NAGRA MEDIA PRM A SOLUTION FOR THE DELIVERY AND PERSISTENT STORAGE OF PROTECTED CONTENT

Transcription

1 NAGRA MEDIA PRM A SOLUTION FOR THE DELIVERY AND PERSISTENT STORAGE OF PROTECTED CONTENT PREPARED FOR DTLA FOR USE IN REVIEW OF PRM AS AN APPROVED RECORDING PROTECTION TECHNOLOGY FOR DTCP DECEMBER 2010 Copyright 2010 Nagravision SA. All Rights Reserved. CH-1033 Cheseaux, Switzerland

2 Table of Contents 1 Introduction 3 2 Nagra Media PRM Overview Digital Video Recorder (DVR) Video On Demand Authorized Domain 7 3 DTCP TO Nagra Media PRM Use Cases 8 4 Nagravision Security Architecture Compliance and Robustness Nagra On-Chip Security (NOCS) Nagra Advance Security Certification (NASC) Software Boot and Download Protection Port Protections Software API Testing and Validation Hardware Access Protection Networking Communication NASC Certification Centers 13 5 Nagravision Legal Framework 14 6 DTLA Objective Criteria DTLA Review Policy Review Legal Review Technical Compliance Content Owner and Implementer Support 17 Appendix A. DTCP Copy Information mapping to PRM 18 Appendix B. Usage rules 20 Page 2 of 22

3 1 INTRODUCTION Nagravision is proposing that Nagra Media (PRM) be approved by Digital Transmission Licensing Administrator (DTLA) as a Recording Protection Technology for Digital Transmission Content Protection (DTCP) 1. Nagravision has developed and deployed PRM to enable cable, satellite and IPTV service providers to securely propagate and store content and its associated rights across a variety of media devices. PRM is comparable to a Digital Rights Management (DRM) system. PRM has three major use cases: 1. Digital Video Recorder (DVR) security for stored content, 2. Video on Demand (VoD) security for pushed, pulled and streaming content, and 3. Content distribution in an Authorized Domain, for home networking and device refurbishment. In various applications of PRM, DTCP is already an approved output, e.g., from a PayTV set-top box. In other words, PRM can be a source for DTCP content. This document provides information to support Nagravision s request that PRM be approved to serve as a DTCP Sink for the persistent storage of DT Data. Enabling PRM for DTCP sink protection will enhance interoperability of protected content among consumer devices, including those typically associated with PayTV and others. PRM s specification and license are similar to other DRM compliance and robustness rules. As with most other systems, the specification must be followed by the application or middleware using PRM. PRM allows both hardware and software implementations, but these are managed separately in the market. The hardware PRM is available for device manufacturers to implement in their devices, while Software PRM is currently provided by Nagravision as part of a bundled solution call Nagra Media Player. Software PRM is cryptographically segmented from Hardware PRM so that entitlements from one system cannot be interpreted by the other. This document describes Hardware PRM and how it meets the requirements for use as a persistent storage technology for DTCP. Hardware PRM uses cryptographic tools to secure the content and leverages hardware security features in silicon. For Hardware PRM, Nagravision has very specific requirements because the device must comply with the Nagravision Advanced Security Certification (NASC), which is a device manufacturer certification program. Traditionally for set-top box (STB) manufacturers, NASC specifies the platform security requirements for the device. NASC ensures robustness of not only PRM, but Conditional Access (CA) systems, 3 rd party DRMs, boot loaders, software download mechanisms and other software stacks. NASC requires the use of a chipset which includes Nagravision On-Chip Security (NOCS), which a certification program for embedded hardware security features implemented by chipset manufacturers. NASC highlights include: Requirement to follow specification and to include NOCS hardware security Four (4) centers around the world to certify that the devices meet all requirements All major device manufacturers are customers 2 Over 120 certifications per year Specification for leveraging chipset security for secure boot and download authentication Robust hardware design specification to prevent hardware attacks Network connection guidelines to avoid network attacks (e.g. cross scripting, denial of service attacks) NOCS hardware security is available in a range of high-end and low-end chipsets, and does not require the complexity and expense of a special security processor. NOCS highlights include: 1 Pursuant to Appendix B, Part 1, Section of the Adopter Agreement 2 E.g., ADB, Arion, Changhong, Cisco, Coship, Echostar, Huawei, Humax, Kaon, LG, Novabase, Netgem, Pace, Prime, Sagem, Samsung, Skardin, Technicolor, Telsey, and Zinwell Page 3 of 22

4 All major PayTV chipset vendors implement NOCS 3 NOCS requires adherence to specification and security requirements Over 30 chipset models certified to meet all requirements Over 40 million chipsets deployed Unique ID, unique device secrets, code signing, anti-debug protections Cross-chipset software API provides portability across devices Secure key generation, insertion and management infrastructure PRM benefits from Nagravision s culture of content protection: Over 20-year track record in content protection and device security Experience, independence and processes that ensure customers receive the best in breed of platform security Industry leading certification and best practices in device security Experience in multi-vendor security environments and horizontal device markets 4 In addition, Nagravision has legal agreements with all device manufacturers that implement PRM to ensure that devices manufactured and distributed by such entities: Meet the NASC security specification and pass certification tests Are able to securely update through software downloads to support revocation and renewal requirements Do not use Open Source Software in such a way to taint the PRM software The legal agreements also ensure that such manufacturers: Allow audit and sampling of locations and devices to ensure devices comply with the original certified device. Penalties are US$250,000 per model or actual damages for non-compliance. Do not participate directly or indirectly in hacking activities and does not include any defeating functions to assist in such hacking, with penalties of US$ 5 million or more per violation. As summarized above and further described herein, PRM equals or exceeds the requirements outlined in the document Statement of DTLA Objective Criteria for Reviewing Recording and Retransmission Protection Technologies. Major service providers are already using PRM with new devices anticipated to combine both DTCP and PRM. Accordingly, Nagravision has prepared this white paper to accompany its formal request to DTLA for approval of the use of PRM for the persistent protected storage of content that has been delivered using DTCP. 3 E.g., ST, Broadcom, Intel, NXP, NEC (Renasys), Sigma and Conexant 4 NASC is already the certification standard for horizontal device and multi-ca/drm environments in a number of countries Page 4 of 22

5 2 NAGRA MEDIA PRM OVERVIEW PRM is a security solution providing content protection for: 1. Digital Video Recorder (DVR) security 2. Video on Demand (VoD) security for pushed, pulled and streaming content, and 3. Content distribution in an Authorized Domain, for home networking and device refurbishment These different cases are summarized in Figure 1. Figure 1 Nagra Media PRM: Persistent Right Management The common aspects of each of these use cases are as follows: Content Protection Any piece of content recorded or received on the device is encrypted. Recorded content protection is done as soon as CAS, DTCP or other link protection is removed. PRM uses one scrambling key per asset. Credentials Protection and Authentication Access to protected content requires a valid credential, PRM cryptography is based on the presence of a unique secret in the device hardware. This secret allows PRM to create a specific entitlement that can only be decrypted by a specific device. In addition, in VOD use cases, entitlements are signed to ensure both the integrity and that they were created in the Nagra head-end. Cryptography The protection of content and credentials is performed using state of the art cryptography: PRM supports the AES cipher, in several modes applied either on the MPEG-2 TS payload or on the full file. The CBC or ECB encryption modes are used. 128-bit keys ensure proper protection of content. PRM ensures both confidentially (by encryption) and authenticity and integrity (by signing) of all credentials. The signing is based on a 1024-bit long RSA key pair. Page 5 of 22

6 2.1 DIGITAL VIDEO RECORDER (DVR) PRM enables secure recording of content with usage rules (see Appendix B). These usage rules enable a variety of use cases to be securely managed, for example, some content may be only available for live watching, while other content may be stored on the device s hard disk drive (HDD) for later viewing. The system secures local content by individually scrambling each asset with a unique content key: Unique to the device the same asset recorded by two different devices at the same time will be scrambled with a different content key. Unique to the content each asset recorded by the same device is scrambled with a different content key. This protection mechanism has two main advantages: An asset recorded by a device can only be viewed by that device. If the content key of one asset is compromised, it cannot be used to descramble any other content on the device. When a device records content, it produces an entitlement that is then associated to that particular asset on the storage unit. The entitlement contains both the content key and the usage rules for that asset. The entitlement is encrypted by a hardware secret that is unique to that device. Whenever CAS, DRM or link protection such as DTCP is used to protect content received by the device, PRM evaluates and enforces usage rules received in conjunction with the CAS, DRM or link protection for controlling the recording on a storage unit. These usage rules can be Copy Control Information (CCI), digital and analog outputs management, etc. These usage rules are then assessed again at playback and when transfering to another device. Local Recording of Broadcast Content When content is received protected by a CA System, PRM can control how linear or broadcast content is recorded by the device. PRM usage rules are retrieved from CAS information embedded in the ECMs, which are securely delivered to the device. Local Recording of Content received using DTCP PRM securely handles, in the device, content that has been delivered protected by DTCP. The mapping of DTCP CCI and other DTCP fields to PRM is given in Appendix A. 2.2 VIDEO ON DEMAND PRM protects Video on Demand (VoD) content, including adaptively streamed content whether VoD or Live. VoD encompasses both Push-VoD (content is pushed to the device storage unit before the end-user may purchase it), Pull-VoD (content is loaded to the device storage unit upon end-user request only) and streamed content (content is rendered immediately and not stored permanently). The system encrypts content at the head-end and generates entitlements uniquely associated with the target device 5. PRM works with a wide range of mechanisms to transport the content from the headend to the device, and does not place specific limitations on such delivery. Access to content is granted through the delivery to the device of the unique PRM entitlement. This entitlement is generated by the PRM head-end components upon request for a specific content item by a specific device. Usage rules for controlling the consumption of content are securely conveyed in the entitlements associated with the content. A portal handling the viewer s VoD purchase typically performs the delivery of this entitlement to the device, which can be through a range of delivery mechanisms. 5 The head-end has the means to securely encrypt licenses uniquely for a device Page 6 of 22

7 Content Revocation Content may reside on the device storage unit at the time content is intended to be removed from the VoD catalogue or after rights expire. PRM enforces the expiration of authorized usage through content revocation. Content that is globally revoked (i.e., revocation which applies globally to all users) is no longer playable, regardless of whether or not entitlements have been previously delivered. VoD Entitlement Revocation For various reasons (e.g. an entitlement contains an erroneous expiration date), an entitlement might need to be revoked. This is a unique revocation, where only the end-user of that particular entitlement is affected by the revocation. 2.3 AUTHORIZED DOMAIN Each locally recorded live content is protected in such a way that only the device that performed the recording is able to retrieve the content key to play it back. The principle of the Authorized Domain is to allow several authorized devices to share the same set of recorded contents, while preventing non-authorized devices to have access to it. When DT Data is input into PRM, the usage rules are set to preclude output of content from one PRM device to another, effectively disabling the Authorized Domain functionality for DT Data. The Authorized Domain is under complete control of the head-end: Two devices need to get a common secret provided by the head-end upon authorization, before being able to share content. Content Refurbishment The Content Refurbishment is a feature that allows a device to access all contents recorded by a former device, despite that content is uniquely protected. It is a particular use case of Authorized Domain. This is especially useful in case a device crashes and must be replaced by a new hardware, keeping the same storage unit. It allows the end-user to preserve access to all its recorded contents. Page 7 of 22

8 3 DTCP TO NAGRA MEDIA PRM USE CASES The DVR-VoD Library (DVL) is the PRM component on the device. The DVL software relies on a Driver Abstraction Layer (DAL) that gives access to the OS, hardware cryptography functions and other chipset resources of the device. The DVL is in charge of decrypting and evaluating the credentials passed by the device application and of setting the content key into the chipset for recording or playback. The DVL has no access to received content and the associated metadata regardless of the manner in which received content was protected, using DTCP or a CA System (e.g. live stream). For PRM features, this means that the DVL has to cohabitate with a DTCP stack or CAS kernel on the device. Transfer of the protection of content between these different components relies on compliance with the PRM Specifications, which the device has to follow. The device application and all these components are signed and integrity is checked at boot time, so that only authorized applications can manipulate content following the defined usage rules. More details on compliance and robustness are given in Section 4. The DTCP Sink function handles protected content descrambling. When recording, the CCI are retrieved by the device Application and provided to the PRM DVL. Figure 2 Device with the PRM DVL, DTCP stack, and CAS kernel The following description applies to the typical DTCP Sink function use case. Persistent storage control is based on the value of the CCI bits carried in the stream. The recording workflow is illustrated in Figure 3: 1. Content is made available from the DTCP Sink and the CCI evaluated to define if recording is allowed or not; 2. The device application triggers the start of a recording session and provides the credentials to the DVL; 3. The DVL generates a content key for scrambling of the content; 4. The DVL returns a entitlement to the device application; and 5. The device application stores the entitlements alongside content. Page 8 of 22

9 Figure 3 DVR Recording Within this flow, the enforcement of the CCI/usage rules is under the responsibility of the full device. The correct behavior of the device is ensured by compliance with the PRM Specification plus the NASC certification as described in Section 4.3. DTCP maps to the PRM as defined in the metadata of the PRM entitlement as described in Appendix A. Playback is illustrated in Figure 4: 1. The device application retrieves the entitlement stored alongside content; 2. The device application provides it to the DVL; 3. The DVL checks the entitlement validity and, if valid, sets the content key in the descrambler; 4. The DVL returns an updated entitlement to the device application (e.g. updating usage rules); and 5. The device application stores the entitlements alongside the content. Note that should content be later exported or moved using DTCP (DTCP Source Function), CCI and usage rules are asserted by the DTCP Source and, if entitled, content is encrypted and exported by the DTCP stack. Figure 4 DVR Playback Page 9 of 22

10 4 NAGRAVISION SECURITY ARCHITECTURE 4.1 COMPLIANCE AND ROBUSTNESS When Nagravision considers device security we look at it in three steps (Figure 5): Security into the device, including both scrambled content and its usage rules; Security on the device, including access to clear content and persistent storage of content on a storage unit; and Security out of the device, including both uncompressed (e.g. HDCP on HDMI) and compressed outputs (e.g. DTCP on IP). DTCP can provide security into a device (DTCP Sink), and security out of the device (DTCP Source). Figure 5 Nagravision perspective on content protection and device security Since in most cases the security system is independent of the middleware or media player that must implement the usage rules, the concept of compliance has been developed to ensure the device as a whole both the PRM and the application complies with the usage rules and rights associated with content. Some rights can be enforced by the DRM or CA system itself, for example access to the content and time-based rights. However, some rights and usage must be determined in conjunction with the application such as output controls (e.g. turn on analog protections, or image constraint on unprotected digital outputs), play counts, persistent storage, bridging of rights to other DRM or protected digital outputs. In short, compliance requires that the whole device must correctly perform what is communicated via the PRM usage rules. Generally, compliance is testable. Robustness specifies the precautions necessary to avoid compromise of the software and content on the device. Most DRM systems specify the different asset types (e.g. device secrets vs. content keys vs. personal data) and the level of resistance to attack required for different assets on the device based on different types of attack tool categories (e.g. Professional Tools vs. Specialized Tools vs. Widely Available Tools). Nagravision has taken a different approach to robustness, because robustness is much harder to actually test. Rather than leave this up to each device manufacturer and risk weak implementations in the market, Nagravision developed a certification program called Nagravision Advanced Security Certification (NASC). This includes specifications, visual analysis, security design reviews and functional tests to ensure the proper security precautions have been under taken. To help visualize compliance and robustness rules, Figure 6 shows how robustness and compliance rules are met on the typical device. Page 10 of 22

11 Device Security Into the Device On the Device Out of Device Compliance DRM or CA System Middleware + DVR Software Middleware + STB Drivers Robustness Device Secret Anti-tamper Anti-debug Figure 6 Device security relationship to compliance and robustness rules 4.2 NAGRA ON-CHIP SECURITY (NOCS) In fact, Nagravision has two levels of certification. One for chipset vendors called Nagra On-Chip Security (NOCS), and a certification for device manufacturers called NASC, that requires the NOCS chipset features. NOCS was first specified to chipset manufacturers in Nagravision has implemented and evolved this security since and NOCS 1.2 was recently released in All major Pay-TV chipset providers have NOCS certified chipsets including, ST, Broadcom, Intel, NXP, NEC (Renasys), Sigma and Conexant. Over 30 different chips have been certified and over 30 million NOCS chipsets have been deployed. NOCS is a secure, cross-chipset security certification and key management system that ensures a consistent quality of implementation for chipset security features. The significant value is the common API and infrastructure, which provide a scalable chipset security solution for Nagra products, device manufacturers and our service providers. NOCS includes many security features, and the following key elements: 1. Nagra Unique ID (NUID) ensures uniquely identified chipsets; 2. Unique device secrets ensures device secrets are not accessible in memory for secure decryption of secrets, entitlements, content keys and control words; 3. Software authentication provides software tamper-resistance and secure boot loading via an embedded RSA key; 4. Debug port protections prevents observation and modification of software and data in memory during execution; and 5. Persistent Values & Configuration defines specific secure chipset configurations and values that must set and locked. NOCS is more than just chipset features, but a complete infrastructure including: Specification and implementation guidelines used by chipset vendor design teams Nagra certification team and processes to certify chipset implementations A common cross chipset API to access the NOCS hardware elements Nagra Black Boxes that are installed in chipset manufacturers around the world for key insertion into the chipsets. Page 11 of 22

12 Nagra Production Services, which performs a number of important services: Key generation, reporting and delivery to Black Boxes Key generation, reporting and delivery to device manufacturers Delivery of device specific key files to operator head-ends NOCS security is an important element in all Nagra products, including: Nagra Media Access CLK product (card-based CAS for Linear TV and VoD) Nagra Media Access ELK product (cardless CAS for two-way connected networks) Nagra Media PRM (DVR, VoD and Authorized Domains solutions 4.3 NAGRA ADVANCE SECURITY CERTIFICATION (NASC) Nagra Advanced Security Certification (NASC) is a specification and certification process for device manufacturers to ensure their devices properly leverage the NOCS security features in the chipset in order to provide the security needed for Nagra CA and DRM products and content protection. Most major device vendors have produced NASC-certified devices, including ADB, Arion, Changhong, Cisco, Coship, Echostar, Huawei, Humax, Kaon, LG, Novabase, Netgem, Pace, Prime, Sagem, Samsung, Skardin, Technicolor, Telsey and Zinwell. The advantage of a certification process is that it ensures a minimum standard and prevents weak implementations from entering the market. Device manufacturers are not all created equal and without a standard, they are not motivated to improve the security. Often weaker devices that facilitate piracy will sell better than secure devices. While in theory a heavily pirated class of devices could be revoked, this is at the risk of annoying many legitimate customers. The NASC specification is highly technical and only available under NDA. The next sections highlight some key aspects of the specifications and certification process Software Boot and Download Protection An important certification step centers around the software booting and software download authentication processes. These must correctly leverage signature checking features in the NOCS chipset. NASC includes: Preventing modifications on the boot loader code and validating the code during boot by using the signature process. Preventing download of non-authorized code in flash memory and validating the update software using the signature process Port Protections JTAG access must be either locked with a password/key or permanently disabled. Nagravision provides JTAG passwords as part of the NOCS features. These passwords are unique per device and are individually tracked. Devices whose passwords have been released (e.g. for pre-production or debugging purposes) are typically removed from the field and/or blacklisted on the operator head-end Software API Testing and Validation NASC certification checks that NOCS unique identifiers, keys, key ladders and other security features can be accessed correctly by the software This testing is performed using specific generated test streams and keys following a well established and defined process to ensure a consistent response across a wide variety of customer platforms. This certification step ensures a cross-chipset solution. Page 12 of 22

13 4.3.4 Hardware Access Protection NASC ensures that the physical hardware implementation secures device memory (e.g. flash, RAM, mass storage), sensitive communication buses (e.g. flash bus), as well as internal components or connectors on these buses. The most basic requirement is to remove all unnecessary connectors or solder pads. There are requirements for certain components and parts on the PCB that need to be protected: Flash: shall contain a permanently locked sector (PLS) and shall be protected against unauthorized replacement. Alternatively employ flash where some sectors could be transformed in read only sectors by burning a fuse or use flash where some sectors could be protected by a password. Flash bus: must protect against unauthorized access to the flash bus (e.g. BGA packaging). RAM: must limit access to the bus (e.g. BGA packaging). Connectors: must disable non-required or unused sensitive connectors. This minimum hardware protection is defined as a level where reprogramming of the code and data in the flash device shall be restricted to professional tools in authorized premises Networking Communication NASC also has requirements that apply to network communication between the device and other hosts. Network communication is any communication through a network interface such as: Ethernet interface WiFi interface USB interface with an Ethernet dongle Bluetooth interface, etc The NASC networking concept is closely linked to the definition of host and trusted host. The device shall authenticate the hosts it communicates with, not the opposite. More formally, a trusted host is one of the following device types: A device compliant with NASC security requirements. In this case, the device can authenticate such device relying on either asymmetric or symmetric keys algorithm. A device that owns a certificate issued by a trusted authority. The certificate validates that the host is what it claims to be NASC Certification Centers Nagravision has NASC certification centers in Switzerland (Cheseaux), the USA (Atlanta) and China (Shanghai & Beijing). These centers certify over 120 different devices each year. In addition Nagravision provides device testing via an independent subsidiary called TESC. TESC can test that the user interface follows specific guidelines and/or that compliance rules are properly met. Page 13 of 22

14 5 NAGRAVISION LEGAL FRAMEWORK PRM is also governed by a standard legal contract between Nagravision and the device manufacturer. This section describes the key points covered under this agreement. The document can be made available for review under a Non-Disclosure Agreement (NDA). The device manufacturer: Shall have no rights to reverse engineer, or decompile the PRM Software. Must meet the requirements of the PRM Specification and the NASC Specification. Must implement any updates to the NASC Specification on new devices according to the timeframes and process outlined in the license agreement. Shall allow a security audit of their location to ensure procedures and precautions are in place to guarantee the confidentiality of the elements furnished or made available, as well as to verify that the use of the PRM Software is in accordance with the rules. Shall allow for sampling of devices for compliance with the NASC specification. Must represent and warrant that it has not incorporated and will not incorporate any Open Source Software in whole or in part into any part of the software, and has not used and will not use any Open Source Software in whole or in part in the development of any part of the software in a manner that may subject the PRM implementation, in whole or in part, to all or part of the license obligations of any Open Source Software. Shall provide the right to perform software updates free of charge to the device and must provide support for such updates, if needed, under a time and expenses agreement. Must warrant that there is no Conflict of Interest, such that the device manufacturer has no contractual or other relationship with any entity or individual involved in piracy or hacking, and that is not and shall not be directly or indirectly involved in piracy or hacking, including by using in the STB defeating functions (by defeating functions it is meant switches, buttons, jumpers and software equivalent, service menus or remote control functions which can be used to defeat conditional access or content protection technologies, output restrictions or protections, recording restrictions or protections or by which data in the STB can be exposed to output, interception, retransmission or copying other than as permitted). Financial Penalties for the device manufacturer are as follows: Liability associated with breach of Open Source warranties is uncapped. Liability for the lack of compliance with the certified devices, if discrepancies found, or information withheld, is US$250,000 per model, or more for actual financial damages. Liability associated with the breach of Conflict of Interest is US$ 5 million per violation. Page 14 of 22

15 6 DTLA OBJECTIVE CRITERIA This section is based on the document Statement of DTLA Objective Criteria for Reviewing Recording and Retransmission Protection Technologies. Answers are provided to help assessment of the evaluation criteria. 6.1 DTLA REVIEW Policy Review The proposed technology does not impair interoperability with respect to the exchange of DT Data among licensed products. Approval of PRM will not impair, but will instead enable, interoperability. The exchange of DT Data is carried out by Nagravision or other 3 rd party DTCP stack implementations in compliance with this requirement. This ensures that the complete product associating DTCP and PRM is interoperable with other licensed products Legal Review The license agreement implements requirements that are no less stringent than the requirements of Exhibit B Part 1: Compliance Rules for Sink Functions, as set forth in the most current version of the DTLA Adopter Agreement, including with respect to maintaining the protection of DT Data through authorized digital, analog and high definition analog outputs, and prohibiting unauthorized retransmission of DT Data over wide area networks and the Internet. The PRM specification and associated NASC and NOCS licenses are, at least as stringent as the DTLA Compliance rules. NASC compliance and robustness has been designed for PayTV Conditional Access Systemswi technologies that are widely trusted. PRM provides selectable output controls and, under those controls, can only enable output to protected digital outputs that prohibit retransmission of DT Data over wide area networks and the Internet. If the technology so permits, the license agreement provides for a right of revocation or for renewability where the security elements of a particular device have been cloned. The PRM license and architecture fully support revocation and renewability. PRM is taking advantage of a unique hardware secret on a device. When receiving or exchanging content, devices need to acquire from a head-end credentials and entitlements to allow this. This required connection to the head-end allows monitoring of the activity and cloned devices or any other suspicious device can then be detected. A device will be black-listed and not allowed to get content. PRM also allows revocation of entitlements already delivered, hence disabling a device from accessing content. All devices are required to support secure software updates to enable renewability. The license agreement provides protections against the device interfering with a consensus watermark, in a manner no less stringent than the obligations set forth in Section 6 of Exhibit B, Part 1: Compliance Rules for Sink Functions in the most current version of the DTLA Adopter Agreement. Clear content is not modified by the PRM solution. So Nagra Media PRM does not interfere with any known Watermark technology. The license agreement imposes robustness requirements that are no less stringent than the applicable Robustness Rules as set forth in the most current version of the DTLA Adopter Agreement. PRM is built upon NOCS (see Sections 4.2) NASC (see Section 4.3). The robustness requirements are more stringent than DTCP and must be certified prior to distribution of the device. A DTCP software stack (whether provided by Nagravision or a 3 rd party) will also benefit from robustness provided by NASC as the requirements are the same or more stringent. Page 15 of 22

16 Nagravision has established license agreements with chipsets manufacturers for NOCS and license agreements with device manufactures for PRM and NASC. Agreements are available only under NDA. The PRM and NASC license agreements include clauses allowing Nagravision to perform security audits. In case of piracy, the licensee is liable for a certain indemnity. The NOCS license agreement includes clauses allowing Nagravision to suspend the product validation in case of security issues. In addition, chipset architectures are validated by Nagravision. Lastly, in case of piracy, the licensee is liable for a certain indemnity. Legal recourse potentially is available in case of circumvention of the technology by persons other than licensees. The Kudelski Group has a history of tracking companies or individuals that circumvent Nagravision technologies. The Kudelski Group has dedicated monitoring and countermeasures team including both legal and technical personnel for this matter. In the last years, the Group was able to win several trials in this field. Please refer to the following press releases for further details: The Kudelski Group continues its fight against piracy initiatives, available at Verdict against pirating of television programs, available at Pirating of television programs: A further verdict on illegal decoder cards, available at The license provides, or the licensor commits, that future amendments to the license that would affect the license terms and conditions that were disclosed to DTLA will not diminish the protections afforded to DT Data, as described above. Nagravision has the reputation as the provider of the highest-level of security technology and services in the PayTV market. Our commercial interests are completely aligned with the DTLA and the Content Participants to continue to provide best in breed security. Evolution of NOCS security and NASC robustness will be at least if not more restrictive compared to existing versions. As a consequence, the offered protection with PRM and in the device will not diminish and therefore the protection offered to DT Data will not diminish Technical Compliance The proponent of the technology should provide to the DTLA sufficient technical information to demonstrate that: The recording technology provides for detection and correct response to copy control information, as defined by the DTLA Specification (in EMI, Embedded CCI or both). CCI carried through DTCP link is handled by the device application and maintained within the entitlement by the DVL. In case of an export of the content, CCI are provided for carriage over output protection link. When recording is requested, the device application correctly enforces the CCI. NASC ensures that the device application is not modified and hence ensures that CCI enforcement is performed. The recording technology provides for a means of security for the making of permissible copies, as set forth in Section 2 of Exhibit B, Part 1: Compliance Rules for Sink Functions of the most current version of the DTLA Adopter Agreement. The handling of CCI is managed by the combination of the PRM DVL component, the DTCP stack provided by Nagravision or a 3 rd party and the device application. This is described in detail in sections 2 and 3. The recording technology provides that removable recorded media will maintain the required level of protection when played back on a device other than the device upon which the recording was made. Content recorded on removable media can only be played back on a trusted device for which dedicated credentials has been generated. These credentials can only be obtained from the head-end. Page 16 of 22

17 6.2 CONTENT OWNER AND IMPLEMENTER SUPPORT In addition to meeting the above criteria, the proponent may provide to DTLA evidence of support for the technology and licensing terms and conditions from Content Participants and DTCP Adopters. In addition, the proponent also may provide to DTLA evidence of support for the technology and licensing terms and conditions from: a. Motion picture companies that are members of the MPAA, in the case of technology used to protect audiovisual works, PRM is already used to protect premium VOD and DVR recording at Canal+, Mediaset and other major service providers. b. Major sound recording labels, in the case of technology used to protect only sound recordings, and Not applicable. c. Manufacturers interested in implementing both the proposed technology and DTCP. Samsung In the event that the proposed technology and licensing terms and conditions do not meet one or more of the requirements set forth in subsections B and C of Section I above, the proponent should provide DTLA with evidence of support for the technology from a substantial number of major motion picture or recording companies, as applicable. Not applicable. Page 17 of 22

18 APPENDIX A. DTCP COPY INFORMATION MAPPING TO PRM DTCP defines the following fields controlling content display and further export when received on a Sink device: Retention_Move_mode Retention_State EPN DTCP_CCI Analog_Sunset_Token Image_Constraint_Token APS If the Sink device implements Nagra Media PRM, then the following rules apply: All fields take their default values as shown in Appendix B, except as expressed below. The Authorized Domain functionality of PRM is disabled for DT Data. PRM_ token = 0 Analog_Sunset_Token asserted digital_only_token = 1. DTCP_CCI = 11 (Copy-Never) and Retention_Move_mode = 0 This is the case where the Sink device receives content that is streamed. It can not be stored permanently and it can be displayed. The Retention_State_value defines the duration that can be temporary stored for replay buffer functionalities, Received content is protected by the PRM and a PRM entitlement is created with the following values: recording_flag = 0, cci = 11, retention_state = Retention_State_value, image_constraint = Image_Constraint_Token_value, digital_only_token = 1. DTCP_CCI = 11 (Copy-Never) and Retention_Move_mode = 1 This is the case where the Sink device receives content that is streamed. It can not be stored permanently or in a review buffer and it can be displayed. DTCP_CCI = 01 (No-more-copies) In this case, the Sink device will treat the content as Copy-Never and not allow permanent storage of the content. Received content is protected by the PRM and a PRM entitlement is created with the following values: recording_flag = 0, cci = 01, image_constraint = Image_Constraint_Token_value, digital_only_token = 1, concurrent_viewing = 000 DTCP_CCI = 10 (Copy-one-generation) and Retention_Move_mode = 0 This is the case where the Sink device is allowed to permanently store the content and to make an additional copy. Received content is protected by the PRM and a PRM entitlement is created with the following values: Page 18 of 22

19 recording_flag = 1, cci = 01, image_constraint = Image_Constraint_Token_value, digital_only_token = 1. DTCP_CCI = 10 (Copy-one-generation) and Retention_Move_mode = 1 Treated as Copy Never content with Retention_Move_mode = 1. DTCP_CCI = 00 (Copy-Free) and EPN asserted This is the case where the Sink device is allowed to permanently store the content. Received content is protected by the PRM and a PRM entitlement is created with the following values: recording_flag = 1, cci = 00, image_constraint = Image_Constraint_Token_value, digital_only_token = 1. DTCP_CCI = 00 (Copy-free) and EPN not asserted This is the case where the Sink device is allowed to permanently store the content and to make an unlimited number of copies. Received content is protected by the PRM and a PRM entitlement is created with the following values: recording_flag = 1, cci = 00, image_constraint = Image_Constraint_Token_value, digital_only_token = 1. Page 19 of 22

20 APPENDIX B. USAGE RULES The following usage rules are supported by PRM. recording_flag: This is a 1-bit field. Possible values are: 0 Recording is not allowed. 1 Protected recording is allowed. The default value is 1. This flag does not apply to the review buffer which is governed by other fields. This applies to whether a persistent copy is allowed (e.g. after the device is shut-down). original_sub_required: This is a 1-bit field. Possible values are: 0 At playback time, no valid subscription on the channel content has been recorded is needed. 1 At playback time, a valid subscription on the channel content has been recorded is needed. The default value is 0. dvr_sub_required: This is a 1-bit field. Possible values are: 0 At recording time, no valid DVR subscription is needed. 1 At recording time, a valid DVR subscription is needed. The default value is 0. trans_coding_control: This is a 1-bit field. Possible values are: 0 Trans-coding or re-encoding of content is not allowed. 1 Trans-coding or re-encoding of content is allowed. The default value is 1. image_constraint: This is a 1-bit field. Possible values are: 0 Downscaled from HD analog video to SD analog video on the component video interface is not required. 1 Downscaled from HD analog video to SD analog video on the component video interface is required. The default value is 1. trick_mode_control: This is a 4-bit field. Possible values are: 0000 No restrictions No skipping, fast forward and fast backward limited to Speed No skipping, fast forward and fast backward limited to Speed No skipping, fast forward and fast backward limited to Speed No skipping, fast forward and fast backward limited to Speed n No skipping/jumping/fast forward/fast backward. Other values are reserved for future use. Page 20 of 22

21 Speeds 1 to n are those supported by the application on the device. The default value is playcount: This is a 4-bit field. This is the maximum number of time playback of content is allowed. If set to 0, then the number of playback is not limited. Actual playcount value is stored separately. The default value is 0. concurrent_viewing: This is a 3-bit field. This is the maximum number of clients a gateway is allowed to concurrently stream to. Possible values are: 000 Local viewing only 001 Concurrent streaming to a maximum of 1 client is allowed 010 Concurrent streaming to a maximum of 2 clients is allowed 011 Concurrent streaming to a maximum of 3 clients is allowed 100 Concurrent streaming to a maximum of 4 clients is allowed 101 Concurrent streaming to a maximum of 8 clients is allowed 110 Concurrent streaming to a maximum of 12 clients is allowed 111 Concurrent streaming to an unlimited number of clients is allowed The default value is 110. digital_only_token: This is a 1-bit field. Possible values are: 0 Output of decrypted content is allowed on Analog Outputs. 1 Output of decrypted content is not allowed on Analog outputs. The default value is 0. unprotected_digital_output_token: This is a 1-bit field. Possible values are: 0 Output of decrypted content on Unprotected Digital Outputs is not allowed. 1 Output of decrypted content on Unprotected Digital outputs is allowed. The default value is 0. hdcp_token: This is a 1-bit field. Possible values are: 0 Output of content on HDCP is not allowed 1 Output of content on HDCP is allowed. The default value is 1. dtcp_token: This is a 1-bit field. Possible values are: 0 Output of content on DTCP is not allowed. 1 Output of content on DTCP is allowed. The default value is 1. WMDRM_token: This is a 1-bit field. Possible values are: 0 Output of content on WMDRM is not allowed. Page 21 of 22

22 1 Output of content on WMDRM is allowed. The default value is 0. PRM_token: This is a 1-bit field. Possible values are: 0 Output of content on PRM is not allowed. 1 Output of content on PRM is allowed. The default value is 1. others_token: This is a 1-bit field. Possible values are: 0 Output of content on any other protection systems is not allowed. 1 Output of content on all other protection systems is allowed. This token constitutes the output control for any and all other content protection systems other than HDCP, DTCP, PRM and WMDRM. The default value is 0. cci: This is a 2-bit filed. Possible values are those defined in DTCP for the same field and are: 00 Copy-control_not_asserted 01 No-more-copies 10 Copy-one-generation 11 Copy-Never retention_state: This is a 3-bit field. Possible values are those defined in DTCP for the same field and are: 000 Forever week days day hours hours hours minutes The default value is 111. Page 22 of 22