( ( ( Kaleidescape(Secure(Content(Delivery(System( (KDRMBC)(

Transcription

1 ( ( ( Kaleidescape(Secure(Content(Delivery(System( (KDRMBC)( ( ( ( ( ( ( ( Security(Review(Management(Report( Version1.1(Final) Author:(Tom(Thomas,(Ian(Whitworth( T F Copyright 2014Farncombe Belvedere BasingView Basingstoke RG214HG

2 ( ( ( ( CONFIDENTIAL Thisdocumentandtheinformationcontainedhereinisthesubject ofcopyrightandintellectualpropertyrightsunderinternational convention.allrightsreserved.nopartofthisdocumentmaybe produced,storedinaretrievalsystemortransmittedinanyformby anymeans,electronic,mechanical,oroptical,inwholeorinpart, withoutthepriorwrittenpermissionofthecopyrightholder. Thisreportmaynotbecopiedorissuedinwholeorinpartwithout theexpresspermissionofkaleidescapeincandthenonlysubjecttoa confidentialityagreementbetweenkaleidescapeincandthe recipients.extractsfromthereportmayonlybeissuedwiththe expresspermissionoffarncombetechnologyandkaleidescapeinc. Disclaimer Thefactsandopinionscontainedinthisdocumentarebasedon informationgiventofarncombetechnologylimitedbykaleidescape Incinwrittenform,andindiscussionduringthereview.Whilst reasonableefforthasbeenmadetoensuretheaccuracyofthe report,farncombetechnologyshallnotbeliableforanyerrorsor misrepresentationthatmaybepresent,norforbusinessdecision madebyanythirdpartyoutoftheopinionexpressedhereafter. DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 2

3 Table(of(Contents( CONFIDENTIAL ( 1 ExecutiveSummary Introduction KaleidescapeSystemOverview Overview Customerdiscimport KaleidescapeStore ClientDevice(CPE)Components Server MediaPlayer PhysicalDiscStorage KaleidescapeStoreContentIngest Indirect viaopticalmedia OffsiteContentPreparation ContentFilePackaging Direct viamezzaninefile SecureMediaEnvironment(SeME) Assetarchive/backup Keygenerationandbackup CustomerEquipmentSoftwareandRobustness KeyLadder KDRMMasterKey SecureBoot KaleidescapeOS(kOS)Software ContentPathProtection ContentPath Cinaviasupport Player3 rd partysecuritymechanisms ContentWatermarking SoftwareFieldUpgrades DeviceLocking/Unlocking ObservationsandRisks Observations Risks Recommendations ThreatAnalysis Conclusions AppendixdIntroductionof4K/UHDContent DRMSystemBestPractices Cryptography Connection HackOne,OnlyHackOne SoftwareDiversity Revocation&Renewal Outputs&LinkProtection...26 DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 3

4 CONFIDENTIAL 11 AppendixdListofReviewedDocuments...27 DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 4

5 Version Date Author Comment 0.1Draft 13/08/2014 TomThomas IanWhitworth 0.2Draft 15/08/2014 TomThomas Revisions A CONFIDENTIAL Redactedfromtechnicalreport 0.21Draft 15/08/2014 TomThomas AddedThreatTableguidance 1.0Final 17/08/2014 TomThomas Releaseversion 1.1Final 20/08/2014 TomThomas Minormodificationsandtypogpraphicals DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 5

6 CONFIDENTIAL 1 Executive)Summary( TheKaleidescapeDigitalRightsManagement(KDRM)Systemsecurityreview,comprisingcontentimport/ingest, encryption,headdendprocessesandclientdsideequipmentwascarriedoutatkaleidescapeofficesinwaterloo, Canada,from21 st to25 th ofjuly2014,withthefullcooperationofseniorpersonnelanddevelopmentteam members. ThisreportreviewsthesecurityoftheKDRMSystemfordeliveryofHDA/Vcontent.Particularattentionispaidto thesuitabilityofthesystemforhandlingpremiumhdcontent,withqualityequaltothatonbludraydiscs. TheKaleidescapesystemcomprisestwomainproductfamilies thekaleidescapepremierelinesuiteofdevices, andthecinemaonedevice.bothproductfamiliesusethesamecontentcodingandcontentprotection. KaleidescapePremiereLineconsistsofoneormoreServers,DiscVaultsandMediaPlayersconnectedbyahome LAN,withInternetconnectiontotheKaleidescapeStorefordownloadingcontent.CinemaOneisastanddalone PlayerwithintegratedcontentstorageandhomeLANandInternetconnection,whichmaybeusedinconjunction withadiscvault.discvaultsprovidephysicalstorageforacustomer'sdvdsandbludraydiscs,andallowtransfer ofencryptedphysicaldisccontenttoserverorcinemaonestorage. TheKaleidescapeStoreisthecontentretailwebdbasedsourceof1)A/VcontentfromoriginalDVDandBludray discs,and2)inthenearfuture,highqualitymezzaninefiles.contentispackagedinaproprietarykaleidescape containerformat,togetherwithmetadataandscannedcoverart,whichcustomersmaypurchaseanddownload forofflineconsumption. KaleidescapeofferaparticularlyattractiveUserInterfacetothesystem,allowingaCustomertoeasilyorganise, selectandplaycontentfromharddiskstorage,withoutthedelayandinconvenienceofhandlingdvdsandblud raydiscs. ContentstoredinKaleidescapeformatisencryptedAESd128andprotectedbyaproprietaryDigitalRights Management(DRM)system.ThePlayerdevicesemploysecurebootandsecurehardwarekeyladder;thecontent pathprotectionmeetsthecurrentbestpracticeforembeddeddevicecontentpathmanagement. Kaleidescapearewelladvancedinthedesignofasystemallowingtheingestofcontentindigital(mezzanine) form,directlyintothekaleidescapestore.thissystem,initscurrentstatus,isalsoreviewedinthisreport. Kaleidescape(uses(industry(best(practices(in(their(content(distribution(headend(architecture(and( implementation.(content(encryption(uses(best(practice(algorithms(and(key(lengths.( The(system(meets(the(security(requirements(for(distribution(of(premium,(highest(quality(HD(content.(Our( Observations(and(Recommendations(identify(opportunities(that(may(enhance(the(security(of(the(product(in(the( future.( Kaleidescape(has(a(mezzanine(ingest(facility(with(a(wellBprogressed(design((on(target(for(a(Q2(2015( deployment)(that(meets(security(requirements(for(premium,(highestbquality(hd(content.(there(is(an( opportunity(to(increase(the(security(of(this(facility(for(handling(4k(content.( We(have(also(included(a(brief(commentary(on(the(readiness(of(the(system(for(4K(content(support(in(section(10.( DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 6

7 CONFIDENTIAL 2 Introduction( FarncombeConsultingGroupisaspecialisedprofessionalservicesfirmoperatinginthedigitalbroadcastingand telecomssectors.farncombeconsultinggroupleveragesitsexpertiseinsecuritytooffersecurityreviewsofpayd TVsystems.Thesesecurityreviewsareusedbymajorstudiosandnetworkstoaidintheirassessmentofsecurity solutionsusedbycontentproviderstodeliverpremiumcontenttotheirsubscribers. KaleidescapeIncisacorporationfoundedin2001,withitsHeadOfficeinSunnyvaleCA,aproductdevelopment officeinwaterloo,canada,andasalesofficeinbracknell,uk.theheadofficeactivitiesincludemediaingestand preparationandgeneraloperations;thecanadianofficehoststhemajorityofthedevelopmentandengineering teams. FarncombehavebeenaskedtoreviewtheKaleidescapesecuritysystemasitexiststoday,withaviewonthe ingestworkflowandrobustnessformezzaninedsourcedcontentandstreaming,whichisinadvanced developmentwithseveralcontentproviders. ThisreviewhasbeencarriedoutwiththefullcooperationofthefollowingseniorKaleidescapepersonnel: CraigMcKinley dseniordirector,softwareengineering MarkMcKenzie dprincipalengineer,directorhardwareengineering KevinHui ddirector,coresystems(bytelephonefromsunnyvale) JamesKleist ddirector,engineeringservices MatthewManjos dmanager,itoperations TroyMoure dseniorsoftwareengineer DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 7

8 3 Kaleidescape*System*Overview( 3.1 Overview( CONFIDENTIAL Kaleidescape'smainconsumerproductsare: KaleidescapePremiereLine,whichconsistsofServers,MdclassM300andM500PlayersandDiscVaults connectedtoahomelan.servers,usedinconjunctionwithanmdclassplayersanddiscvaults,are productswhichstorethekosoperatingsystem,storagesystemaswellasthemovieguide.thesystem providespracticallyunlimitedstorage,byaddingdiskcartridgestoexistingservers,orbyaddingmore Servers.M300Playersplaycontentexclusivelyfromserverstorage;M500Playershaveanintegrated opticaldrive,andcanplaycontenteitherfromserverstorage,ordirectlyfromtheopticaldrive. KaleidescapeCinemaOne,whichconsistsofaKaleidescapeMdclassPlayerwithenoughintegrated storagefortheequivalentof100bludray,or600dvddqualitymovies. DV700DiscVault,whichmaybeusedwitheithersystem,andwhichwillacceptupto320DVDsorBludray discsandimportandtransferthecontentstopremierelineserverorcinemaoneplayerstorage.bludray discsmustremaininthevaulttoenabletheserverdiskcopytobeplayed(confirmationofdisc ownership). AsimplifiedrepresentationoftheKaleidescapeecosystemisshowninFigure3d1. Kaleidescape premises/ studio designated premises Customer system Optical Mezzanine Disc vault (optional) disc ingest ingest Player 1 Home LAN Store Public internet Server device Player N Figure(3B1(Kaleidescape(ecosystem( DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 8

9 3.1.1 Customer(disc(import( CONFIDENTIAL WhenadiscisplacedintoaDiscVault,itscontentiscopiedtoPremiereLineServerstorage,orinthecaseof CinemaOne,itscontentiscopieddirectlytotheintegratedstorage.Suchcopiesarenotviewablefromany networkedcomputers,arenotrecordabletoanymediaandcannotbeexportedtotheinternetdatdlarge.copies withintheservercanonlybedeleted.thisdisccopywillretaintheoriginalcss(dvd)oraacs(bludray)content protection.iftheimporteddiscrepresentsatitleinthestoreandthereisnetworkconnectivity,thecustomeris offeredtheopportunitytopurchaseanddownloadthattitleasa'discdtoddigital'copy,directlytoserveror CinemaOnestorage Kaleidescape(Store( CustomerSystemsareaugmentedbytheKaleidescapeStore,thathasbeenoperationalforapproximatelytwo years,andwhichhostsawebinterfaceforcontentbrowsing,purchaseanddownloadrequests.eitherfull virgin purchasesor disctodigital upsellproductsareavailable.thestoreserviceiscurrentlyofferedintheus,canada andtheuk Encryption,(packaging(and(licenses( ContentisencryptedusingKaleidescapeDRM(KDRMdC),packagedusingaproprietarystructureandheld encryptedinthestore,alongwithmetadata,includingdvd/bludraycoverart,addedbykaleidescape.thereare separatekdrmmasterkeysforthesdandhdcontentcatalogues(see4.1.1).aplaybackcertificate(pbc)is createdatthetimeofcontentencryption,whichconsistsoftheencryptedcontentkey. PBCsareissuedtoCustomersaspartofasignedPlaybackLicence(PBL).PBLsareconstructedandmanagedby theplaybackauthorisation(pa)serviceonddemand,signedandspecifictoacustomerdevice(serverorcinema One) Hosting( TheStoreandPAServicearehostedbyheaddendserverslocatedinasecureDataCenterinSantaClara,CAalong withallothercustomerdfacingfunctions. 3.2 Client(Device((CPE)(Components( AttheCustomer'spremises,theexternalnetworkconnectionmayeitherbetoaKaleidescape1Uor3UServer,or thekaleidescapecinemaoneproduct Server( TheServerorCinemaOnedeviceregularlypollstheKaleidescapeheaddendfortheallowabledownloadlistof titlesandplaybackauthorisations,andfetchesplaybacklicencesasappropriate.itdownloadscontentfromthe Store,andmaintainsalocaltableofPBLs Media(Player(( Kaleidescapeofferstwo'Mdclass'MediaPlayersaspartofthePremiereLinesystem.TheCinemaOneproductis functionallyanmdclassplayerwithintegratedserverfunctionality. DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 9

10 CONFIDENTIAL NOTE:(There(are(various(legacy(Kaleidescape(SDBonly(capable(players(that(are(capable(of(accessing(SD(Store( content(only.(these(devices(are(no(longer(offered(to(customers Physical(Disc(Storage( KaleidescapeofferaDiscVaultproduct.ItallowscustomerimportofcontentfromDVDandBludraydiscsto ServerorCinemaOnestorageandongoingphysicalstorageforthesediscs. DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 10

11 4 Kaleidescape*StoreContent&Ingest( CONFIDENTIAL TheKaleidescapeStoreispresentlypopulatedwithcontentsourcedfromDVDandBludraymedia,butisplanned toincludecontentsourcedfromdigitalmezzaninefilesinq Indirect( (via(optical(media( Contentmaybeingestedfromphysicalmediaatsitesdesignatedbythestudioorcontentprovider,orat KaleidescapeHeadquartersinSunnyvale.Thediscsareusuallystandardcopiespurchasedfromretail,howeverin somecircumstancescontentproviderswillmakecopiesavailabletokaleidescapeupto2weeksbeforestreet date Offsite(Content(Preparation( KaleidescapepackagesandprotectsHDcontentoffsite,infacilitiesagreedwitheachcontentprovider. (All(Content(Keys(are(presently(protected(with(only(a(single(static(global(Master(Key.(This(is(acceptable(to(date( for(kaleidescape s(handling(of(blubray(quality(hd(content.(key(diversity(should(be(introduced(for(4k(content( (see(10(for(further(detail).( (Kaleidescape(should(specify(a(base(level(of(security(for(their(ingest(equipment(when(it(is(operated(at(a(3 rd ( party(site,(as(part(of(their(contract(with(that(party.( Content(Integrity( Encryptedcontentvideo,audio,andmetadatafilesarestoredinacontainerstructurecalledaMediaObject,with protectedfilesegments.this(is(an(effective(mechanism(for(cryptographically(ensuring(that(content(being(played( back(is(bitbforbbit(identical(to(that(which(was(ingested(at(the(headbend.(see(section(5.4.2(for(more(details.( Content(File(Packaging( Afteringestatthestudioddesignatedsite,theDVD/Bludraydiscsandharddiskscontainingprotectedcontent(and theoperatingsoftwarefromtheingestserver)arephysicallyshippedbacktothekaleidescapeheadquartersin Sunnyvaleviaregisteredcourier,wheretheDVD/Bludraydiscsaresecurelystored(archived).Theharddisksare insertedintoakaleidescapeserverlinkedtolocalnetworkattachedstorage(nas)andoverdedicatedfibreto thedatacenterheaddend.abundlerservicepackagesthekcffilesfordownload.theheaddendservernetwork usesadedicatedfibredopticlink. This(optical(media(ingest(process(is(acceptable(for(the(handling(of(premium,(BluBray(quality(HD(content.( 4.2 Direct( (via(mezzanine(file( MezzanineingestiscurrentlywellprogressedindevelopmentwithseveralContentProviders(CPs),withatarget deploymentforq22015.weunderstandthatthemainitemstobecompletedaredetailsregardingtranscode profilesandautomationofworkflowjobs. AsimplifiedrepresentationofthemezzanineingestarchitectureisshowninFigure4d1. DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 11

12 CONFIDENTIAL CP a CP n Public internet Kaleidescape/Internap Firewall Backup server Content ingest area SeME (transcode, encrypt, package) restricted command interface Ingest management /control Figure(4B1(Summary(of(mezzanine(ingest(architecture( Secure(Media(Environment((SeME)( KaleidescapehasdesignedtheSecureMediaEnvironment(SeME),whichpresentsarestricted,lowlevel, sanitisedcommandinterfacetothelowersecurityheaddendservers,allowing macro controlofcertain operations,e.g.downloadfilexfromcontentprovidera,transcodeandencryptfilex,etc. LinkstoContentProviderhostsarerestrictedatthefirewallleveltothespecificproviderIPaddressesonspecific ports. TheSeMEwillexecutetranscodeofingestcontentfromContentProviderspecificcodecintoappropriateMP4 variablebitdrateformats,packagedinacontainerformatiscalledkcfdb. TheassetContentKeyisencryptedwithaKDRMdCMasterKeyandincorporatedintoaPBC,whichissignedwith thesemeprivatekey.thepbcanditssignatureareprovidedtothekdrmdpahostserviceoveraseparate mutuallydauthenticatedchannel.thisactionisdonesuchthatifadditionalcontentbecomesavailablefromthecp aspartofanasset(e.g.laterdissuedbonusfeatures),thesemecanverifythesignaturefortheasset spbc, therebyverifyingthatpbcwasoriginallygeneratedbytheseme. DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 12

13 CONFIDENTIAL The(essential(design(of(the(SeME,(as(it(is(being(implemented,(is(appropriate(for(secure(ingest(and(processing(of( premium,(highest(quality(hd(content.(during(this(development(stage,(preparations(to(improve(security(of(4k( content(could(be(made.( Asset(archive/backup( Rawmezzaninefilesarealsoexportedassingleassetarchivefilestoalocalserver,AESencryptedwithaunique keygeneratedinsidetheseme. Theassetencryptionkeybackupisexpectedtousethekeyringasdescribedinsection Key(generation(and(backup( KeysaregeneratedintheSeMEbysoftware.AllkeyspersistedwithintheSeMEarestoredonasinglepassphrased protectedkeyring. (In(the(SeME(as(currently(proposed,(the(confidentiality(of(the(Master(Key(is(secured(using(software(techniques( (albeit(hardened),(which(may(be(improved.( (We(recommend(that(Kaleidescape(use(a(FIPSBcertified(random(number(generator.( (We(recommend(that(a(separate(key(ring(be(considered(for(each(Content(Provider. ( ( DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 13

14 CONFIDENTIAL 5 Customer(EquipmentSoftware)and)Robustness( TheKaleidescapestandalonePlayers,MV700DiscVaultandCinemaOneproductalluseanHDdcapableSoC. This(SoC s(features(are(representative(of(a(typical(level(of(security(for(an(hdbcapable(platform.( 5.1 Key(Ladder( TheSoCcontainsadedicatedSecurityCPU(SCPU)thatisresponsibleforexecutingthefirststageofsecureboot aswellasthehardwaredisolatedkeyladderfunctions.thefirmwarerunningonthescpuissecuredwitha proprietarymechanism onlyasetoflowlevelapisisprovidedtothehostcpuforperformingcryptographic operations KDRM(Master(Key( TheKDRMMasterKeyisheldinuniquelydencryptedforminFlash. 5.2 Secure(Boot( TheSoCsupportsathreedstagesecureboot. 5.3 Kaleidescape(OS((kOS)(Software( KaleidescapedevicesusetheKaleidescapeOperatingSystem(kOS),whichisderivedfromaLinux distributionforthesoc,modifiedbykaleidescape.thisiseffectivelyaproprietaryos,andhasbeenheavily strippeddowntopreventsubversion,includingremovalofunnecessarydaemonsandservices. 5.4 Content(Path(Protection( ContentpathprotectionintheKaleidescapeMdclassPlayerismanagedbytheSoCfirmware.CurrentPlayers, exceptthecinemaone,includeanalogueoutputs,protectedbymacrovision.theseoutputsaredisabledforhd contentplayback.hdmioutputsareprotectedbyhdcpv Content(Path( Content(path(protection(meets(the(current(best(practice(for(embedded(device(content(path(management.( Cinavia(support PlayersimplementCinaviaaudiowatermarkdetectionintheaudiopostdprocessingpipeline,aspartof Kaleidescape saacs/bludraylicenseobligations Player(3 rd (party(security(mechanisms( HDCPandAACSrevocationactionsareparsedandmanagedbyKaleidescapesoftware. DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 14

15 5.5 Content(Watermarking( CONFIDENTIAL ThereisnoformofwatermarkingappliedtocontentintheKaleidescapesystem,eitheratheaddendorclient. 5.6 Software(Field(Upgrades( AllCustomerequipmentsoftwareupgradesaretriggeredthroughaSystemserverupgrade.Thereisnoconcept ofincrementaldevicepatching;afullarchivecontainingencryptedsubdarchivesforotherdevicesisalways downloaded(regardlessofwhatdevicesexistonthecustomernetwork).upgradesarerolledthroughthe populationinaphasedrollout. TheVersioningserveronlyallowsrollforward;norollbackispossible. 5.7 Device(Locking/Unlocking( KaleidescapehasafeatureintheirkOSdbaseddevicesthatallowsdevelopmentsoftwaretobeloaded.Unitsare manufacturedandshippedina'locked'state,wherenounsignedsoftwarecanbeloadedontothedevice.the opendsourceredbootembeddedbootstrapenvironmentcanbeusedwithanunlockeddevicetoallowdownload andexecutionofsignedembeddedapplicationsviaserialornetwork(ethernet)ports.redbootisembeddedin everykosdevice (We(regard(the(device(unlock(software(that(is(included(in(all(MBclass(players(as(an(unnecessary(risk.(There(is(no( need(for(devices(in(the(field(to(allow(unlocking.(( DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 15

16 6 Observations,and,Risks( CONFIDENTIAL 6.1 Observations( WemakethefollowingobservationsregardingtheKaleidescapesystem: 1. Thesystemarchitectureissound.4KdevelopmentwillgivetheopportunitytomovetoanalternateSoC. 2. Theheaddendserversandnetworkinfrastructureareofexcellentdesignandphysicalsecurity,and representbestpractice. 3. Theuseofstandardencryption(AESd128,256,andRSAd2048)representsbestpractice. 4. TheKaleidescapesoftwaredevelopmentprocessandmanagementiswellorganisedandcontrolled. 5. Softwareupgradesaremadeascompletecodeimagesratherthanaspatches. 6. Thereisanexcellentnetworkmonitoringandlogginginfrastructureinplace. 7. Theusername/passwordcredentialusedforSSLiscommontoallCustomerServers.Whilstthishasnotso fargivenrisetoanyproblems,itdoesnotrepresentbestpractice. 6.2 Risks( WhilstwefindthattheKaleidescapeDRMSystemmeetstherequirementsforpremiumHDcontentingestand distributionfromdvd/bludraydiscs,wehavereviewedthesystemforanyremainingriskstosystemsecurity.we havegivenrecommendationsinsection7tofurtherimprovesecurityinthesystem,asitisdevelopedto encompassmezzaninefileingestandtohandle4kcontent. DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 16

17 CONFIDENTIAL 7 Recommendations( WhiletheexistingsystemmeetsthesecurityrequirementsforpremiumHDcontentalready,wehavethe followingrecommendationsthatwethinkwillfurtherenhancethesecurityofthekaleidescapesystem: 1. AHardwareSecurityModule(HSM)shouldbeemployedintheSeMEordertoprovidebestdindclass confidentialityofheaddendmasterkeysandtheiruseintheencryptionofcontentkeys. 2. ApenetrationtestshouldbecommissionedontheSeMEinfrastructure. 3. DisabletheunlockfeatureinallproductionunitsthatareshippedtoCustomers. 4. Introducediversificationbyoverdencrypting(orreplacing)anykeysthatarecurrentlywrappedwithstatic globalkeys,usingadevicedspecific,accountdspecificorasessiondspecificuniquekey. 5. StrengthenthecryptographicbindingbetweenaLicenceandaServer. 6. Introduceregularsecurityaudits/inspectionsofthemanufacturingfacility. 7. IntroduceIntrusionDetectionSystems(IDS)insecuritydsensitivenetworkdomains. DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 17

18 CONFIDENTIAL 8 Threat'Analysis" NOTE:"In"the"compilation"of"the"Threat"Table"ratings,"only"HD=capable"platforms"have"been"included." THREAT" VENDOR" FARNCOMBE" DESCRIPTION" COMMENT" 1" Access"to"or"modification"of" secret"keys/licenses"stored"in" the"security"device" Littleornoprotection 2 Protectionnottomodernstandards,e.g.chip securityfuseslocatable 3 Protectionconsistentwithindustrygood practice,e.g.useofstatepofpthepartchips,good layout 4 Needssignificantresourcestodefeat protection,e.g.physicalreversepengineering 5 WellPprotected,largeamountsofdatatofind, customlogicandhardware 2" Illegal"use"of"the"service" (sharing"account,"url"sharing" )" Trivialsoftwareattackallowsillegaluse 5 Bestpractice;licensecryptographicallybound todeviceandaccount 3" Vulnerability"to"attacks"on" system"interfaces"including" internal"interfaces"in"the" device"(for"example"passing" decryption"keys"from" software"to"hardware" decryptors)" Keysopenlyexposedtosoftware 2 Keysexposedinanomalousmodeofoperation e.g.diagnosticmode 3 Keysinsoftwarereliantonsecureboot environment 4 Keysinsoftware,protectedbytrusted executionenvironment 5 Keysprotectedbyhardware,neveraccessible byanysoftware DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayincludeproprietaryinformation. Unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 18

19 CONFIDENTIAL 4" Vulnerability"of"servers" (protections"of"keys," operating"system)" 5" Attacks"on"system"protocols," bad"message"types" 6" Attacks"on"system"protocols," replay"attacks"" Secretshiddeninsoftware;poorheadPend isolationfromnetworkconnection 2 Limitedprotection;e.g.systemfirewall,access authentication 3 Secretsprotectedbysoftwareencryption; relianceongoodosconfigurationand maintenance 4 Secretsprotectedbyacombinationof hardwareandsoftware 5 SecretshiddenindualPkeyhardwareandnever exposedininitialisationoruse Nomessagevalidation 2 Protocolmodificationspossibleandsomehave apredictableimpactonthesystembehaviour 3 Protocolmodificationspossibleandcouldhave anunpredictableeffectonthesystem 4 Malformedmessagesrejected 5 Malformedmessagesrejectedandlogged Replayattackspossiblethatcanbeshownto modifythesystembehaviour 2 Replayattacksnotrejected,butcannotbe showntomodifysystemsfunctionalbehaviour 3 Replayattacksimpactperformance,butnot functionalbehaviour 4 Replayattackshavenoapparenteffecton systembehaviour 5 Replayattacksmaybeformallyshowntobe rejected,andnottoaltersystemfunctionality DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayincludeproprietaryinformation. Unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 19

20 CONFIDENTIAL 7" Attacks"on"cryptography," brute"force" Weakcryptographywithconsequencesforthe system 2 Recognisablypoorimplementationof acceptablecryptography 3 Useofstandardcryptographybutwithlimited implementationtesting 4 Independentvalidationofcryptographydesign andimplementationinisolation 5 Independentlytestedorstandardised cryptography,wellimplementedandtestedinthe application Gooduseofcontemporaryalgorithmsand keylengths 8" Attacks"on"the"application"of" cryptography,"e.g."man"in"the" middle"attacks" 9" Attacks"arising"out"of"poor" software"integration"quality" including"weaknesses"in"the" implementation"process" (insertion"of"trojans"etc)"that" might"not"be"detected"in"the" development"and"integration" process" Significantattacksareshowntobepossible 5 Resistanttoalltheoreticalattacksconsidered duringthecourseofthereview Developersinchargeofallstagesof implementation.nodefinedprocesses 2 Definedprocesses,poorlyPobserved 3 Gooddesignreviewsbutlimitedformal integrationandtestprocesses 4 Goodprocesses,butlimitedexternalreview 5 WellPdefinedprocessesincludingpeerreview andformalqualityandtestprocesses 10" Attacks"arising"out"of"poor" overall"system"design"and" quality" Nopeerreview,overPcomplexdesign 2 SomeadPhocreviewofsystemsdesignand implementation 3 Internalsystemdesignreviewonly,withadPhoc processes 4 ExternallyPrevieweddesign,notallprocesses Unlockcapabilityisunnecessary DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayincludeproprietaryinformation. Unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 20

21 reflectbestpractice 5 Simpledesign,reviewedatallstagesin developmentandimplementation CONFIDENTIAL 11" Illegal"storage"of"content" (when"the"solution"forbids" recording)" 12" Key"management," weaknesses"in"the"key" hierarchy"and"or"the" provisioning"processes" 5 N/A 1 Trivialsoftwareattackallowsrecording 5 Recordingprohibitedbyvirtueoftrusted softwareorhardwaremechanism Staticandsharedkeysthroughout 5 Bestpractice;useofHSMs,noglobalstatic keys,regularrotation Useofglobal/statickeysisnotbest practice DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayincludeproprietaryinformation. Unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 21

22 CONFIDENTIAL 9 Conclusions" TheKaleidescapesystemisspecificallydesignedasahighIendmediasystemtomeettheneedsofwealthy discerningcustomers.itsatisfiestherequirementswell,andhasalltheadvantagesofatwoiwaysystem(mutual authenticationbetweenheadiendserversandcustomerequipment,securesessionestablishment,etc.).the presentdesignmeetstherequirementtoorganizeandaugmentacustomer'sphysicalmedia(cd,dvd,bluiray) collection,withaddedivaluedownloadsfromthekaleidescapestore,derivedfromphysicalmediasecuredby Kaleidescape. Followingindustrypractice,Kaleidescapeplantomigrateawayfromadependenceonphysicalmedia,towards digitalmezzaninefileacceptanceandstorage,andhavedesignedasecuresystemforacceptingcontentfrom studios,andprocessingitforthekaleidescapestore.thissystemhasbeendeveloped,butisnotyetdeployed. Ourobservationsofthedevelopmentindicatethatitisofgooddesignandelectronicandphysicalsecurity. KaleidescapehaveasecureandwellIprovenheadIendsystembasedinasecureDataCenterfacilityinCalifornia; theheadiendnetworkarchitecturefollowsbestpractice,andusesupitoidatefirewallsandloadibalancing capability.thereisanexcellentloggingandmonitoringfunctionforallheadiendequipmentandservices. ThePlayerdevicesemploysecurebootandsecurehardwarekeyladder;thecontentpathprotectionmeetsthe currentbestpracticeforembeddeddevicecontentpathmanagement. The"Kaleidescape"Customer"systems"(Kaleidescape"Premiere"Line"and"Cinema"One)"use"a"secure"System<on< Chip"(SoC)"to"process"downloaded"and"stored"content,"and"Playback"Licences."The"security"of"the"Customer" system"is"appropriate"for"high<value"hd"content." Kaleidescape"has"a"mezzanine"ingest"facility"that"has"a"well<progressed"design"but"is"not"yet"deployed."The" ingest"design"is"appropriate"for"high<value"content"handling."we"have"provided"suggestions"to"further"enhance" its"security"and"to" future<proof "the"setup." Regarding"other"system<level"requirements"for"4K"content,"we"have"included"a"discussion"in"section"10." DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 22

23 CONFIDENTIAL 10 Appendix"<Introductionof4K/UHD%Content" Movielabs( outlinesguidelinesandbestpracticesatboththedrmandsystemlevel,forplatformsintendedtosupport4kor UHDcontent(whichwewillrefertoas4Kcontenthereafter). Eachofthefollowingsectionsistakenfromthe DRMBestPractices sectionofthemovielabsdocument.ineach sectionwehavestatedourunderstandingoftherequirementsandtheimpacttheyhaveonthedesignofa4ki compliantdrmsolution. AsneitherMovieLabsnorthestudioshavereachedadefinitivepositionontherequirements,wecannotsay definitivelywhichoftherequirementswillbeenforcedincarriageagreements.movielabsthemselvesstatethat each%studio%will%determine%individually%which%practices%are%prerequisites%to%the%distribution%of%its%content%in%any% particular%situation.unlessstatedtothecontrary,webelievethattherequirementsprovideagoodfoundation foraspecification. IneachofthefollowingsectionsthetextinitalicsistakenverbatimfromtheMovieLabsEnhancedContent Protectionspecification DRM"System"Best"Practices" Cryptography"" % a) The%system%shall%use%state%of%the%art%cryptographic%functions,%e.g.,%a%cipher%of%AES%128%or%better. % TheKaleidescapesystemusesAESthroughoutforcontentencryptionandkeyprotection.RSAI2048isusedfor codesigning,soweforeseenoissuehere.however,thesealgorithmsalonewillnotmeetthediversity requirementsspecifiedlaterinthissection(seesection10.1.4). % % b) The%system%shall%be%resistant%to%side%channel%attacks. % Thisisanessentialrequirementforanyreasonablecontentprotectionsystem.Sidechannelanalysisdependson repeateduseofthesamekeysoraccesstothesamedata.rootkeyprotectionisparticularlycritical;however transientkeysthatareusedinfrequentlywouldnotbegoodcandidatesforsidechannelanalysis. OurunderstandingisthattheleadingSoCvendorshavepreIexistingsideIchannelprotection,certainlyaround areassuchassecureboot,thatpreidatestheircurrent4kcapabilities,andassumingthatdedicatedhardware accelerationisusedforcriticalkeydecryptions,thenwebelievethatthisrequirementcanbemet,although furtherdiscussionwiththesocvendorsisrecommended Connection"" a) The%system%shall%allow%the%content%provider%to%hold%back%the%delivery%of%license%keys%to%the%device%until% the%street%date. % DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 23

24 % CONFIDENTIAL TheKaleidescapesystembydesignwithholdsPlaybackLicensedeliveryuntilpermissionisgrantedintheHeadI end.althoughthesolutiondoesnotstrictlysupportitcurrently,thecapabilityfor preidownload ofcontentto Customerscouldbemadepossiblewithminormodifications. % b) Systems%supporting%copy%or%move%shall%require%the%license%to%be%reEprovisioned%through%an%online% process%that%is%performed%using%keys%not%present%on%client%devices%after%a%copy%or%move. % % ThisitemisnotapplicableItheKaleidescapesystemdoesnotsupportcopyormoveinthestrictsense;titlesare purchasedatonetimeforacustomer sentiredeployment,withsomeconstraints(upto5systems),whichmay beacrossseveralserversatdifferentlocations Hack"One,"Only"Hack"One" % a) The%system%shall%bind%the%ability%to%decrypt%a%license%key%to%a%particular%device%(host%and/or%storage).%% License%keys%shall%be%encrypted%such%that%they%cannot%be%decrypted%without%the%keys%of%the%individual% device%for%which%the%license%was%issued. % Thisisanessentialrequirementofanycontentprotectionsystem. ThisisanissuefortheKaleidescapesystemasitstands.Aswehavediscussedinsection5.1.1,theMasterkey thatsecuresthecontentkeysheldwithinlicensesiscommonacrossthepopulation. Therequirementimpliesasecure,hardwarebasedrootoftrust.ThismustbeprogrammedatthetimeofSoC manufactureandusedappropriatelyinakeyladderfunction. % b) The%compromise%of%the%keys%for%a%set%of%devices%shall%not%make%it%easier%to%derive%the%keys%for% another%device. % Thisrequirementimpliesdiversitybetweensetsofdevicesbothintermsofthewaythatkeysarestoredand possiblytheapplicationofthecryptography.readliterally,thiscouldbequiteanonerousrequirement,implying avariationinthedrmclientisideimplementationacrosssetsofdevices(althoughitisnotclearwhatwould constitutea set inthecontextofthekaleidescapesystem).wethinkthatthisrequirementmaybeabletobe satisfiedbutwouldrequireasounddemonstrationofhowtheplatformwasrobustagainstattack,i.e. Kaleidescapemustbeabletodemonstratehowtheyusesecurebootandupdate,atrustedexecution environment,securevideopath,andmostcritically,keydiversity Software"Diversity" Systems%relying%on%software%that%is%potentially%subject%to%attack%shall%be%implemented%in%diverse%ways%so% that%an%attack%is%unlikely%to%be%portable.%this%diversity%shall%vary%by%version%of%the%system,%by%platform%and% by%individual%installation. % Forhighlysensitivekeydecryptions,theKaleidescapesystemdoesnotusesoftwareandsowethinkthatthis itemwouldnotbeapplicable.rightshoweverarecurrentlymanagedinsoftware rightswouldhavetobe DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 24

25 CONFIDENTIAL cryptographicallyboundtothedeviceandthisprocessingmanagedinhardwareorarobusttrustedexecution environmentinordertomeetthisrequirement Copy"&"Title"Diversity"" The%content%protection%system%shall%provide%capabilities%so%that%in%the%event%of%a%breach%on%one%title%or% version%of%a%title,%additional%work%is%needed%to%breach%the%content%protection%on%the%next%title%or%another% version.%(nb:%simply%using%different%content%keys%is%not%sufficient%to%satisfy%this%practice.) % Wethinktheideaofincreasingthediversitybeyondsimplychangingkeysisagoodone,howeverthisisanissue forthekaleidescapesystemasitstands.onewayofaddressingthisrequirementcouldbetointroduceaconcept oftemporaldiversityintothesystem forexampleifanewkdrmmasterkeywereabletobesecurely provisionedinthefieldonascheduledbasis,andthiskeysecuredcontentkeysuntilthenextmasterkeyperiod (atableofmasterkeyswouldhavetobemaintainedintheclient,suchthatexistingdownloadscouldstillbe playedback).seesection4.1.1forourexistingconcernsregardingkeydiversity Revocation"&"Renewal" a) The%system%shall%have%the%ability%to%revoke%and%renew%versions%of%its%client%Component. % b) The%system%shall%have%the%ability%to%revoke%and%renew%code%signatures%if%these%are%used%as%part%of% the%system s%root%of%trust. % c) The%system%shall%have%the%ability%to%revoke%individual%devices%or%classes%of%devices. % d) In%the%above%cases%of%revocation,%the%system%shall%support%an%alternative%to%that%(sic)%allows%access% to%alternate%content%or%only%to%existing%purchases. % TheKaleidescapesystemcanbeinagoodpositionregardingrevocation,butONLYifallpartsoftheCustomer s ecosystemaretrusted.ifweassumethataminimalnetworkconnectionisrequiredforanyrevocationmethod, thenkaleidescapehavefullcontrolfromtheheadiendoverexactlywhichlicensesareavailableforwhich Customer ssystems;nullificationoflicensesintheheadiendeffectivelyresultsinarevokedsystem.kaleidescape couldalsochoosetoenforcemorerestrictiveboundsonnetworkpresence forexampleachallenge/response withtheheadiendbeforecommencing4kplayback,inordertoconfirmtrustintheclientdevice. Regardingpoint(d)KaleidescapemayalsochoosetolimitsomeCustomerstocertaintypes/profilesofcontent, althoughitisnotclearwhatthecircumstanceswouldbethatwouldpromptthisdecision. e) The%system%shall%proactively%renew%the%protection%and%diversity%of%its%software%components. % f) % The%security%provider%shall%actively%monitor%for%breaches. % Items(e)and(f)areissuesofgovernance,processandcapability,andwebelievethatKaleidescapeiswell positionedhere theyhaveanextremelycomprehensivewebstorepurchaseandcustomerdevicelog monitoringactivityinplace,aswellastheirownnetworkinfrastructuremonitoring.softwareupdatesare downloadedinwhole,andpurchasescanbewithheldonthebasisofsoftwareversion. DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 25

26 CONFIDENTIAL Wewouldhoweversuggestthat,givenKaleidescapehasa static DRMthatinthecaseofveryhighvaluecontent, again,achallenge/responsewiththeheadiendshouldcommencebeforeplayback Outputs"&"Link"Protection" a) The%system%shall%allow%HDCP%2.2%or%better%to%be%required%by%content. % b) The%system%shall%allow%other%outputs%to%be%selectable%by%content. % HDCP2.2willbeobligatoryon4KIcapableSoCs,andKaleidescapehaveremovedanalogueoutputsontheirlatest product,thecinemaone.thereforewedonotseeanyissuewithmeetingtheserequirements. DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 26

27 11 Appendix(<List%of%Reviewed%Documents" CONFIDENTIAL Kaleidescapemadeavailablethefollowingdocumentsforreview: 1. KeystotheMegalonCastle(printoutofConfluenceIrepositorydocument,viewedonIsite) 2. KCFIBProcess(printoutofConfluenceIrepositorydocument,viewedonIsite) 3. SecurityReport(ofWebStore),SektionEnsGmbH,2012 Otherdocumentsreferenced: 4. InformationtechnologyIIMPEGsystemstechnologiesIIPart7:CommonencryptioninISObasemedia fileformatfiles,iso/iec23001i7: EnhancedContentProtection(ECP)Specificationv1.0,Movielabs,2012 % % DISCLAIMER:Thisdocumentisconfidentialandmaybeprivilegedorotherwiseprotectedfromdisclosureandmayinclude proprietaryinformation.unauthorisedreproductionordisclosureofthisinformationinwholeorinpartisprohibited. 27