iVG, VGS and DRM

Overview
Sridhar S

Confidential ©NDS Ltd 2007. All rights reserved.


Agenda

• iVG
• VGS
• DRM



What is iVG?

iVideoGuard (iVG) is an add-on to NDS VideoGuard. The purpose of iVG is to enhance interactive television systems by:
• Providing CA awareness for interactive applications
• Providing end-to-end return path security
• Managing the storage of application data on the STB
• Forwarding application data from the STB over the return path to the headend
• Providing the facility for applications to adapt themselves to the profile of the individual subscriber
• Providing operator control over STB activity and memory usage
iVG is deployed both on the headend side as well as the STB



iVG - Features

• Conditional Access for Interactive (CA4iTV)

• Individualization

• Controlled and Secure Return Path (CRP/SRP)

• Secure Store and Forward (SSF)

• iVG BMail, Application Signing, ICO



iVG – CA4iTV

• Data (interactive application files) may be scrambled and assigned CA criteria
• Rules for primary and secondary components (A/V vs. data)
• Interactive applications have an API for obtaining CA statuses of the currently tuned-to service as well as other services (via iECMs)
• Interactive applications have an API for checking points of decision, purchasing, PIN entry



iVG - Individualization

• An API for interactive applications obtains values for various subscriber profile data from the smart card (e.g., sub ID, card ID, zip code, region bits)
• An example of such an application is the weather report displaying regional forecasts

(Figure caption: Automatically determine viewer’s location)



iVG – CRP/SRP

• Controlled or Secure Return Path
• Real-time return path allowing interaction between the interactive application in the STB and an HTTP application server
• The segment of the return path between the STB and iChannel proxy may be non-secure (CRP) or secure (SRP)
• Authentication of Client and Server
• Encrypted and Signed Messages
• Examples of applications include voting, shopping, and banking



iVG - SSF

• Data may be stored to STB memory in the form of files and may be accessed from these files. Storage/access parameters are defined in an accompanying certificate
• Storage is encrypted, giving complete privacy of data
• The advantage of forwarding over the real-time return path is that many messages are consolidated into one phone call
• The phone calls can be evenly spread over a defined period of time
• Forwarding is over a secure line, similar to SRP



iVG – BMail, Application Signing, ICO

• BMail
– Same BMail functionality as in VideoGuard, but with a simpler API for Interactive Applications
• Application Signing (only MH Core)
– Extra security with 3rd party Application Providers
• ICO
– Manages application-specific resources as an iVG Config Object
– Provides application access to resources via URI-based queries
– Provides the application with the ability to query embedded iECMs



iVG – Headend Components

• RADIUS Server: network authentication of incoming calls using CHAP based on NDS smart card/iSSH CHAP secrets. CAMC provides the RADIUS server with information about currently authorized cards.
• iChannel: Return path proxy. Used for CRP, SRP, and Forward.
– Provides walled garden validation of incoming requests and their security settings
– Provides authentication/encryption service in the case of SRP
• iVG Console: iVG management system
• iVG Config Server: Component responsible for generating the iCO (iVG Config Object) file and transferring it to the iPlayer
• Databases: 3 database schemas: RADIUS, iVG Config, TSS
• TSS: Transaction Server. Supports transaction monitoring of the iVG system. TSS can also be used as an application server, for example, logging votes for a voting application.
• FS^3 / SQUAD: Accessed by iVG Config for signing Store & Forward certificates
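The RADIUS/CHAP step described above, as an added example that is not part of the original deck and not NDS code: a minimal Go model of the headend RADIUS server challenging an incoming call, the card answering with the CHAP computation from RFC 1994 (MD5 over identifier, secret and challenge), and the server accepting only when the response matches and CAMC currently lists the card as authorized. The card IDs and secrets are constructed, and the Provision, SetAuthorized and Dial names are assumptions; the real CAMC feed and iSSH secret handling are not described on the page.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// chapResponse is the CHAP computation from RFC 1994, used identically by the
// card and by the RADIUS server: MD5(identifier || secret || challenge).
func chapResponse(id byte, secret, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{id})
	h.Write(secret)
	h.Write(challenge)
	return h.Sum(nil)
}

// cardRecord is what the headend knows per card: the CHAP secret from
// provisioning and the authorization state that CAMC reports (assumed model).
type cardRecord struct {
	secret     []byte
	authorized bool
}

// RadiusServer is a minimal stand-in for the headend RADIUS server.
type RadiusServer struct {
	cards map[string]cardRecord
	next  byte // CHAP identifier counter
}

func NewRadiusServer() *RadiusServer {
	return &RadiusServer{cards: map[string]cardRecord{}}
}

// Provision registers a card's CHAP secret (the card is not yet authorized).
func (s *RadiusServer) Provision(cardID string, secret []byte) {
	s.cards[cardID] = cardRecord{secret: secret}
}

// SetAuthorized is the CAMC feed in this model: which cards may connect right now.
func (s *RadiusServer) SetAuthorized(cardID string, ok bool) {
	if rec, known := s.cards[cardID]; known {
		rec.authorized = ok
		s.cards[cardID] = rec
	}
}

// Challenge starts an exchange with a fresh identifier and a random challenge.
func (s *RadiusServer) Challenge() (byte, []byte) {
	s.next++
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return s.next, c
}

// Verify decides the call: unknown or de-authorized cards are refused before
// the MD5 is even compared, and the comparison itself is constant-time.
func (s *RadiusServer) Verify(cardID string, id byte, challenge, response []byte) bool {
	rec, known := s.cards[cardID]
	if !known || !rec.authorized {
		return false
	}
	return subtle.ConstantTimeCompare(chapResponse(id, rec.secret, challenge), response) == 1
}

// SmartCard is the STB side: it holds the secret and only ever emits responses.
type SmartCard struct {
	ID     string
	secret []byte
}

func (c *SmartCard) Answer(id byte, challenge []byte) []byte {
	return chapResponse(id, c.secret, challenge)
}

// Dial runs one incoming-call authentication and returns the server's verdict.
func Dial(s *RadiusServer, c *SmartCard) bool {
	id, challenge := s.Challenge()             // server -> STB: CHAP Challenge
	resp := c.Answer(id, challenge)            // STB -> server: CHAP Response, card ID as the CHAP name
	return s.Verify(c.ID, id, challenge, resp) // server -> STB: Success or Failure
}

func main() {
	s := NewRadiusServer()
	s.Provision("card-0001", []byte("constructed-secret")) // constructed sample card
	s.SetAuthorized("card-0001", true)                     // CAMC reports the card as live
	card := &SmartCard{ID: "card-0001", secret: []byte("constructed-secret")}
	fmt.Println("authorized card accepted:", Dial(s, card))
	s.SetAuthorized("card-0001", false)
	fmt.Println("after CAMC revocation:", Dial(s, card))
}
```

The split between Verify's two checks is the point of the slide: CHAP only proves that the caller holds the card's secret, while whether that card is currently entitled to dial in is a separate fact that CAMC supplies, so revoking a card at CAMC closes the network path without changing any secret.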



Agenda

• iVG
• VGS
• DRM



Why was VGS developed?

• Designed for cable and IPTV markets
– Telcos don’t like smart cards – they run networks and don’t believe smart cards are necessary on a 2-way network where they provide the service protection
– STB costs could be reduced
– Total system cost could be reduced
– Feature upgrades were easier
– System could be upgraded without mailing
– All keys were communicated in a secure channel



What is VGS?

• A CA STB security solution that does not make use of a smart card
• For STBs that rely upon a dependable, bi-directional network infrastructure
– One-way networks need to store entitlements securely on the STB
– Two-way networks can store entitlements on the head-end and supply them to the STB on request
• Relies on a head-end security server and a secure chip in the STB
• Designed to co-exist on a network that supports smart card based security and SimulCrypt
• VGS utilizes K-LAD technology implemented within existing decoders to implement SAC (Secure Authenticated Channel)
– Now implemented by Broadcom, Conexant, Sigma, ST with others pending



VGS - Security

• Each device uses a standard Video Processor Chip with a unique Private Key embedded in silicon (OTP)
• The Video Processor in the device will ONLY accept encrypted keys, controlled by a burned unique ID (in silicon chip fuses) and NDS K-LAD (3-tier key ladder utilizing either Triple-DES or AES)
• NDS has developed and installed Serialization Tools at major silicon manufacturers for burning OTP unique keys
• VGS Server manages Security Groups
– Each security group holds 20,000 devices
– Business models & key generation are managed within the headend and not within the consumer premise device



VGS – Security Contd…

• Each VGS headend server contains unique Smart Card Chip(s) and an FPGA
– Customer-specific security, avoids domino effect
– Hardware security (in H/E) is replaceable without affecting the rest of the system
• VGS does not rely upon software to retrieve the decryption key from secure memory, which must usually pass over a readable memory bus
• NDS Operational Security certifies K-LAD implementations
– NDS Operational Security audits OTP serialization facilities, K-LAD implementations on Video Processors, and STB design
• VGS does not perform DRM (business logic, key management, monetization) within consumer premise equipment
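The two VGS security slides above describe a 3-tier key ladder rooted in an OTP key that software on the box never reads. As an added illustration, not code from the deck or from NDS, here is a simplified Go model of that arrangement: the headend, which knows each serialized device's root key, wraps three keys so that only the chip holding the matching root can unwrap them, and the software on the STB only ever handles the wrapped blobs. AES-128 single-block operations stand in for the real K-LAD primitives, every key value is constructed, and the Chip, Ladder, HeadendWrap and Scramble names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const keyBytes = 16 // AES-128: every ladder tier is exactly one 16-byte block

// aesBlock runs one single-block AES operation. Each tier's key is one block,
// so the unwrap steps need no mode of operation (assumed simplification).
func aesBlock(key, in []byte, encrypt bool) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, keyBytes)
	if encrypt {
		blk.Encrypt(out, in)
	} else {
		blk.Decrypt(out, in)
	}
	return out
}

// Chip models the video processor. rootKey stands for the OTP value burned in
// fuses at serialization: it is private, never returned, and only the final
// control word leaves the "silicon".
type Chip struct{ rootKey []byte }

func NewChip(otpRoot []byte) *Chip {
	return &Chip{rootKey: append([]byte(nil), otpRoot...)}
}

// Ladder is everything the headend transmits: three wrapped blobs, no plaintext key.
type Ladder struct{ EK1, EK2, ECW []byte }

// Unlock walks the three tiers: EK1 under root gives K1, EK2 under K1 gives K2,
// ECW under K2 gives the control word. The intermediates never leave this method.
func (c *Chip) Unlock(l Ladder) []byte {
	k1 := aesBlock(c.rootKey, l.EK1, false)
	k2 := aesBlock(k1, l.EK2, false)
	return aesBlock(k2, l.ECW, false)
}

// HeadendWrap mirrors the chip on the server side. The VGS server is assumed to
// know each device's root key from serialization and wraps the per-tier keys so
// that only that one chip can unwrap them.
func HeadendWrap(rootKey, k1, k2, cw []byte) Ladder {
	return Ladder{
		EK1: aesBlock(rootKey, k1, true),
		EK2: aesBlock(k1, k2, true),
		ECW: aesBlock(k2, cw, true),
	}
}

// Scramble applies AES-CTR under the control word; the same call descrambles.
// The nonce is a constructed value standing in for a real transport's IV.
func Scramble(cw, nonce, data []byte) []byte {
	blk, err := aes.NewCipher(cw)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(blk, nonce).XORKeyStream(out, data)
	return out
}

// Demo runs one provisioning round: does the serialized chip recover the
// content, and does a chip with a different root key fail to?
func Demo() (legitOK, rogueBlocked bool) {
	// Constructed sample values; real keys are random and never constants.
	root := bytes.Repeat([]byte{0xA1}, keyBytes)
	k1 := bytes.Repeat([]byte{0xB2}, keyBytes)
	k2 := bytes.Repeat([]byte{0xC3}, keyBytes)
	cw := bytes.Repeat([]byte{0xD4}, keyBytes)
	nonce := bytes.Repeat([]byte{0x05}, keyBytes)
	content := []byte("constructed transport stream payload")

	ladder := HeadendWrap(root, k1, k2, cw)
	scrambled := Scramble(cw, nonce, content)

	legit := NewChip(root)
	rogue := NewChip(bytes.Repeat([]byte{0xFF}, keyBytes)) // different OTP root

	legitOK = bytes.Equal(Scramble(legit.Unlock(ladder), nonce, scrambled), content)
	rogueBlocked = !bytes.Equal(Scramble(rogue.Unlock(ladder), nonce, scrambled), content)
	return
}

func main() {
	ok, blocked := Demo()
	fmt.Printf("serialized chip descrambles: %v, foreign chip blocked: %v\n", ok, blocked)
}
```

Unlock returns the control word only so the example can compare results; in the arrangement the slides describe, the final key is consumed by the descrambler inside the chip, which is what keeps it off the readable memory bus. Changing the root key changes every unwrapped value, so the same Ladder is useless on any other device, which is the per-device binding that the serialization step buys.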



What is IPTV?
What is it not?

• IPTV offers “Pay TV” like service over two-way broadband networks such as
– ADSL
– VDSL
– Fiber
– WiMax, etc.
• Supplementary hybrid systems for VOD, download, nPVR
• Not entertainment delivered over the open Internet
– Streaming services (e.g. ESPN 360)
– Downloading services (e.g. iTunes)
– Video sharing platforms (e.g. YouTube)
– Peer to Peer applications (e.g. BitTorrent)



Agenda

• iVG
• VGS
• DRM



VideoGuard® Positioning

(Positioning diagram; labels only)
• CA – Service Protection
• DRM – Content Protection
• Devices shown: STB, PC, PMP, Mobile, Memory Card
• Standards-based Mobile DRM such as OMA and 18c



Service vs Content

SERVICE
• A broadcaster provides a service to his customers; this service needs protection
• Service is (among other things):
– On-going relationship with the customer (recurring revenue)
– Added value to the subscriber (EPG, DVR, Interactive, etc.)
– Keep your customer (Reduce Churn)

vs.

CONTENT
• A content provider wants to sell content to many people; this content needs protection
• Content selling is:
– No relationship with specific customer
– One-time revenue from specific user for specific content



DRM – What is it?

• Enables secure distribution, promotion and sale of digital content
• Content is controlled using a “rights” license
• The rights license describes the usage rules of the content
– Purchase, Preview, Rental, Metering, Gifting etc.
• The usage rules are enforced by a secured consuming device

(Diagram: Content and Rights go into the DRM Package, which yields Protected Content)
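The slide says a rights license carries usage rules and that a secured device enforces them. The Go example below is added here and is not a VideoGuard format or NDS code: it models a headend issuing a rights license authenticated with HMAC-SHA256 under a key shared with one device, and the device's enforcement point checking the MAC before anything else, then device binding, then the rental expiry, preview length and metered play count. The JSON field names, the rule encoding and the Issue, Device and MayPlay names are assumptions; Gifting is left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Rights is the usage-rule part of a license. The rule kinds follow the slide
// (Purchase, Preview, Rental, Metering); the encoding is an assumption.
type Rights struct {
	ContentID  string    `json:"content_id"`
	DeviceID   string    `json:"device_id"`   // license is bound to one device
	Model      string    `json:"model"`       // "purchase", "preview" or "rental"
	NotAfter   time.Time `json:"not_after"`   // rental: playback allowed until this time
	PreviewSec int       `json:"preview_sec"` // preview: seconds of content that may play
	MaxPlays   int       `json:"max_plays"`   // metering: 0 means unlimited
}

// License carries the encoded rights plus a MAC from the headend, so the device
// can reject rights that were edited after issue.
type License struct {
	Rights []byte
	MAC    []byte
}

func mac(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// Issue is the headend side: encode the rights and authenticate them under the
// key shared with the target device.
func Issue(deviceKey []byte, r Rights) License {
	enc, err := json.Marshal(r)
	if err != nil {
		panic(err)
	}
	return License{Rights: enc, MAC: mac(deviceKey, enc)}
}

// Decision is what the enforcement point hands to the player.
type Decision struct {
	Allow    bool
	LimitSec int // >0: the player must stop after this many seconds (preview)
	Reason   string
}

// Device models the secured consuming device: its identity, the shared key and
// a per-content play counter kept in its own storage.
type Device struct {
	ID    string
	key   []byte
	plays map[string]int
}

func NewDevice(id string, key []byte) *Device {
	return &Device{ID: id, key: key, plays: map[string]int{}}
}

// MayPlay is called once at the start of each playback attempt.
func (d *Device) MayPlay(l License, contentID string, now time.Time) Decision {
	// Authenticate before parsing: a forged or edited license never reaches the rule logic.
	if !hmac.Equal(mac(d.key, l.Rights), l.MAC) {
		return Decision{Reason: "license MAC mismatch"}
	}
	var r Rights
	if err := json.Unmarshal(l.Rights, &r); err != nil {
		return Decision{Reason: "malformed rights"}
	}
	if r.DeviceID != d.ID {
		return Decision{Reason: "license issued to another device"}
	}
	if r.ContentID != contentID {
		return Decision{Reason: "license is for different content"}
	}
	if r.MaxPlays > 0 && d.plays[contentID] >= r.MaxPlays {
		return Decision{Reason: "metered play count exhausted"}
	}
	switch r.Model {
	case "purchase":
		// no time limit
	case "rental":
		if !now.Before(r.NotAfter) {
			return Decision{Reason: "rental period expired"}
		}
	case "preview":
		d.plays[contentID]++
		return Decision{Allow: true, LimitSec: r.PreviewSec, Reason: "preview"}
	default:
		return Decision{Reason: "unknown business model " + r.Model}
	}
	d.plays[contentID]++
	return Decision{Allow: true, Reason: r.Model}
}

func main() {
	key := []byte("constructed-device-key") // constructed; shared by headend and device
	dev := NewDevice("stb-0001", key)
	now := time.Date(2007, 6, 1, 12, 0, 0, 0, time.UTC)
	lic := Issue(key, Rights{ContentID: "movie-1", DeviceID: "stb-0001", Model: "rental",
		NotAfter: now.Add(24 * time.Hour), MaxPlays: 2})
	fmt.Printf("%+v\n", dev.MayPlay(lic, "movie-1", now))
	fmt.Printf("%+v\n", dev.MayPlay(lic, "movie-1", now.Add(48*time.Hour)))
}
```

The order of checks is the design point: the MAC is verified over the raw bytes before they are parsed, so the rule logic only ever runs on rights the headend actually issued, and the play counter lives on the device because metering cannot be enforced from a one-time license alone.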



VideoGuard DRM Components

• VideoGuard Unified HeadEnd
– Includes CAS + DRM
• VideoGuard Key (VGKey)
– A hardware device that can be attached externally to an existing device to supply HW-based security such as secure storage for entitlements/keys (form factors: SIM, USB key, SD Card)
• VideoGuard TSK – Trusted Secure Kernel
– A security module integrated into a CE device that embeds CAS/DRM functionality
• VideoGuard TSP – Trusted Secure Player
– TSK + integrated secure player (video decoder/player)

(Diagram: Unified Headend comprising the VideoGuard DRM Server and the Existing CAS Headend; client stack: TV Application, Trusted Secure Player (TSP), Trusted Secure Kernel (TSK))



Questions?

Thank you
