Downloadable DRM in TEE
Sanjeev Verma, PhD
Samsung R&D Institute America,
San Jose
10/31/13 1
Trends & Challenges in Content Distribution Eco-System
Trends & Challenges
• Content distribution eco-system is becoming ubiquitous with the availability of mobile devices:
– Mobile devices such as smartphones, tablets and hybrids are increasingly becoming the preferred entry point in the content distribution framework.
– Multimedia traffic is emerging as the main driver for mobile traffic.
• Challenges:
– Secure distribution of the content to a large number of heterogeneous devices.
– Meet the commercial motivation of all the stakeholders in the content distribution eco-system.
Trend: Emergence of Mobile Devices As Point of Entry and Primary Screen
[Figure: home content-sharing diagram; labelled elements: Miracast (Wi-Fi wireless display), Link protection, DRM.]
• Mobile devices are becoming the primary screen:
– Driven by the availability of devices such as Chromecast and other solutions based on the Miracast and MHL standards.
– Better user experience for content sharing and discovery in the home.
• Better User Experience for content sharing and discovery in Home.
Trend: Pre-dominant Share of Video Traffic
Challenge: Heterogeneity
Source: 2013 Streaming Media Survey of 758 Media Industry Executives on Over-The-Top (OTT) Video and Security Trends.
Challenge: Fragmentation
11,868 distinct Android devices in 2013 compared to 3,997 in 2012.
(Source: OpenSignal.com)
Challenge: Security Assurance
Source: 2013 Streaming Media Survey of 758 Media Industry Executives on Over-The-Top (OTT) Video and Security Trends.
Commercial Motivation of Various Stakeholders in Content Distribution Eco-System
Content Rights Holders
• Increase Media Content monetisation through:
• Licensing dependent on usage policy and better reach of audience.
Content Aggregators and Service providers
• Monetisation through better user experience:
• Recurring Subscription or Pay per View of content packages.
OEMs
• Product sales through differentiation in user experience or content services:
• Faster time to market, lower BOM costs.
Issues
• Common Issues before stakeholders:
– How to support various business models requiring different content protection solutions?
– How to support heterogeneous devices and platforms?
– Certification & Security Assurance.
• Goal: Any Device, Anywhere
Multiple DRM Management Issue: Any Device, Anywhere
Multiple DRM Management: OEM Perspective
• Current implementation scenario for an OEM:
– Multiple versions of the same device to meet specific content protection needs of different service providers and eco-systems:
• Complex to manage a custom-made solution for every service provider and market.
– Support multiple DRM solutions in the device at manufacturing time:
• Costly option to support multiple DRM solutions in a single device.
OEM Motivations
• Motivations for an OEM:
– Support content protection mechanisms to meet business needs of various service providers/eco-systems at low cost.
– Minimize inventory management and cost of implementing content protection solution.
– Standardized certificate regime to ease content license acquisition.
• Goal:
– Anywhere at low cost.
Significant Preference for a Solution Based on a Single Content Security Platform
Source: 2013 Streaming Media Survey of 758 Media Industry Executives on Over-The-Top (OTT) Video and Security Trends.
Multiple DRM Management: Architectural Approaches
• Popular approaches:
– Eco-system Centric Approach
• An eco-system (or a service provider) supports multi-DRM solutions that work across a large number of devices implementing one or more DRM mechanisms approved in the eco-system:
– UV adopts this approach, where a device needs to support one of the several DRM systems adopted by an eco-system.
– Any Device: as long as all popular DRM solutions are supported in an eco-system.
– Device Centric Approach
• The alternative approach is device centric, where a device implements a generic secure trusted platform.
• The device can then download a DRM agent supported by the service provider or eco-system.
– Anywhere: works with any eco-system or service provider.
Downloadable DRM-Advantages
• Downloadable DRM:
– Advantages:
• Attractive for an end user, who could buy a device from a retailer and use it in an eco-system or service provider of his/her choice.
• Ability to support multiple markets in cost effective manner for an OEM.
• Ability to distribute content to multiple devices & platforms for Service Providers.
• Better reach of audience for Rights Holders.
Downloadable DRM Challenges
• Main challenge is the formulation of Comprehensive Security Framework specifications:
– Downloadable DRM mechanism needs specification of the secure trusted platform in the device satisfying the C&R requirements of the various DRM vendors and Content Providers.
– Needs a standardized certification regime:
• Every instance of the trusted platform needs to be certified as conformant and compliant.
• Rules need to be specified for the downloaded code, including where it is allowed to run.
Multiple DRM Management through GlobalPlatform
GlobalPlatform Enabled Multiple DRM Management
• GP Premium Content TF intends to address the following issues:
– Comprehensive Set of Security Features to support both downloadable and pre-integrated DRM solutions.
– Standardized APIs for trusted Video Path Access by multimedia applications.
– Certification and Compliance Regime.
[Figure: GlobalPlatform architecture diagram spanning the Rich Execution Environment (REE) and the Trusted Execution Environment (TEE); labelled elements: Media Player Application, TEE Client API, Communications stack, Messages, DRM TA, TEE, Platform/Hardware, Media Buffer, Media Buffer View, Media Playback, Link Control.]
Positioning of TEE
• TEE as a part of the Trusted Media Playback Platform provides:
– Isolated environment within the SoC for secure execution of tasks.
– Set of security features for robust DRM installation.
– Interface with other secure peripherals and elements to realize the trusted video rendering path.
[Figure: end-to-end trusted video rendering path; labelled elements: Streaming App, Browser, Watermark, Decrypt & Decode, Encrypt, Decrypt.]
Global Platform APIs for the query and validation of the End-to-End Trusted Video Rendering Path.
Remote Security Validation of the End-To-End Video Rendering Path.
TEE Role in Trusted Media Playback Platform
• TEE role in providing a secure end-to-end trusted video path:
– Complements the Trusted Media Playback platform by enabling robust DRM implementation and protecting assets such as:
• DRM App secrets and keys;
• License storage and management;
• Usage policy; and
• Account info.
– Interfaces with other components of the Multimedia Framework in secure and normal world:
• for media playback, scheduling and rendering;
• for secure download of the DRM module and integration with the rest of the multimedia framework.
– Provides static and dynamic attestation information for the various elements of the video rendering path in the device.
– Integrates with higher-level application layers such as HTML5 and W3C extensions for user interface.
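The licence-acquisition exchange across the REE/TEE architecture and the static/dynamic attestation role described above, as an added example that is not from this presentation or from GlobalPlatform: the DRM TA (simulated in-process, with an HMAC device key standing in for a device certificate) keeps keys and licences, the media player in the REE only relays messages, and the licence server validates the attested rendering path before deciding what it will license. Device id, key, claim names and the HD/SD policy are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample device key; a real device holds an asymmetric key under a
# device certificate provisioned into the TEE at manufacture.
DEVICE_KEYS = {"dev-0001": b"constructed-device-key-0001"}

class DrmTrustedApp:
    """Simulated DRM TA: keys and licences stay inside; the REE only sees reports."""
    def __init__(self, device_id, ta_version, certified_tee):
        self._key = DEVICE_KEYS[device_id]
        self._static = {"device_id": device_id, "ta_version": ta_version,
                        "certified_tee": certified_tee}
        self.licences = {}  # licence storage lives in the TA, not the media player

    def attest(self, link_protected, secure_decode):
        # Static claims (platform identity) plus dynamic claims (current path state).
        claims = dict(self._static, link_protected=link_protected,
                      secure_decode=secure_decode)
        msg = json.dumps(claims, sort_keys=True).encode()
        return {"claims": claims,
                "tag": hmac.new(self._key, msg, hashlib.sha256).hexdigest()}

    def install(self, licence):
        self.licences[licence["content_id"]] = licence

class LicenceServer:
    """Validates the attested rendering path before deciding what to license."""
    def issue(self, report, content_id):
        claims = report["claims"]
        key = DEVICE_KEYS.get(claims.get("device_id"))
        if key is None:
            return None  # unknown device
        msg = json.dumps(claims, sort_keys=True).encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, report["tag"]):
            return None  # report forged or modified on its way through the REE
        if not claims["certified_tee"]:
            return None  # platform not certified under the C&R regime
        hd_ok = claims["secure_decode"] and claims["link_protected"]  # HD needs both
        return {"content_id": content_id, "max_resolution": "HD" if hd_ok else "SD"}

def acquire_licence(ta, server, content_id, link_protected, secure_decode):
    """REE media player role: relay messages between TA and server, touch no keys."""
    report = ta.attest(link_protected, secure_decode)
    licence = server.issue(report, content_id)
    if licence is not None:
        ta.install(licence)
    return licence
```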
Advantages of TEE based Downloadable DRM and Final Remarks
Content Piracy Prevention through TEE
• Content Piracy Prevention
– Risk management can provide an effective deterrent and prevent piracy from destroying the value of the content.
• Self-Protecting Digital Content, Tech. Report by Cryptographic Research Institute:
– http://www.cryptography.com/public/pdf/SelfProtectingContent.pdf
• TEE for Piracy Prevention
– Acts as a security plugin to the platform OS (Android, Windows or Tizen).
• TEE provides a secure environment for sensitive tasks without exposing cryptographic credentials.
– Provides a programmable security environment where updates can be provided in case of a security breach.
[Figure: TEE positioned beneath the platform OS; labelled elements: Windows Platform, Android Platform, Trusted Execution Environment [System on Chip Module (SoC)], "Provides security plugin or services to platform OS".]
Summary
• TEE-based Downloadable DRM in Global Platform
– Provides a standardized security plugin to the platform OS that enables the secure execution of tasks in the end-to-end trusted video rendering path:
• Addresses Heterogeneity, Fragmentation and Security Assurance issues.
– Achieves the common goal of various stakeholders:
• Any Device, Anywhere.
• Challenge:
– Formulation of Comprehensive Security Framework.
– Standardized Certification & Compliance Regime.