FG IPTV-C-0217: Telecommunication Standardization Sector


INTERNATIONAL TELECOMMUNICATION UNION
TELECOMMUNICATION STANDARDIZATION SECTOR
STUDY PERIOD 2005-2008

FOCUS GROUP ON IPTV
FG IPTV-C-0217
English only

WG(s): 3
2nd FG IPTV meeting: Busan, 16-20th October 2006

CONTRIBUTION
Source: Cisco Systems Inc.
Title: End-to-End IPTV Security: Assets, Risks and Threats

Abstract:
This paper examines end-to-end IPTV security based on asset types so providing an overall
structure for the Security and Content Protection Working Group (WG3) to work from.
It starts with a top-level end-to-end architecture and distribution model for IPTV and lists the
data and service assets at each point in the distribution chain. It considers the risk to those assets
including potential attacks on asset integrity, confidentiality and circumvention of access
controls. It characterizes the attackers into four broad groups that can potentially exploit these
risks and threaten an asset. Finally, mechanisms are suggested for mitigating the risks to the
assets.
Proposal:
We propose that this document be added to the “live” list for use as a baseline document.

Contact: Mark Baugher, Cisco Systems Inc.
Phone: +1 503 245 4543
Email: [email protected]

Contact: Jeffrey Goldberg, Cisco Systems Inc.
Phone: +44 7802 570405
Email: [email protected]
Attention: This is a document submitted to the work of ITU-T and is intended for use by the participants to the activities of ITU-T's
Focus Group on IPTV, and their respective staff and collaborators in their ITU-related work.  It is made publicly available for
information purposes but shall not be redistributed without the prior written consent of ITU.  Copyright on this document is owned by
the author, unless otherwise mentioned.  This document is not an ITU-T Recommendation, an ITU publication, or part thereof.
Table of Contents

Introduction 3
End-to-end IPTV Architecture 4
    Assets, Risks and Threats 5
    End-to-End IPTV Assets 5
    Risks to Assets 6
    Who Threatens the Assets? 6
Content Work Assets 7
    Cryptographic Assets 8
    Metadata Assets 10
Network Service Assets 10
    Acquisition Network 10
    Core, Metro, Access and Home Networks 10
    Metadata Assets 12
Service Assets 12
Terminal Assets 13
Subscriber Assets 15
Security and Protection Mechanisms 16
    Content protection mechanisms 17
    Network security mechanisms 18
    Terminal protection mechanisms 20
    Subscriber security mechanisms 21
Acknowledgements 21
Glossary 21
References 24
Introduction
A complete end-to-end security analysis of an IPTV system is an enormous task, and one that is
ultimately unique to a particular service. We don’t intend to perform such an analysis in this
document but instead take an overview of the entire chain of an IPTV system. IPTV consists of
much more than television over Internet Protocol (IP); for example, it includes “last kilometre” IP
delivery, efficiencies in the head-end data centre, storage, and the metropolitan and wide-area networks.
End-to-end IPTV security therefore consists of multiple network sub-systems along a distribution
chain from producer to distributor to the consumer of multimedia content. At each step, each
network along the delivery chain contains security or content protection issues.
This document identifies five types of “assets,” which have security or content protection issues.
• Content assets, which reside on transit networks controlled by IPTV businesses along the
  distribution chain, on networks owned by the IPTV consumer and on the IPTV terminal
  device.
• Network assets, which are networks operated by entities along the distribution chain, and
  the home network of the residential consumer.
• Service assets, which support network services and IPTV applications.
• Terminal assets, which the residential consumer uses to process and store content works
  and other information related to the IPTV service.
• Subscriber assets, which consist of information about the subscriber, the subscriber
  household, and their IPTV transactions that are processed at multiple points along the IPTV
  delivery chain.
An “asset” is defined to be data or a service resource in the distribution chain. Different types of
risk are associated with each asset. A “risk” is a potential attack on an asset; it only jeopardizes the
asset if the risk is exploited through an “attack.” The exploitation of a risk in an attack is called a
“threat”. A “passive attack” is one in which the attacker merely gains access to the asset. In an
“active attack,” the attacker is able to alter, manipulate, route, or otherwise actively change the
asset. Key terms such as asset, risk, threat and attack are defined in the Glossary chapter of this paper.
The issues described in this paper include both conventional security challenges that are
characteristic of enterprise networks today and also content protection issues that are found in
systems that manage access to copyrighted content works. The problems and technical solutions
are different, however, between security and content protection:
• Computer and network security assumes that the endpoint is not under the control of the
  attacker and that those in control of each endpoint have a vested interest in protecting
  secrets.
• Content protection, by contrast, assumes that the endpoint is untrusted and possibly under the
  control of the attacker.
A true definition of security necessarily includes the physical security of systems and the
procedures that people follow when they access those systems. Content protection systems,
however, are widely deployed in consumer environments having little physical security and no
human procedures for protecting content works, particularly if the human user at the endpoint
wishes to circumvent the copyright protections on a particular content work. A determined
individual who has the end device and its secrets under their control can practically always
circumvent the content protection system. Content protection mechanisms, therefore, keep honest
people honest and do not have the mathematical certainties of security technology. When content
works are protected by physical security and security procedures, as in IPTV businesses, this
document uses the term “content security” rather than “content protection”.
The IPTV business networks in the distribution chain face security challenges that include breach of
confidentiality, denial of service and other attacks common on business networks today. The
distribution of copyrighted content works from third-party providers, however, increases the
likelihood of certain types of attacks, such as attacks on data integrity. In the IPTV case, moreover,
a third-party provider of content works may wish to have additional protections, such as a forensic
watermark, applied to their titles as a check on the security of their distributors. In this case,
content protection mechanisms may be used in the business environment in addition to content
security mechanisms. In the home environment, security mechanisms are needed on consumer
devices in addition to content protection mechanisms: The consumers’ devices and home networks
face threats to privacy and system integrity as well as the novel challenges of content protection.
This document is concerned with both security and content protection along the distribution chain.
Chapter 2 of this paper describes the IPTV security architecture in terms of the IPTV delivery
chain, protocols and processes. A distribution model is presented and chapter 2 characterizes the
end-to-end IPTV Assets, Risks and Threats (ART). The ART for content works, network, terminal
and subscriber assets are described in subsequent chapters. These chapters are followed by a
discussion on security and protection mechanisms to be applied to those assets.

End-to-end IPTV Architecture


Figure 1: End-to-end Distribution Chain

The focus of entertainment content protection is often on the “last kilometre” of a long distribution
chain where copyrighted content works might be illegally copied and then redistributed on the
Internet. The greatest economic threat to entertainment content distribution, however, often occurs
at the very beginning of the distribution chain shown in Figure 1. Post-production houses have
access to newly released movies before they even reach the movie theatre. Theft of a content work
at this point of the distribution chain enables DVD counterfeiting, which is the greatest threat to
movie studios’ revenue.
The work of professional criminals at the earlier stages of the distribution chain can have the
greatest economic impact on content revenues. Unlike the consumer, however, employees in the
production and distribution centre can be subject to security procedures and fired for violating them.
Thus, good content-level security is needed in the enterprises that process IPTV content works as
well as in the households that purchase or view them.
Professionals can work from a consumer’s residence in cases where a perfect copy can be obtained
using only subscriber equipment. This problem is addressed in IPTV conditional access and DRM
systems that are deployed in the home. As a general rule, these systems should be robust against
attempts to obtain an unauthorized copy through circumvention up to the point where other avenues
of attack become cheaper and easier. Whilst it may be impossible to prevent an unauthorized copy
from being made, it should be difficult, apparent to the copier that they’re circumventing a control
[Marks & Turnbull], and amenable to forensics. Ideally, unauthorized copying results in a degraded
copy of the content work, but this is often not possible to achieve.
Experience has shown that the overwhelming majority of consumers want to enjoy entertainment
content works rather than engage in the illegal trade of them. Content protection, therefore, must
not intrude on the customer’s experience, otherwise, content protection will encourage
circumvention of content access controls, as explained by the “Darknet” paper [Darknet]. It is also
of great importance that the very best service is provided that is free of denial of service attack,
attacks on the integrity of the content work, and attacks on the privacy of consumers and the
security of their home networks. These attacks can occur at various points in the distribution chain
of Figure 1: in the core, the metro network, the access network, and even (rarely) on the consumer’s
home network. The nature of these attacks, the assets that need protection and the protection mechanisms
are considered throughout the remainder of this document.

Assets, Risks and Threats


Table 1 lists the basic definitions that are used throughout this document.

Table 1: Definitions of Asset, Risk and Threat

TERM | DEFINITION
Asset | A data resource or service that is of value to supplier, distributor or user in the distribution chain.
Risk | Some potential access or action to an Asset that may result in harm to the interests of the supplier, operator or user of the network.
Threat | A means to exploit a risk.

End-to-End IPTV Assets


This document classifies assets according to one of four types. Each type is defined in Table 2 and
has a chapter devoted to it. Thus, the chapters are organized by the asset type and analyze the type
of risk, risk severity, the source of each threat and its likelihood.
Table 2: List of Assets

ASSET | DEFINITION
Content work | Streams or files “at rest” or “in motion” on the network.
Network | Network bandwidth, intermediate systems such as routers or firewalls, end systems that are vital to a service such as servers and directories.
Terminal | End systems that render, store, and process content works.
Subscriber | Information about the residential consumer and their transactions.

Risks to Assets
Table 3 contains a list of risks to each asset. Each risk in the “Risk” column of the table has a
severity and a set of threats by those who might attempt to exploit the risk in an attack. The
severity, threats, potential attackers and the likelihood of attack are considered in the chapters that
follow for each type of asset.
Table 3: Lists of Risk to Each Type of Asset

ASSET | RISK
Content Work | Theft of content; Denial of service
Network | Theft of service; Unauthorized access or modification of messages; Denial of service
Terminal | Unauthorized relocation or use; Unauthorized access; Circumvention of protection mechanisms; Denial of service
Subscriber | Theft of subscriber or transaction information; Unauthorized modification of information

Who Threatens the Assets?


Ultimately, an Asset, Risks and Threats analysis classifies and lists the potential attacks on service
and information assets. As part of this analysis, it is useful to consider who is in a position to attack
an asset in a particular way and with a particular likelihood. Table 4 classifies each type of attacker,
describes them and their motivation.
Table 4: The Attackers

SOURCE | DESCRIPTION | MOTIVATION
Cracker | Person with skill and opportunity to threaten an Asset | Personal fame, revenge, ideological predilection
Professional | Unlawful reseller of an Asset | Gain from crime
Insider | Person employed by supplier or operator who threatens an Asset | Gain from organized crime, revenge, desire to hurt employer or help competitor, personal fame or ideological predilection
Consumer | Person in a residential household who uses an Asset in an unauthorized manner | Free service access or unauthorized use of a content work

Content Work Assets


Table 5 illustrates an important fact with regard to content work assets: Assets do not have the
same value over a lifetime of use. Content work assets therefore need more protection during the
earliest stages of initial or subsequent release to protect the brand of the rights holder and content
distributor.
Table 5: Movie Release and Revenues Window [Lieberfarb]

Window (months) | 3 | 6 | 9 | 12 | 15 | 18 | 21 | 24 | 27 | 30 | 33 | 36 | 39-50
% of Total Revenue | 11 | 13 | 21 | 13 | 6 | 9 | 9 | 6 | 3 | 2 | 2 | 2 | 3

Share of each channel’s revenue across its successive release windows (listed in the order of the
windows in which each channel earns; their alignment to the month columns above is not
recoverable in this text):
US Theatrical: 80%, 20%
US Home Video: 65%, 35%
US Pay TV & VoD: 15%, 25%, 25%, 20%, 15%
US Network TV: 40%, 30%, 30%
US Syndicated TV: 15%, 15%, 15%, 55%
Int’l Theatrical: 15%, 70%, 15%
Int’l Home Video: 15%, 25%, 25%, 25%, 10%
Int’l Television: 10%, 10%, 10%, 10%, 10%, 10%, 10%, 30%

Table 6 lists the assets, risks and threats (ART) for content works. The severity of an attack and
likelihood of an attack on these assets is specific to an IPTV service and may therefore differ for a
particular service. The values in the table are generic and intended to illustrate the concepts of
severity and likelihood of attack. We RECOMMEND that an ART analysis be performed not only
during the development of standards but also in the design, implementation and deployment of
those standards. This chapter gives an overview of what content types need to be protected from
what risk and from whom. Future work needs to be done to add detail to this overview and to
consider attacks on content assets.

A particular service that implements IPTV security and protection standards, moreover, will likely
need to further refine the ART analysis depending on the content types offered by the service. In
the case of some music titles, for example, encryption is not used whereas in cases such as video it
usually is.
Table 6: Content Work ART

ASSET | RISK | SEVERITY | LIKELIHOOD BY THREAT
Compressed, plaintext content work | Unauthorized copy obtained from network, network device or end system | High if the work is within the release window or deemed highly valuable by the provider; Medium to Low depending on the work | Cracker, Professional, Insider: High; Consumer: Medium to Low
Compressed, encrypted content work | Unauthorized access | Low | Cracker, Professional, Insider: Low unless the key is obtained and High otherwise; Consumer: Low
Any content work | Denial of service attack | High | Cracker: Low; Professional: Low; Insider: Low; Consumer: Low

Cryptographic Assets
For encrypted content works, a key management system (KMS) establishes a hierarchy of keys
called a “key ladder”, which can use asymmetric and symmetric keys, as shown in Figure 0 1. The
identity keys, which identify and 8nrols8th8te the Terminal, are typically RSA keypairs though
DSA, El Gamal, or Diffie-Hellman keys may be used [MVV]. Public key encryption and private
key signature can establish a key encrypting key (KEK), which is typically a 3DES or 128-bit AES
key. The KEK encrypts a “content key” for content encryption or decryption. A content key might
be for a DVB conditional access, SRTP or ISMAcryp content-decrypton key [DVBCA, SRTP,
ISMACryp]. In SRTP and ISMACryp, the content key is called a “master key”, which is input to a
key derivation algorithm to obtain 128-bit AES decryption and HMAC integrity keys.
The identity key(s) might be pre-installed on the Terminal or installed with a special KMS
procedure. The KEK is installed by a KMS key-establishment protocol [RFC3547]. The master
key is “key wrapped” in the KEK or directly installed using an identity keypair, e.g. public-key
encryption.
The KMS handles authentication, key installation, pair-wise key establishment, group key
establishment, end-system revocation, and identity replacement.
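To make the three tiers of the ladder concrete, the Go program below is an added example written for this edit; it is not code from the Cisco contribution, from any KMS product, or from the SRTP or ISMACryp specifications. It assumes RSA-OAEP for the public-key encryption of the KEK and RSA-PSS for the KMS signature over it (the "public key encryption and private key signature" step), uses AES-GCM as a stand-in for a dedicated key-wrap algorithm at the KEK tier, and uses a labelled HMAC-SHA256 as a stand-in for the AES-CM key derivation that SRTP specifies. The function names, the 16-byte "constructed-key!" master key and the 2048-bit size of the example identity keys are all constructed for the illustration.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Tier 1: 2048-bit RSA keypairs stand for the terminal and KMS identity keys.
func generateIdentityKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Tier 2, KMS side: a fresh 128-bit KEK is public-key encrypted to the terminal
// (RSA-OAEP) and the ciphertext is signed (RSA-PSS) so the terminal can
// authenticate its source. Returns the KEK, the ciphertext and the signature.
func establishKEK(kmsPriv *rsa.PrivateKey, terminalPub *rsa.PublicKey) (kek, wrapped, sig []byte, err error) {
	kek = make([]byte, 16)
	rand.Read(kek) // crypto/rand.Read never returns an error in current Go
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, terminalPub, kek, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	digest := sha256.Sum256(wrapped)
	sig, err = rsa.SignPSS(rand.Reader, kmsPriv, crypto.SHA256, digest[:], nil)
	return kek, wrapped, sig, err
}

// Tier 2, terminal side: verify the KMS signature before anything else, then
// recover the KEK with the terminal identity private key.
func receiveKEK(terminalPriv *rsa.PrivateKey, kmsPub *rsa.PublicKey, wrapped, sig []byte) ([]byte, error) {
	digest := sha256.Sum256(wrapped)
	if err := rsa.VerifyPSS(kmsPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("KEK not signed by the KMS: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, terminalPriv, wrapped, nil)
}

// Tier 3: the content ("master") key is key-wrapped in the KEK. AES-GCM stands
// in for a dedicated key-wrap algorithm; its tag makes a tampered or mis-keyed
// blob fail loudly instead of silently yielding wrong session keys.
func kekCipher(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func wrapMasterKey(kek, master []byte) ([]byte, error) {
	gcm, err := kekCipher(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, master, nil), nil // nonce || ciphertext || tag
}

func unwrapMasterKey(kek, blob []byte) ([]byte, error) {
	gcm, err := kekCipher(kek)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("cannot unwrap master key: %v", err)
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// Tier 4: derive the 128-bit AES content-encryption key and a 160-bit HMAC
// integrity key from the master key. Labelled HMAC-SHA256 stands in for the
// AES-CM key derivation that SRTP and ISMACryp actually specify.
func deriveSessionKeys(master []byte) (encKey, authKey []byte) {
	kdf := func(label string, n int) []byte {
		m := hmac.New(sha256.New, master)
		m.Write([]byte(label))
		return m.Sum(nil)[:n]
	}
	return kdf("content-encryption", 16), kdf("content-integrity", 20)
}

// runLadder walks the whole ladder with the KEK signed by signer. The terminal
// checks the signature against kms, so signer == kms leaves the terminal holding
// the KMS's session keys, while any other signer is refused at tier 2.
func runLadder(signer, kms, terminal *rsa.PrivateKey) (bool, error) {
	kek, wrapped, sig, err := establishKEK(signer, &terminal.PublicKey)
	if err != nil {
		return false, err
	}
	terminalKEK, err := receiveKEK(terminal, &kms.PublicKey, wrapped, sig)
	if err != nil {
		return false, err
	}
	master := []byte("constructed-key!") // constructed 128-bit sample content key
	blob, err := wrapMasterKey(kek, master)
	if err != nil {
		return false, err
	}
	got, err := unwrapMasterKey(terminalKEK, blob)
	if err != nil {
		return false, err
	}
	e1, a1 := deriveSessionKeys(master)
	e2, a2 := deriveSessionKeys(got)
	return hmac.Equal(e1, e2) && hmac.Equal(a1, a2), nil
}

func main() {
	kms, _ := generateIdentityKey()
	terminal, _ := generateIdentityKey()
	fmt.Println(runLadder(kms, kms, terminal)) // true <nil>
}
```

The terminal only accepts a KEK whose ciphertext carries a valid KMS signature, so calling runLadder with any signer other than kms returns an error at the second tier before the KEK is ever decrypted; likewise a master-key blob unwrapped under a KEK other than the wrapping one fails the GCM tag check rather than producing wrong session keys at tier 4. Identity-key revocation and replacement, which the KMS also handles, are outside this illustration.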
Figure 01: Assumed Key Ladder

ASSET | RISK | SEVERITY | LIKELIHOOD BY THREAT
Identity key | Unauthorized access: copy obtained from end system | High in broadcast networks; medium in 2-way networks | Cracker, Professional, Insider: Medium in broadcast networks, medium to low in 2-way networks; Consumer: Low
Key encrypting key (KEK) | Unauthorized access: copied from end system device | High | Cracker, Professional, Insider: High; Consumer: Low
Content key | Unauthorized access: copied from end-system | High | Cracker, Professional, Insider: Medium; Consumer: Medium if KEK is obtained, low otherwise
Metadata Assets

ASSET | RISK | SEVERITY | LIKELIHOOD BY THREAT
Information about content assets | Unauthorized access: disclosure to unauthorized party | Medium | Cracker: Medium; Professional: Medium; Insider: High
Information about content assets | Unauthorized access: modification by unauthorized party | Medium | Cracker: High; Professional: Low; Insider: Low
Information about security, cryptography and content protection | Unauthorized access: disclosure to unauthorized party | Low | Cracker: High; Professional: High; Insider: High
Information about security, cryptography and content protection | Unauthorized access: modification by unauthorized party | High | Cracker: High; Professional: High; Insider: High

Network Service Assets


We consider that network service assets, risks and threats along with the severity and likelihood of
attacks are specific to an IPTV service and may therefore differ for a particular service. The values
in the table are generic and intended to illustrate the concepts of severity and likelihood of attack.
We RECOMMEND that an ART analysis be performed during the development of standards and in
the design, implementation and deployment of those standards. This chapter gives an overview of
what in the network needs to be protected from what risk and from whom. Future work needs to be
done to add detail to this overview and to consider attacks on network assets.

Acquisition Network
It is a widespread practice today for studios and large content providers to use satellite delivery for
movie and TV programming files to network distributors. This practice is likely to continue for the
foreseeable future given the economies and existing infrastructure. Satellite conditional access
systems typically provide security for these satellite feeds and this solution has proven to be
practically free of attack. The transport of these feeds, moreover, typically does not use IP or IP
routing. For these reasons, the Acquisition network is not considered further in this document.

Core, Metro, Access and Home Networks


The core network is a valuable target of crackers who wish to disrupt network operation for the
purposes of demonstrating that they can do such a thing. It is also an attractive target for
Professionals who may want to expropriate the network for their uses or disrupt the core network as
part of an extortion scheme. Disruption of the core network disrupts a national service.
Disruption of the metro network disrupts service across a metropolitan area and is therefore an
interesting target for crackers and professionals. In all but the smallest metropolitan areas, it is and
will continue to be common in IPTV delivery architectures to connect multiple local access
networks to a single backbone network that spans a metropolitan area or region. This document
assumes that the Assets, Risks and Threats for the Metro Network are no different than for the core
network.
The following table lists assets, risks and threats for the Core Network, which is shown in Figure 1.

ASSET | RISK | SEVERITY | LIKELIHOOD BY THREAT
Network bandwidth | Denial of service attack | Medium | Cracker: High; Professional: Medium; Insider: Low; Consumer: Low
Network bandwidth | Unauthorized access or use | High | Cracker: Medium; Professional: High; Insider: Low; Consumer: Low
Network messages | Unauthorized access | High | Cracker: High; Professional: Medium; Insider: Low; Consumer: Low
Network messages | Unauthorized modification | High | Cracker: High; Professional: Medium; Insider: High; Consumer: Low
Network messages | Replay | High | Cracker: High; Professional: Medium; Insider: Low; Consumer: Low
Routers, intermediate systems, access servers and system hosts | Denial of service attack | High | Cracker: High; Professional: Medium; Insider: Low; Consumer: Low
Routers, intermediate systems, access servers and system hosts | Unauthorized use | High | Cracker: High; Professional: Medium; Insider: Low; Consumer: Low

The network assets are the same for access and home networks, but a particular home network has
little value as a target for crackers and professionals, who are unlikely to bother with a concerted
attack on it. Today, crackers and professionals focus on launching attacks on Internet servers and
resources from home networks that are “infected” with viruses and other malware. This topic is
further considered in the Terminal chapter below.
Unlike the home network, the access network does have shared resources, servers and hosts that are
attractive to crackers and professionals who could use these resources for launching more extensive
attacks on other networks such as the metro network and the core.

Metadata Assets
In addition to network assets on various networks of the distribution chain, there is value and risk to
information about these assets. A cracker or professional can often make use of information about
the network service in an active attack in which information is modified. An attacker with this
power can redirect requests up to and including control of routing. The

ASSET | RISK | SEVERITY | LIKELIHOOD BY THREAT
Information about network service | Disclosure to unauthorized party | Low | Cracker: Medium; Professional: Low; Insider: Low; Consumer: Low
Information about network service | Modification by unauthorized party | High | Cracker: High; Professional: High; Insider: High; Consumer: Low
Information about security, cryptography and content protection | Disclosure to unauthorized party | Low | Cracker: High; Professional: High; Insider: High; Consumer: Low
Information about security, cryptography and content protection | Modification by unauthorized party | High | Cracker: High; Professional: High; Insider: High; Consumer: Low

Service Assets
We consider that service assets, risks and threats along with the severity and likelihood of attacks
are specific to an IPTV service and may therefore differ for a particular service. The values in the
table are generic and intended to illustrate the concepts of severity and likelihood of attack. We
RECOMMEND that an ART analysis be performed during the development of standards and in the
design, implementation and deployment of those standards. This chapter gives an overview of what
service assets need to be protected from what risk and from whom. Future work needs to be done to
add detail to this overview and to consider attacks on service assets.
ASSET | RISK | SEVERITY | LIKELIHOOD BY THREAT
Domain Name Server | Denial of service attack | Medium | Cracker: High; Professional: Medium; Insider: Low; Consumer: Low
Domain Name Server | Unauthorized access | High | Cracker: High; Professional: Medium; Insider: Low; Consumer: Low
Electronic Program Guide | Denial of service attack | High | Cracker: High; Professional: Medium; Insider: Low; Consumer: Low
Electronic Program Guide | Unauthorized access | High | Cracker: High; Professional: Medium; Insider: Low; Consumer: Low
Media Servers and multiplexers | Denial of service attack | High | Cracker: High; Professional: Low; Insider: Low; Consumer: Low
Media Servers and multiplexers | Unauthorized access | High | Cracker: High; Professional: Low; Insider: Low; Consumer: Low
CAS and Subscriber Management | Denial of service attack | High | Cracker: High; Professional: Low; Insider: Low; Consumer: Low
CAS and Subscriber Management | Unauthorized use | High | Cracker: High; Professional: Low; Insider: Low; Consumer: Low

Terminal Assets
This chapter considers assets, risks and threats for the “terminal” or end-system device where
content works are stored, rendered, and in some cases forwarded to other devices. This chapter
considers potential risks to those assets as well as the severity and likelihood of attack by each class
of attacker. The severity of an attack and likelihood of an attack on these assets is specific to an
IPTV service and may therefore differ for a particular service. The values in the table are generic
and intended to illustrate the concepts of severity and likelihood of attack. We RECOMMEND that
an ART analysis be performed during the development of standards and in the design,
implementation and deployment of those standards. This chapter gives an overview of what
terminal assets need to be protected from what risk and from whom. Future work needs to be done
to add detail to this overview and to consider attacks on terminal assets.
As with the other assets, a terminal has a set of assets that can be listed in a table. In addition to
those assets, a terminal typically has the important property of “Localization” because the device is
assumed to be close to a subscriber, for example within the physical boundaries of the subscriber’s
house, or in the pocket of a subscriber for a mobile terminal device. Localization is often important
to the protection of a content work or service when access is to be controlled to devices that belong
to a household. These assumptions may underlie a variety of future services and content-work
business models [DVB CPCM], and this makes “locality” an asset that can be attacked in various
ways.
The other terminal assets are the physical resources of the terminal, which are processor, disk, and
output interfaces. In the case of most services, the output interfaces will be protected interfaces
such as HDCP or HDMI interfaces (see Glossary for definitions). Other terminal assets are
described in separate chapters of this document: Content work assets and subscriber assets have
their own chapters; these are referenced but not duplicated in this chapter.
Table 2: Terminal

ASSET | RISK | SEVERITY | LIKELIHOOD BY THREAT
Locality | Fixed-location device that is outside residence is given service | Medium | Cracker: Low; Professional: Low; Insider: Low; Consumer: Medium
Locality | Mobile device owned by non-subscriber is given service | Medium | Cracker: Low; Professional: Low; Insider: Low; Consumer: Medium
Processor and Disk | Infection by malware | High | Cracker: Low unless executables are downloaded from the network; Professional: Low; Insider: Low; Consumer: Low
Processor and Disk | Unauthorized use | High | Cracker: Low; Professional: Low; Insider: Low; Consumer: Low
Interface | Subversion of content protection controls (e.g. HDCP, HDMI) | Medium | Cracker: Low; Professional: Low; Insider: Low; Consumer: Low
Subscriber Assets
Subscriber information is at risk as recent leaks of corporate and government records have shown.
As with many of the assets discussed in this document, subscriber information can be obtained from
multiple points in the delivery chain such as at servers in the metropolitan network or attached to
the core network.
This chapter considers potential risks to subscriber assets as well as the severity and likelihood of
attack by each class of attacker. The severity of an attack and likelihood of an attack on these assets
is specific to an IPTV service and may therefore differ for a particular service. The values in the
table are generic and intended to illustrate the concepts of severity and likelihood of attack. We
RECOMMEND that an ART analysis be performed during the development of standards and in the
design, implementation and deployment of those standards. This chapter gives an overview of what
subscriber assets need to be protected from what risk and from whom. Future work needs to be
done to add detail to this overview and to consider attacks on subscriber assets.
Loss of transaction information is also a risk. As with subscriber information, this asset may be
exposed on the Access Network, Metropolitan Network, Core Network, and server repositories.

Subscriber ART with Severity and Likelihood of Attack

ASSET | RISK | SEVERITY | LIKELIHOOD BY THREAT
Subscriber information | Unauthorized access: disclosure to unauthorized party | High | Cracker: Medium; Professional: Medium; Insider: Low; Consumer: Low
Subscriber information | Unauthorized access: modification by unauthorized party | High | Cracker: Medium; Professional: Medium; Insider: Low; Consumer: Low
Transaction information | Unauthorized access: disclosure to unauthorized party | High | Cracker: Medium; Professional: Medium; Insider: Low; Consumer: Low
Transaction information | Unauthorized access: modification by unauthorized party | High | Cracker: Medium; Professional: Medium; Insider: High; Consumer: Low

Security and Protection Mechanisms


“Content security” offers a higher level of protection for content works than “content protection”,
which lacks policies to ensure physical security of end systems, trained personnel who are
motivated to follow security procedures, and auditable processes that find and correct
vulnerabilities. Such security mechanisms and procedures offer a higher level of security than the
content protection mechanisms found on customers’ terminals. These mechanisms and procedures
can be implemented on distributors’ and producers’ networks but not in the consumer’s home. One
might argue that content protection is the technology used to protect content works on Terminals
and that the end-to-end distribution chain is no more secure than its weakest link. In some cases,
however, the content work that is provided to the terminal is not of the same quality or form as what
a content distributor stores on its servers and other systems. The content work may be provided to
certain terminals only in a lower resolution, or as a stream rather than as a file, or not before a
certain date. Thus, there are often very good reasons for the content distributor and producer to
offer a higher level of security for content works than is provided to the terminals of their
customers. These security mechanisms are described under separate bullets below.
 Strong identity and authentication. A state-of-the-art public key infrastructure, maintained
within a single enterprise or between enterprises, that uses at least 2048-bit keys which are
securely provisioned on end systems and managed by a certifiably secure credential system.
 Physical security of end systems. Servers, caches, hosts and other end systems that store
plaintext content works, or keys to encrypted content works, will be in a room or closet with
access restricted to authorized maintenance personnel.
 Documented and auditable security procedures. Personnel who manage the content security
system will follow documented security guidelines for access and use of the systems that
process plaintext content works or keys to encrypted content works.
 Integrity protection of files and streams. All content works will be uniquely identified in
plaintext format by a strong integrity protection system that is at least as strong as the
SHA-256 algorithm.
 Encryption of files and streams. The system should be capable of handling encrypted
versions of any plaintext content work in the form of a file or stream. An obvious exception
to this mandate is the case where content works are not encrypted as a matter of policy.
 Selectable level of security. The system should be robust enough to handle plaintext or
encrypted formats of content works, with replaceable algorithms and key sizes. The content
security system should easily accommodate content protection mechanisms such as
watermarking and other types of steganography.

Many of the above mechanisms are used by content protection and digital rights management
(DRM) systems with the exceptions of physical security of end-systems and the presence of trained
personnel who follow security procedures. Content protection and DRM systems make greater use
of steganography, such as digital watermarking, and tamper-resistant key stores. Throughout this
chapter of the document, both content security and content protection mechanisms are considered.

Content protection mechanisms

ASSET                   RISK                       SECURITY MECHANISM
Plaintext content work  Unauthorized modification  Integrity protection of files and streams
Plaintext content work  Unauthorized access        Encryption of files and streams
                                                   Content policy specification
                                                   Selectable security level
Encrypted content work  Unauthorized access        Strong identity and authentication
                                                   Physical security of end-systems
                                                   Documented/auditable security system
Content work            Denial of service attack   See network security mechanisms

In cases where the provider of a content work does not trust the security or practices of the recipient
of the work, “content protection” mechanisms raise the bar to illegal or unauthorized uses. These
mechanisms are discussed under separate points below.
 Ease and simplicity of use. According to the “Darknet” paper, cumbersome and intrusive
protection mechanisms encourage circumvention of protection mechanisms and
unauthorized access to content works [Darknet]. It is therefore important that Terminal
applications make it very easy for works to be accessed by the consumer in the desired ways
but very hard to access works in unauthorized ways. For this to have the desired effect, the
types of authorized access need to meet the customer’s needs and expectations.
 Limited exposure of plaintext content works. Terminal, intermediate, and server systems
should be capable of processing encrypted content works to the latest point in the rendering
process. This of course is an unnecessary requirement for unencrypted works, but all
systems that handle content works should be designed to send, receive, and store encrypted
images of those works.
 Integrity protection. The system needs some means to distinguish an authorized copy of a
digital content work from a modified or derived work.
 Stream-level encryption. Limited exposure of a content work in the form of a stream entails
stream-level encryption in which the work is encrypted at the point of transport and
decrypted prior to rendering at the terminal.
 File-level encryption. Limited exposure of a content-work contained in a file entails file-
level encryption in which the content work can be downloaded or streamed while encrypted
as done in the MPEG-4 Encryption and Authentication standard [ISMACRYP].
 Content policy specification. The types of access that the residential customer is authorized
to perform needs to be specified. This may be specified per content work, such as an XrML
rights specification that is bound to a particular content work. Or it can be bound to a class
of content works or the entire service, as is done in Apple iTunes™.
 Protected outputs. Terminal systems that process encrypted content works must support
protected outputs such as HDCP, DTCP, and other standards that are appropriate to the type
of interface.
 Digital watermarking. Forensic and copy-control watermarks are two types of content-level
protection mechanism that are widely used today. Systems that process a watermarked
content work must preserve the watermark up to and including Terminal rendering.
 Protected key store. All keys need appropriate protection, and a scalable level of protection
needs to be supported. Home theatre systems that process newly released movies, for
example, may need keys stored on a tamper-resistant secure processor or separate token card.
At the other extreme are content works distributed for use on PCs, as is the case for
practically all music titles today, where a secure co-processor is not generally available.
Thus, high-value content works such as newly released movies are unlikely to be licensed for
use on a PC today or in the near future. On a PC, the keystore should at least be inaccessible
using the facilities of the operating system, such as a text editor. In general, the keys to
valuable content works in the earlier phases of their release window will likely require
hardware-level protections such as a co-processor that does not expose keys on the bus or in
system memory.
 Scalable level of protection. Not all works need to be encrypted or watermarked and not all
works that are encrypted need to be encrypted in the future. The Terminal, intermediate and
server systems that process content works should support a variety of policies and
mechanisms for content protection including no content-protection mechanisms at all.
Possibly the only mechanism that is universally desirable for digital content works is
integrity protection, which is a content-security mechanism discussed above.
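The protected key store described above and the key ladder defined in the glossary (a master key for the work, a key-encrypting key for the master key, and an identity key that protects the key-encrypting key), carried through as an added example. This is illustration code written for this page; it is not code from the contribution, from ISMACryp or from any product. Its cipher is a constructed HMAC-SHA256 keystream with an encrypt-then-MAC tag so that it runs on the Python standard library alone (real systems use AES), and the names TerminalKeystore, headend_package, terminal_render, the sample identity key and the sample content are all invented for the example. It shows the properties the text asks for: plaintext appears only at the last rung of the ladder, a tampered stream fails its integrity check before anything is decrypted, and a terminal holding another household's identity key cannot unwrap the key-encrypting key.

```python
"""Three-level key ladder with the identity key held in a terminal key store.

Added example for illustration only. The symmetric cipher below is a constructed
HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag; it exists so the
example runs on the standard library. Production CAS/DRM systems use AES.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one ladder key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (constructed for this example)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def wrap(key: bytes, data: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    enc, mac = _subkeys(key)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc, nonce, len(data))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a tampered blob never yields plaintext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc, mac = _subkeys(key)
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


class TerminalKeystore:
    """Models the protected key store: the identity key is set once and the only
    operation offered to the rest of the terminal is unwrapping a KEK with it."""

    def __init__(self, identity_key: bytes) -> None:
        self._identity_key = identity_key

    def unwrap_kek(self, wrapped_kek: bytes) -> bytes:
        return unwrap(self._identity_key, wrapped_kek)


def headend_package(identity_key: bytes, content: bytes) -> Dict[str, bytes]:
    """Head-end side: fresh master key and KEK per package, each rung wrapped by the one above."""
    master_key = os.urandom(32)
    kek = os.urandom(32)
    return {
        "wrapped_kek": wrap(identity_key, kek),     # identity key protects the KEK
        "wrapped_master": wrap(kek, master_key),    # KEK protects the master key
        "stream": wrap(master_key, content),        # master key protects the work itself
    }


def terminal_render(keystore: TerminalKeystore, package: Dict[str, bytes]) -> bytes:
    """Terminal side: walk the ladder down; plaintext appears only at the last step."""
    kek = keystore.unwrap_kek(package["wrapped_kek"])
    master_key = unwrap(kek, package["wrapped_master"])
    return unwrap(master_key, package["stream"])


def render_outcome(keystore: TerminalKeystore, package: Dict[str, bytes]) -> str:
    """'ok' if the work renders, otherwise the reason the ladder refused."""
    try:
        terminal_render(keystore, package)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample: a device-unique identity key and a short stand-in for a stream.
HOUSEHOLD_IDENTITY_KEY = hashlib.sha256(b"example terminal identity key").digest()
SAMPLE_CONTENT = b"constructed sample content stream, not a real title"

if __name__ == "__main__":
    pkg = headend_package(HOUSEHOLD_IDENTITY_KEY, SAMPLE_CONTENT)
    print(render_outcome(TerminalKeystore(HOUSEHOLD_IDENTITY_KEY), pkg))
```

The design point is that each rung is authenticated before it is decrypted: a modified stream, a substituted master key or a key-encrypting key addressed to a different terminal all stop at the tag check, so the only place plaintext exists is the rendering step, matching the "limited exposure" requirement above.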

Network security mechanisms

ASSET                             RISK                       SECURITY MECHANISM
Network bandwidth                 Denial of service          Firewalled perimeter
                                  Unauthorized use
Network messages                  Unauthorized access        Firewalled perimeter
                                                             Access controls
                                  Unauthorized modification  VPN
                                                             Access controls
                                  Replay                     VPN
Routers and intermediate systems  Denial of service          Firewalled perimeter
                                  Unauthorized use           Access controls
                                                             Intrusion protection
                                                             Documented and auditable security procedures
Network service information       Unauthorized disclosure    Access controls
                                  Unauthorized modification  Integrity protection
                                                             Documented and auditable security procedures

Network security has a set of widely used and commercially available mechanisms that include
firewalls, end-system access control, intrusion detection, secure end-systems, certified intermediate
systems, and virtual private networks. There is often a trade-off between security and performance
in an IPTV system, and transport security is often redundant with security applied at the
application layer. For example, if encryption and integrity protection are applied to a content work,
then there is less of a requirement for securing network messages. In the core and even in the
access network, a VPN often provides more protection than is needed and is a drain on system
performance.
The security requirements also differ depending on the type of network. As shown in the Assets,
Risks and Threats tables of the preceding chapters, the severity of the risk to a network asset differs
between core, access and home network. For example, the home network is less of a target for
denial of service; it is much more effective instead to target shared resources that affect many users
and large web sites rather than a single home network.
The basic security mechanisms are similar between different types of networks. Devices on a home
network may use VPNs (virtual private networks) between home network devices. And home
gateways need access controls as do core routers. These mechanisms are discussed below.
 Firewalled perimeter. Access to all networks should be through a packet filtering firewall.
In some cases, an application-layer firewall or gateway may also be needed. In particular,
the perimeter of the core network should be protected by firewalls to restrict access to
authorized devices and networks.
 Access controls. Access controls are needed on network devices, multicast streams, and
media files. Device access controls serve to authorize access both at the console as well as
over a network. For devices, strong passwords are needed at minimum and two-factor
authentication, such as by password and token device, is preferred; this is particularly true of
security critical devices such as core routers, servers and intermediate systems. Multicast
access controls perform authorization on receiving devices that attempt to join the multicast
group and or senders who attempt to send to a multicast group. File access controls require
authorization as a pre-requisite to decrypting or receiving a file.
 VPN (Virtual Private Network). On some networks, it is desirable to use an encrypted and
integrity protected connection between devices or between Terminal application programs.
On IPTV core and access networks, however, the overhead of VPNs is often inconsistent
with the performance demands of IPTV applications and unneeded when content-level
security is used. On these networks, packet-filtering firewalls are preferred to VPN tunnels
between devices.
 Intrusion detection and prevention. When intrusion by hackers or professionals is
considered to be a major threat, intrusion-control mechanisms may be used on access
networks. These systems correlate access patterns with known types of attack and take
defensive actions.
 Integrity protection. Records and other information that are critical to network
configuration, management, and operation typically need to be integrity protected on the
device as well as on the network.
 Documented and auditable security procedures. Personnel who manage the network system
need to follow documented security guidelines for access and use of the systems that process
plaintext content works or keys to encrypted content works.

Terminal protection mechanisms

ASSET               RISK                                       SECURITY MECHANISM
Terminal locality   Unauthorized relocation of fixed-location  End-system localization
                    device                                     Visible fingerprinting
                    Unauthorized sharing of mobile device      Household localization
Processor and disk  Unauthorized access such as by malware or  Signed code
                    remote access                              Secure bootloader
                                                               Secure keystore
                                                               Network access controls
Terminal interface  Circumvention of content protection        Approved copy-protected outputs
                    controls through a Terminal interface      Approved outputs to authenticated devices

When content works are licensed to a household, it is desirable that the content work be accessible
only by members of the household or visitors to the household. In an extreme and probably rare
case, a fixed-location device might be moved outside of a household. Or the secret identity key that
identifies and authenticates the device is copied to a remote device, possibly to circumvent regional
controls on broadcast content or simply to share content works beyond the household. It also might
threaten the provider’s business model if content works are shared across a home network to
another home network. “Localization mechanisms” address these threats by associating a Terminal
with a household. Localization can be done once at the time of Terminal installation by an installer,
or it can be done by the consumer, possibly over the telephone. Often localization can be
accomplished by a physical procedure involving a dongle or a Bluetooth device that requires
physical proximity. Localization also applies to mobile devices. A localization of a mobile device,
for example, might require that the device be brought back into the home periodically where it
automatically registers with a proxy or other fixed-location device in the household. These
localization techniques are listed in the table below.

Method Localization
Installation Employee of IPTV service installs device in subscriber’s home.
Telephone Subscriber enrols device over the phone through a provider’s interactive voice response
system to identify a device as belonging to the subscriber or subscriber’s household.
Dongle Subscriber uses a USB drive or other dongle device to identify the device as belonging to the
subscriber or household.
Proxy A device such as a settop device, network gateway or modem associates multiple devices
using some localization method such as a dongle or Bluetooth.

Localization is of interest to a number of content business models. It is important to note, however,
that the greatest security threats on the Internet today are from malware such as computer viruses
and Trojan horses that the user unknowingly installs on their personal computer. If the Terminal
device downloads executable code such as Java, it will be exposed to malware attacks, which can
propagate throughout the home network and the IPTV network. The IPTV provider can mitigate
this threat by not supporting downloadable executables or by requiring that all Terminal software be
signed code: a hash of the software is signed by the provider and the signature is checked by the
Terminal before the code is installed or executed. This procedure would be implemented by the secure
bootloader, under which all software and keys are integrity protected and securely downloaded to the
device, which checks their integrity and performs the necessary decryption. These keys will
typically be kept in secure storage in which the identity key and key-decrypting keys are not exposed
on external interfaces such as a system bus. In some cases, even content decryption keys might be
stored this way. Given such variability in the security capabilities of Terminal devices, some means
may be needed to communicate the secure key-storage capabilities of the device at the time of
bootloading.
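The signed-code check described above, as an added example that is not part of the contribution. The provider signs a manifest of SHA-256 component hashes; the Terminal, holding only the provider's public key, verifies the manifest signature and then every component hash before anything is allowed to run. The RSA arithmetic is textbook (unpadded) over a toy modulus built from two Mersenne primes so that the example runs offline without a cryptography library; that construction is not a secure signature scheme and stands in for PKCS#1 v1.5 or PSS signatures with a 2048-bit key whose certificate chains to the provider's PKI. The manifest format, the function names and the sample component bytes are assumptions made for the example.

```python
"""Secure-bootloader signed-code check: manifest signature, then per-component hashes.

Added example for illustration only. The key pair is toy RSA over p*q with p, q
Mersenne primes, and the hash is reduced into the modulus instead of padded; both
are shortcuts so this runs on the standard library. Do not reuse them in a product.
"""
import hashlib
from typing import Dict, Tuple

# Toy key material (assumed values for the example).
_P = 2**89 - 1            # Mersenne primes, so no primality test is needed here
_Q = 2**107 - 1
PUBLIC_N = _P * _Q        # provisioned on the Terminal together with PUBLIC_E
PUBLIC_E = 65537


def _modinv(a: int, m: int) -> int:
    """Extended Euclid; a and m are coprime for the values used here."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


_PRIVATE_D = _modinv(PUBLIC_E, (_P - 1) * (_Q - 1))   # never leaves the provider


def _digest_int(data: bytes) -> int:
    # SHA-256 reduced into the toy modulus; a real scheme pads rather than reduces.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % PUBLIC_N


def build_manifest(components: Dict[str, bytes]) -> bytes:
    """Provider side: one 'name sha256hex' line per component, sorted for a canonical form."""
    lines = [f"{name} {hashlib.sha256(blob).hexdigest()}"
             for name, blob in sorted(components.items())]
    return "\n".join(lines).encode()


def provider_sign(manifest: bytes) -> int:
    """Provider side: sign the manifest digest with the private exponent."""
    return pow(_digest_int(manifest), _PRIVATE_D, PUBLIC_N)


def bootloader_check(components: Dict[str, bytes], manifest: bytes,
                     signature: int) -> Tuple[bool, str]:
    """Terminal side: nothing runs unless the signature and every hash check out."""
    if pow(signature, PUBLIC_E, PUBLIC_N) != _digest_int(manifest):
        return False, "manifest signature invalid"
    expected = {}
    for line in manifest.decode().splitlines():
        name, hexdigest = line.split(" ", 1)
        expected[name] = hexdigest
    # An unlisted component (or a missing one) is as fatal as a modified one.
    if set(expected) != set(components):
        return False, "component set does not match manifest"
    for name, blob in components.items():
        if hashlib.sha256(blob).hexdigest() != expected[name]:
            return False, f"hash mismatch: {name}"
    return True, "ok"


# Constructed sample images; real components would be the stage-2 loader and the IPTV client.
SAMPLE_COMPONENTS = {
    "bootloader-stage2": b"constructed stage-2 image bytes",
    "iptv-client": b"constructed IPTV client application bytes",
}
SAMPLE_MANIFEST = build_manifest(SAMPLE_COMPONENTS)
SAMPLE_SIGNATURE = provider_sign(SAMPLE_MANIFEST)

if __name__ == "__main__":
    print(bootloader_check(SAMPLE_COMPONENTS, SAMPLE_MANIFEST, SAMPLE_SIGNATURE))
```

Signing a manifest rather than each image separately lets the Terminal reject a downgrade or an injected extra component, not just a modified one: the set of names is part of what was signed, so an unsigned plugin dropped beside the legitimate images fails the check even though its own bytes are untouched.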
In addition to signed code and secure bootloading, network access to the Terminal device needs to
be strictly controlled and authorized by the Terminal and the IPTV provider. A secure connection
such as a VPN connection may serve the purpose of authenticating and authorizing remote access to
the device.
In addition to controlling inputs to the Terminal such as code and remote commands, rights holders
of content works typically require that outputs be protected as well. An “approved output” is an
interface that has appropriate encryption and integrity protection. These mechanisms are specific to
the interface device. High-bandwidth Digital Content Protection (HDCP) is used for High
Definition Multimedia Interface (HDMI) devices, Digital Transmission Content Protection
(DTCP) is used on USB and IEEE 1394 devices, and CPRM is used for recordable DVDs, to name
only a few.

Subscriber security mechanisms

ASSET                    RISK                       SECURITY MECHANISM
Subscriber information   Unauthorized access        Terminal access control
                         Unauthorized modification  Transaction VPN
Transaction information  Unauthorized access        Integrity protection of subscriber and
                         Unauthorized modification  transaction information

As described in the previous chapter, access to the terminal over the network needs to be strictly
controlled to prevent unauthorized remote access to subscriber information. Depending on the
nature of the service, it may also be desirable to restrict local access to the subscriber’s information
from the Terminal console, if the terminal device has one. In general, it is prudent to use encrypted
and integrity-protected connections (such as a VPN) between the Terminal and the service
provider’s equipment when information about the subscriber and the subscriber’s transactions is
carried over the network.

Acknowledgements
Glossary

AACS  Advanced Access Content System for DVD and network media, see
      http://www.aacsla.com/home

Asset  A data resource or property that is of value to the supplier, distributor, or consumer in the
       content-work distribution chain.

AVC  H.264/AVC codec and payload type.

CAS  Conditional access service that controls access to a service by excluding non-subscribers to
     the service.

CE  “Consumer electronic” or “consumer electronics”.

CPRM  Content Protection for Recordable Media standard for writable DVDs.

Content protection  Mechanisms that control access to a content work when the end device is not
                    physically secured or under the control of personnel who are trained and
                    managed to obey a set of security procedures.

Content security  Mechanisms that control access to a content work when the end-system devices
                  are physically secured and/or managed by trained personnel who are trusted to
                  follow security procedures.

Content title  See “Content work”.

Content work  A video, musical or other work, which is typically copyrighted and distributed as a
              stream or file.

Distribution chain  The sequence of networks and devices that span one or more businesses and
                    terminate in a household that is a subscriber of the last business in the
                    distribution chain. Content works, subscriber information, network data, and
                    other resources are stored and transmitted across the distribution chain.

DRM  Digital rights management is a technology for rights transfer between a business and a
     consumer or consumer household for a copyrighted title. In general, any system that protects
     content independently of its transmission or storage format is termed “DRM”. This paper
     uses a narrow definition of rights transferral between two entities, the provider and the
     consumer/customer.

DTLA  Digital Transmission Licensing Administrator, see http://www.dtcp.com/

DTCP  Digital Transmission Content Protection specification of the DTLA.

DVD CCA  DVD Copy Control Association, see http://www.dvdcca.org/

File encryption  An MPEG-4, QuickTime or other media file containing ciphertext media and
                 plaintext metadata. Files that are enveloped using Cryptographic Message Syntax
                 (CMS) may be encrypted as well as integrity-protected using CMS, but CMS does
                 not leave certain parts of the file in plaintext, such as plaintext metadata.

HDCP  High-bandwidth Digital Content Protection standard for link-level authentication and
      encryption over HDMI.

HDMI  High Definition Multimedia Interface for uncompressed audio/video streams including
      standard, enhanced, and high-definition video.

Household  A set of devices associated with a subscriber and authorized to play certain titles
           depending on the business model and DRM of the title provider.

Identity key  An RSA or some other key that allows an entity to prove that it is in possession of a
              secret, such as the private key belonging to an RSA public/private keypair.

Indemnification  A fine or fee that is incurred when a device vendor fails to comply with its
                 agreement with a License Authority.

Internet content provider  An aggregator or other content distribution business that does not
                           necessarily own the network or access network to their customers’ homes
                           nor control their customers’ end-systems.

IPTV  TV services over Internet Protocol include the distribution of content works at any point in
      the distribution chain regardless of whether every point in the distribution chain uses IP
      transport.

Key ladder  A set of related keys with a “master key” to access a stream or file, a “key-encrypting
            key” to access a master key, and “identity keys” used to encrypt, sign, or decrypt the
            key-encrypting key.

KMS  Key Management Service for establishing a key ladder in a device.

License authority  A body that licenses devices that comply with a particular specification or set of
                   specifications.

Licensed content  See “Licensed data”.

Licensed data  Data from a copyrighted work that are restricted by prevailing law to reside or be
               rendered on a licensed device.

Licensed device  A device that complies with the specifications or requirements of a particular
                 license authority.

LMI LLC  Licensed Management International, LLC is a professional device licensing business that
         administers the licensing associated with a particular content protection standard such
         as CPRM.

Robustness  A property of a device that makes it difficult to circumvent its access controls or to
            gain access to device secrets, such as its identity key. A device that can be revoked or
            that can be renewed with a new secret is also said to be “robust”.

RTCP  The control protocol for RTP.

RTP  Real-time Transport Protocol.

RTSP  Real-Time Streaming Protocol.

SDP  Session Description Protocol.

SRTP  Secure Real-time Transport Protocol.

Stream  A sequence of packets carrying video or other continuous-time media that is typically
        rendered upon reception or else stored using a media ingestion system.

Title  See “Content work”.

Value chain  See “Distribution chain”.

References
[Content Guard] ContentGuard Licensing, http://www.contentguard.com/patents.asp
[DVBCPCM] DVB Copy Protection and Copy Management, http://www.dvb.org/technology/dvb-cpcm/
[Darknet] P. Biddle et al., “The Darknet and the Future of Content Distribution”, 2002,
http://msl1.mit.edu/ESD10/docs/darknet5.pdf
[DVBCA] ETSI ETR 289 ed.1 (1996-10): “Digital Video Broadcasting (DVB); Support for use of scrambling
and Conditional Access (CA) within digital broadcasting systems”
[ISMACRYP] ISMA 1.1 Encryption and Authentication, Internet Streaming Media Alliance, 2006
[Lieberfarb] W. Lieberfarb, private communication, 2005
[MPEG-LA] MPEG License Authority Programs in Development, DRM, http://www.mpegla.com/pid/drm/
[MVV] A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press,
1997
[OMADRM2] Open Mobile Alliance DRM Version 2,
http://www.openmobilealliance.org/release_program/drm_v2_0.html
[WAX] R.J. Anderson et al., “Secure Books: Protecting the Distribution of Knowledge”,
http://www.cl.cam.ac.uk/~rja14/Papers/wax-securebook.pdf
[Marks & Turnbull] D.S. Marks, B.H. Turnbull, “Technical protection measures: The intersection of
technology, law, and commercial licenses”, Workshop on Implementation Issues of the WIPO Copyright
Treaty (WCT) and the WIPO Performances and Phonograms Treaty (WPPT), World Intellectual Property
Organization, Geneva, December 6 and 7, 1999,
http://www.wipo.org/eng/meetings/1999/wct_wppt/pdf/imp99_3.pdf

___________