AN APPROACH TO SECURING VIDEO SERVICES DELIVERED VIA THE INTERNET (IPTV)
by Norman Lievaart
SYNOPSIS
Digital media content (both conveyed and stored) is vulnerable to attempts at making perfect copies at a fraction of the cost of the original content.
Protection of this content is essential for both content owners and operators of digital media delivery platforms to prevent dilution of revenues. Broadband IP networks offer new business opportunities for operators but expose them to the demanding anti-piracy requirements of the content providers. There is thus an operator need for a content management solution that is trusted by content providers and that securely protects digital media delivered via broadband networks. This paper offers a short overview of IPTV techniques, explains how operators can secure content conveyed in such networks, and describes the two secure network topologies that are typically deployed.
INTRODUCTION
The growth in digital cable and interactive deployments, together with the accelerating consolidation of operators and operations, has highlighted the importance of increased delivery network efficiencies. An Internet Protocol Television (IPTV) network offers advantages such as: high capacity, large network flexibility and the ability to dynamically manage programming. It also offers an open, competitive and low-cost solution to modern video networking.
IPTV is the concept that describes the delivery to consumers and businesses of video and entertainment services over standard IP networks. These services could be for example: broadcast services, Pay-TV, music, Video On Demand (VOD), gaming and web browsing. The content is wrapped or encapsulated into IP packets and is conveyed to the end-user as if it were IP. These services are usually offered to customers via a broadband Asynchronous Digital Subscriber Line (ADSL) or Fibre To The Home (FTTH) network. The client device for rendering the content can be either a suitably equipped PC or IP Set Top Box (STB).
IP networks are attractive to service providers because:
- Standards-based IP protocols, as well as low-cost software and hardware are universally available. This lowers procurement and support costs for the operator. Internet routing is efficient, leading to lower bandwidth overheads and more useful capacity for the network.
- The build-out of broadband cable networks is starting to reach a critical mass. These broadband networks, if not ADSL or FTTH, are increasingly Gigabit-Ethernet networks. The marginal cost of adding video capability to such an IP network is low.
- More services can be efficiently bundled in an IP environment. The Triple Play offering of (Internet) data services, telephony and television becomes increasingly simpler and cheaper to provide via the same infrastructure. These services permit the operator's Average Revenue Per Subscriber (ARPU) figures to grow.
- The inherent bi-directional nature of IP provides a natural platform for interactive television services such as VOD, gaming and Television (T)-commerce.
CONTENT PROTECTION & SECURITY
Overview
A commonly heard comment is "My network is a closed network. I therefore only need authentication to protect my content. Existing Internet security protocols will protect my content." These statements are briefly addressed in the following sections:
- It is true that authentication can be securely achieved, but it is incorrect to assume that authentication is sufficient to ensure secure content delivery. Although point-to-point networks (e.g. ADSL) may be deployed, PPP and IP are open protocols. This means that IP and non-repudiation attacks cannot be prevented and that copy protection is not achieved.
- Furthermore, the SSL protocol can be used for securing small data units only and it offers no copy protection. As it is based on the RSA algorithm, its throughput is slow.
- IPsec offers link security but no copy protection. It is not yet a standard as some of its flaws remain to be addressed. It also requires IPsec-compliant devices in the network i.e. routers.
An additional dedicated layer of security is therefore essential in all networks that deliver valuable media content.
IP Multicast & Security
The IP Multicast protocol is not currently permitted on the Internet because it is vulnerable to broadcast flooding attacks. All routers on the Internet are therefore programmed by default to not let IP Multicast-addressed traffic pass. Multicast techniques are therefore limited for use within an operator's own (closed) IP network.
The multicast protocol permits users to join and leave multicast sessions without notifying the sender. This is undesirable for an operator streaming valuable content to subscribers. Effective Content Protection systems centralise access control in such a way that only authorised subscribers have access to designated services on the network.
Why Content Protection?
In making content available to operators, the typical views of the US movie studios are:
- Valuable content in the public domain must be in scrambled format
- Stored content (network or local) must be encrypted
- Copy protection mechanisms are to be in place
- Operator-access to valuable content will be denied if suitable protection is not in place
Potential pirates consider broadcast video material and VOD content to be of high value. Pirate attacks on these services are and will accordingly remain a concern for both operators and the owners of the distributed content. As outlined above, transport networks and IP multicast streams are not impenetrable and other threats do exist. The protection of content, i.e. the restriction of access to content and the prevention of its reproduction as it is consumed, is thus of paramount importance in an IPTV operation.
Content Protection Requirements & Solutions
The general requirements for a secure content management system, together with the Irdeto Access response to each, are detailed in the following table:
REAL-TIME ENCRYPTION SOLUTION
Description
In real-time encryption techniques, content is encrypted at the head-end, as it is played-out from the content server or streamed from a broadcast. Unique encryption keys are generated for each session to ensure a high degree of security. This technique is however unsuitable for large subscriber bases for on-demand content (Pay Per View services), as the encryptor cost rises rapidly as the number of concurrent subscribers increases. Streamed (broadcast-like) services, on the other hand, can be efficiently processed by making use of the IP multicast protocol in a closed network.
The advantages of the real-time encryption technique are:
- Encryption keys have a very short life span and are only used for a specific consumer
- It prevents attacks on the Content Protection system through key redistribution techniques
The benefits that the real-time encryption technique offers operators are:
- Compatibility with any IP packetised data (content agnostic). This significantly reduces time-consuming up-front integration with middleware and video servers
- Significantly reduced start-up costs for operators by eliminating costly up-front licenses
- Lower operating costs, as there are no operational activities such as monthly pre-encryption of the content. It is thus ideal for small operations with few technical staff
Deployment Example
Irdeto Access recently supplied a content protection system, similar to that outlined above, for a broadband IPTV operation (10 000 current subscribers) to SureWest, one of the largest independent telcos in the US. SureWest deploys video over an IP network and is one of the first in the USA to deploy video simultaneously over a DSL and an FTTH network. The integrated Content Protection solution included Minerva® iTVManager video services management software, Kasenna's media servers and MediaBase XMP software. The iTVManager controlled the interactive television services, while the Kasenna system managed, distributed and delivered VOD content. Amino's digital STBs, equipped with Irdeto Access smart cards, completed the system.
PRE-ENCRYPTION SOLUTION
Description
In pre-encryption techniques, content is encrypted before it is stored on the video file server at the head-end (or regional node). In this system, encryption keys are static as the encrypted content has been stored (in a secure environment). Content should however be re-encrypted on a regular basis to ensure that the stored and encrypted content remains a moving target for pirates. In this technique, content is also safe for storage on the edge of the network (at regional nodes), making pre-encryption well-suited to offering Pay Per View events to subscribers.
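The difference in key lifetime between the real-time and pre-encryption descriptions above can be shown with a small model. This is an added example, not Irdeto Access code: the HeadEnd class, the subscriber names and the HMAC-based toy cipher (a stand-in for a real scrambler) are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher (HMAC-SHA256 keystream), a stand-in for the real scrambler."""
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class HeadEnd:
    """Hypothetical head-end holding entitlements and keys centrally."""
    def __init__(self, entitled):
        self.entitled = set(entitled)
        self.session_keys = {}                      # real-time: one key per session
        self.epoch, self.content_key = 0, secrets.token_bytes(32)  # pre-encryption

    def start_session(self, subscriber: str):
        if subscriber not in self.entitled:         # centralised access control
            raise PermissionError(subscriber)
        sid = secrets.token_bytes(8)
        self.session_keys[sid] = secrets.token_bytes(32)
        return sid, self.session_keys[sid]

    def stream(self, sid: bytes, content: bytes) -> bytes:
        return xor_stream(self.session_keys[sid], sid, content)

    def store(self, content: bytes):
        nonce = self.epoch.to_bytes(8, "big")
        return nonce, xor_stream(self.content_key, nonce, content)

    def re_encrypt(self, content: bytes):
        self.epoch, self.content_key = self.epoch + 1, secrets.token_bytes(32)
        return self.store(content)

def demo():
    head_end = HeadEnd({"alice", "bob"})
    movie = b"constructed sample payload " * 8
    _, key_a = head_end.start_session("alice")
    sid_b, _ = head_end.start_session("bob")
    stream_b = head_end.stream(sid_b, movie)
    # A redistributed session key does not open another subscriber's stream.
    leaked_session_key_works = xor_stream(key_a, sid_b, stream_b) == movie
    # A static stored-content key opens the asset until it is re-encrypted.
    old_key = head_end.content_key
    nonce, stored = head_end.store(movie)
    static_key_works = xor_stream(old_key, nonce, stored) == movie
    nonce2, stored2 = head_end.re_encrypt(movie)
    old_key_after_rotation = xor_stream(old_key, nonce2, stored2) == movie
    return leaked_session_key_works, static_key_works, old_key_after_rotation
```

demo() returns three booleans: whether a leaked session key opens another session, whether the static key opens the stored asset, and whether that same key still works after re-encryption.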
The advantages of the pre-encryption technique are:
- It is a combination of the advantages of the real-time and pre-encryption techniques. It therefore is a good defense against the weaknesses inherent in some pre-encryption solutions.
- It offers the ability to add a watermark or fingerprint that is unique to the VOD session. This allows the source of pirated content to be traced.
The benefits that the pre-encryption technique offers operators are:
- Compatibility with any IP network equipment.
- The costs of on-line encryptors for stored content are eliminated
- Significant reduction in the costs of securely protecting stored content (as it is already encrypted)
- It is highly scalable to larger architectures, simplifying future expansion of the operation
CONCLUSION
IPTV is a content distribution technique that allows valuable video content to be securely and cheaply transported to subscribers. IPTV networks can be deployed by a wide variety of telco, FTTH and cable operators, as well as broadband ISPs. These operators can bundle these advanced video services together with Internet access and IP telephony services to create so-called Triple Play offerings to their subscribers. Average Revenue Per Unit (ARPU) figures rise because the investment and operating costs are spread across the three service platforms.
Irdeto Access' IPTV programme meets broadband IP network operators' needs for a secure content management solution that is trusted by content providers. Our solutions, based on our established product and service methodology, offer operators a variety of alternatives for implementing access control for video services delivered via their IP networks. Encryption, copy protection and watermarking technologies are supported to provide end-to-end security for valuable content in IP networks, and to secure transactions relating to this content.
For further details on how our secure IPTV solutions can benefit your business, please contact your nearest Irdeto Access representative from the list offered on our web site at: http://www.irdetoaccess.com