occurrences of piracy.
With over 20 years of experience in securing video content, Viaccess-Orca has adopted a 360°
Security solution for content service providers. In addition to the DRM solution, VO provides an ongoing security monitoring service, which consists of screening relevant forums and collecting
information from the field about piracy situations in deployed VO platforms across the globe.
At VO, we value our on-going partnership with our customers as we strive together to combat
piracy and content theft. To achieve transparency and productive collaboration, the information we
gather is shared regularly in targeted committees and through regular security update letters.
In case of a potential security breach in the field, Viaccess-Orca investigates the piracy situation.
Together with the provider’s team, appropriate countermeasures and action plans are established.
If the situation directly impacts the VO DRM system, Viaccess-Orca provides software renewal
plan together with relevant security services.
Indeed, in case of compromised devices, a security service allows selective disabling of
compromised devices, and the necessary upgrade of the version to recover from an attack.
9. Acronyms
ABR Adaptive Bit Rate
Conditional Access
CAS Conditional Access System
Common Encryption
CFF Common File Format
CPE Consumer premises equipment
DASH Dynamic Adaptive Streaming over HTTP
OTT Over The Top
STB Set top box
TEE Trusted execution environment
10. Reference documents
# Title Reference Version
ISO/IEC 23009-1:2012(E) - Dynamic adaptive streaming over HTTP (DASH) — Part 1:
Media presentation description and segment formats
R2. ISO/IEC 23001-7:2012 - MPEG systems technologies -- Part 7: Common encryption in ISO
base media file format file
ISO/IEC 14496-12:2012 - Coding of audio-visual objects -- Part 12: ISO base media file
ISO/IEC 14496-14:2003 - Coding of audio-visual objects -- Part 14: MP4 file format
ISO/IEC 14496-1 5:2010 & ISO/IEC 14496-15:2010/Amd 1:2011 - Coding of audio-visual
objects -- Part 15: Advanced Video Coding (AVC) file format