1Introduction



Yüklə 55,5 Kb.
tarix30.10.2018
ölçüsü55,5 Kb.
#76179


VUDU Embedding Architecture: An Overview

October 30, 2018
Highly Confidential

1Introduction

VUDU provides a complete, end-to-end solution for delivering instantaneous digital video on demand to consumers over their broadband internet connections. VUDU’s unique user experience is characterized by the following key features:




  • Lean-back TV experience.

  • Instant access to titles in both standard definition and high definition.

  • Instant seek anywhere within the movie, no waiting.

  • Uninterrupted streaming even when user’s broadband speed fluctuates.

  • Rich browse and search experience.

This document describes VUDU’s streaming architecture with a particular emphasis on security. The security mechanism for the streaming architecture is practically identical to the security mechanism for the download-and-play architecture, with the following notable differences:



  • Streamed content is not stored on permanent storage.

  • Rental expiration times are enforced directly by the server instead of needing to trust the client.

The content encryption scheme, key transmission methods, and content decryption schemes remain essentially identical to the download-and-play architecture.



2VUDU Streaming Architecture

This section provides a high-level overview of the VUDU system architecture with particular emphasis on content flow and security.


The VUDU architecture is uniquely structured to offer low-cost delivery of content to endpoint devices while still guaranteeing instant access and a practically unlimited library size. The architecture consists of novel elements involving networking, security and content encoding/decoding.
frame1

The flow of content in the VUDU system may be described by the following steps (Also see Figure 1):




  1. Content is encoded in digital form in-house or at a secure studio-approved, partner encoding facility.

  2. Content is encrypted at the Encryption Station in VUDU’s facility.

  3. Encrypted content is then distributed among VUDU content servers. Note that the content servers do not possess any content keys.

  4. When a client device orders a title, it contacts the VUDU server through a secure channel which has been established via a mutual authentication protocol.

  5. After validating the box and checking that its account is in good standing, the server contacts the CA system to generate a unique license authorizing that particular box for playing back the movie, and providing the bulk keys required for decrypting the movie.

  6. The license file is sent to the security software on the set-top box, which decrypts the file to obtain bulk keys. The bulk keys are available only in wrapped form, using encryption that is uniquely individualized to that particular client device.

  7. The wrapped bulk keys are passed on to the client’s secure processor hardware to decrypt and play back content.

  8. The server also authorizes one or more content servers to transmit the encrypted title to the ordering box.

  9. The encrypted title is streamed in real-time to the box and is played back without needing to be permanently stored on a persistent storage device.



3Security Architecture

3.1Overview

The security of the VUDU architecture fundamentally stems from the following properties:



  • Content is encrypted using AES-128 in CBC mode, a secure cipher.

  • Keys are delivered wrapped in a form that is unique to each client, preventing the possibility of replay attacks on a different device.

  • Keys are not exposed in the clear to client software, instead leveraging wrapping mechanisms to keep them encrypted.

  • Keys are only provided from the server “on demand”, ensuring that time-based rental expiration policies may be enforced from the server.

  • Content is streamed, and always stays encrypted until just before decode and display.

  • A secure boot process ensures that rogue software cannot execute on the client.

The following sections describe the security features in greater detail.



3.2Content Encryption

A/V content is encoded as H.264 video and Dolby Digital/Dolby Digital Plus audio encapsulated in an MPEG2 Transport Stream container.


The transport stream is encrypted at the Encryption Station using AES-128 in CBC mode. The CBC mode uses Residual Block Termination (http://en.wikipedia.org/wiki/Residual_block_termination) to ensure that no padding is required for encryption.

3.3Purchase Process

When the user desires to play a movie, the following steps happen:




  1. A secure connection is established between the box and the head-end using two-way mutual authentication.

  2. The above ensures that the box cannot spoof its identity to the server, nor can the box be tricked into talking to a server different from the VUDU server.

  3. A purchase request is sent from the box to the server for the specified movie at the specified price.

  4. The server forwards the request to the back-office system for validation that the offer being requested is legitimate, that the user’s account is in good standing, and that the device has not been revoked.

  5. Once the backoffice system approves the request, the user’s account is charged, and the user is notified of a successful transaction.



3.4Key delivery to the client


  1. Once the client has been notified of a successful purchase, it may request a license file to play back the movie.

  2. The license file request is made at the time the user desires to start playback, thereby allowing the server to know when to “start the clock” on a rental transaction.

  3. Upon receiving a license file request, the server verifies with the back-office system that the user is indeed authorized to view the title.

  4. A license file (called a “ticket”) is then generated that is unique for the specific box and user.

  5. The ticket contains the bulk encryption keys used to encrypt the content.

  6. Each of the bulk keys is uniquely wrapped such that it may only be decrypted and used by the specific client that made the purchase request. [Therefore avoiding any possibility of replaying the keys on a different device.]

  7. The license file is transmitted to the box over the secure link described in Section 3.2.



3.5Key Protection on the client



When the client receives an encrypted ticket (license file), a secure module holds the ticket. As A/V content is being played back, the player provides notifications about the current position in the video to the secure module, which then selects a corresponding “wrapped” bulk key to deliver to the decryption hardware.
Because the bulk key is “wrapped” in a fashion that is hardware-specific and unique to each client, the keys are protected against attacks on the software and cannot even be replayed on a different client.

3.6A/V Streaming

The actual bulk A/V stream is always in encrypted form (whether stored on a CDN or being downloaded to a client). Because of the fact that content is streamed, the media is not even stored persistently on the client, instead remaining in RAM for the duration necessary for buffering.


Decrypted video is always decoded immediately and displayed.

3.7Platform Security

The platforms embedding the VUDU service fulfill essential robustness requirements designed to ensure that they cannot be easily hacked. Among the robustness requirements are the following:



  • Secure boot: Software signatures are checked prior to execution to prevent the execution of rogue software.

  • Hardware security: JTAG ports are disabled preventing an attacker from easily gaining access to the hardware. DRAM scrambling may be used to prevent snooping on memory to extract content or keys.

  • Single-chip decryption and decode: All content decryption and content decoding occurs within the same chip, resulting in a single device that accepts encrypted digital content as input and produces HDCP-protected digital or protected analog video outputs.



3.8Output Protection

[Note: This section does not apply in the cases where the client is a television in itself.]


Analog and digital video outputs are both protected as follows:
Analog Standard-Definition Outputs: Protected by CGMS-A (Lines 20 and 21) and Macrovision copy protection.
HDMI Output: Protected by HDCP.
Component Out: HD downscaling set by policy.

3.9Revocability and Renewability



Forced Software Upgrades: The VUDU system is a two-way system with the client having to contact the server in order to accomplish almost all of its functionality. This provides the opportunity for the system to forcibly upgrade the software on the client.

Client Revocation: Since the entire system is a two-way system, the process of revoking a specific client – for example, when it is determined that a particular box has been compromised – is extremely easy. The VUDU server maintains a list of revoked clients and immediately cuts off all access to content from those devices.


Yüklə 55,5 Kb.

Dostları ilə paylaş:



Verilənlər bazası müəlliflik hüququ ilə müdafiə olunur ©genderi.org 2024
rəhbərliyinə müraciət
    Ana səhifə
Psixologiya