4K Network Security Proposal. UXTC - Technical Planning Group Sony Electronics 8/5/2014



Similar documents
4K Network Security Proposal Discussion with Studios. UXTC - Technical Planning Group Sony Electronics 8/10/2014

Digital Transmission Content Protection (DTCP) Technical and Licensing Overview

DIRECTV Set Top Box and Content Protection Description

MovieLabs Specification for Enhanced Content Protection Version 1.0

Delivering Pay TV Content throughout the Connected Home Amol Bhagwat

Fighting product clones through digital signatures

CI Plus Overview. 6th July CI Plus Limited Liability Partnership (LLP)

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Cisco Trust Anchor Technologies

solutions Biometrics integration

DLNA Guidelines March 2014

HMRC Secure Electronic Transfer (SET)

Chapter 1 Configuring Basic Connectivity

Server based signature service. Overview

Click Main on the left hand side then click on Password at the top of the page.

White Paper. The risks of authenticating with digital certificates exposed

VoIP Telephone system benefits:

Wireless LAN Security Mechanisms

Key Management Interoperability Protocol (KMIP)

Chapter 1 Configuring Internet Connectivity

Recommended Wireless Local Area Network Architecture

Matrix Technical Support Mailer 88

Securing EtherNet/IP Using DPI Firewall Technology

How to setup PPTP VPN connection with DI-804HV or DI-808HV using Windows PPTP client

How To Secure Wireless Networks

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

CERTIFICATION POLICY OF KIR for TRUSTED NON-QUALIFIED CERTIFICATES

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Certification Practice Statement

Hong Kong Information Security Outlook 2015 香 港 資 訊 保 安 展 望

Applying Cryptography as a Service to Mobile Applications

Smart LNB. White Paper. May 2014

Alexander installation and configuration guide.

HKUST CA. Certification Practice Statement

Web Security: Encryption & Authentication

Business Issues in the implementation of Digital signatures

Compliance Guide: PCI DSS

Configuring Secure Wireless (SFUNET-SECURE) for iphone/ipod Touch 2.0

OBM (Out of Band Management) Overview

Patterns for Secure Boot and Secure Storage in Computer Systems

Managing CA-Signed Certificates

Network Access Security. Lesson 10

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Meeting CJIS Advanced Authentication

Web Security Considerations

Keeping SCADA Networks Open and Secure DNP3 Security

Agilent MicroLab Software with Spectroscopy Configuration Manager and Spectroscopy Database Administrator (SCM/SDA)

Class 3 Registration Authority Charter

IPTV Primer. August Media Content Team IRT Workgroup

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia 2006 Cisco Systems, Inc. All rights reserved.

The Secure Sockets Layer (SSL)

Exploring the Remote Access Configuration Utility

Public Key Infrastructure (PKI)

Lecture VII : Public Key Infrastructure (PKI)

About the VM-Series Firewall

How To Use Adobe Software For A Business

Wakefield Council Secure and file transfer User guide for customers, partners and agencies

MN-700 Base Station Configuration Guide

Smartwatch Security Research

Wireless Robust Security Networks: Keeping the Bad Guys Out with i (WPA2)

State of Wisconsin DET File Transfer Protocol Service Offering Definition (FTP & SFTP)

Device-based Secure Data Management Scheme in a Smart Home

Attestation and Authentication Protocols Using the TPM

Instructions on TLS/SSL Certificates on Yealink Phones

About the VM-Series Firewall

CUSTOMER INFORMATION COMMZOOM, LLC PRIVACY POLICY. For additional and updated information, please visit our website at

QUANTIFY INSTALLATION GUIDE

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Roomie Remote Version 3

Grid Computing - X.509

OPENID AUTHENTICATION SECURITY

SAS Mobile BI Security and the Mobile Device

Assessment of Vaisala Veriteq vlog Validation System Compliance to 21 CFR Part 11 Requirements

Minimizing the use of sa in Microsoft Dynamics GP. Copyright Fastpath, Inc. 2011

Message authentication and. digital signatures

CRYPTOGRAPHY AS A SERVICE

Securing IP Networks with Implementation of IPv6

Information Security Policies. Version 6.1

Information Security Basic Concepts

Building Robust Security Solutions Using Layering And Independence

ADMINISTRATIVE POLICY # (2014) Remote Access. Policy Number: ADMINISTRATIVE POLICY # (2014) Remote Access

On-boarding and Provisioning with Cisco Identity Services Engine

HTTP Reverse Proxy Scenarios

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

CS 356 Lecture 28 Internet Authentication. Spring 2013

Securing Administrator Access to Internal Windows Servers

WIRELESS LAN SECURITY FUNDAMENTALS

ASE STUDY. Performance Testing & Security Testing for Web Applications.

Hanlong Technology Co., Ltd

Transcription:

4K Network Security Proposal UXTC - Technical Planning Group Sony Electronics 8/5/2014

Key Points: Overview Our proposed security approach uses existing, ordinary DTCP certificates that are already present for link protection. Unique/common DTCP Device ID (from client certificates) are received by the set-top box server from the TV, and checked against a white list (securely delivered by the service provider). In order to address security concerns, the white list will also list the software version number which the client should be at or greater. Manufacturers supply the certificate IDs (and minimum software version number) of conforming 4K TVs to the service provider for inclusion in the list. Inclusion in the white list can be based on objective [I understand the intent but the criteria we use may include factors difficult to quantify. Our hope is that 3rd party certification may be used] criteria at the discretion of the service provider. In addition, white list checking can be on a programmer-by-programmer [do you mean content provider by content provider?] and even content-by-content basis. White list approach can be used until a new type of DTCP certificate is created new version of DTCP is available that meets content providers Enhanced Content Protection requirements that confirms greater robustness, perhaps based on HDCP 2.X. At that time, The white list will not be needed for devices implementing this new version of DTCP will not that conform to that higher level of robustness could be updated to use this new DTCP certificate and the white list discontinued. Authentication Protocol: We propose using a modified version of the DLNA CVP-2 authentication (TLS with Supplemental Data). We modify the existing protocol, that currently just verifies the client and server certificates, to securely deliver additional information, such as including model # and the TV s current software version, in a secure TLS encrypted tunnel. Later, when link protection is established, the server can check to see if the Device ID (sent in the DTCP certificate) is the same.

Manufacturers supply service provider with list of conforming Device IDs (from DTCP certificates). Service provider must integrated them into a sequential list. DirecTV White List (e.g. SRM Format) 0102030405, SW Version 1122334455, SW Version 2122232425, SW Version Conditional Access 0102030405, SW version 1122334455, SW version 2122232425, SW version Authentication Proposal Step Step 1 2 DTCP Authenticate Key Exchange (AKE) (Cert Device ID: 0102030405) DTCP-IP (Copy Never) 1) (Step 1) Device ID is obtained from TLS with Supplemental Data Auth as part of DTCP client certificate that is exchanged. Other information will be securely exchanged (Make/Model #/Serial #/MAC/UUID/SW Version, etc.) 2) Set-top box checks for Device ID in the service operator s white list, and performs other verifications: SW version, etc. 3) Set-top box and TV perform AKE 4) (Step 2) During, DTCP AKE, Set-top box checks for Device ID in the revocation List (service Renewability Message) 5) Device ID from Authentication must be the same as in AKE TLS with Supp Data Authentication (Cert Device ID: 0102030405) + Make/Model #/Serial #/MAC Ethernet or Wi-Fi This is a new protocol a version is being standardized for the DLNA CVP2 Project DTCP Revocation List (SRM Format) SEL-UXTC DirecTV DTCP Revocation List (SRM Format) Set-top Box Proprietary and Sony 4K TV (STB) Confidential 3

Security Approach A general advantage of using DTCP certificates is that the service provider can confirm that the device that was authenticated is the same one in link protection. Studios may not be very comfortable with common DTCP Certificates. There is a belief that it may be difficult to differentiate an imposter from real devices. Cloning into a non-compliant devices is a real threat. The reporting of the same unique Device ID by different devices, e.g. different locations at the same time, probably means that something is amiss. But the same common Device ID will be reported in many locations making clone detection difficult. Studios would ideally like to enforce MovieLabs ECP specifications require a forward movement of software releases that fix compliance security breaches problems. There is a concern that older software that is properly signed, but out-of-date, could be manually reflashed into devices and boot properly. Unmodified Software should The device must securely report its software version number so that it can be checked against the white list data and if necessary denied service. We propose to have the TV share its current software version number with the set-top box during the authentication phase (Step 1). And the set-top box can check this against the minimum software version number in the white list. Devices using common certificates must be able to receive updated key material every year. It should be possible to also upgrade unique DTCP certificates as needed - possibly not only to update key information, but other information contained in the certificate.

Scenario 1: White List current (unique cert + SW Version) + next (unique cert + SW Version) {Make/Model #/Serial #} Scenario 2: current (common cert + SW Version) + next (common Cert + SW Version) {Make/All Model #s} Scenario 3: current (common cert + SW Version) + next (common Cert + SW Version) {Make/Model#} current (common cert + SW Version) + next (common Cert + SW Version) {Make/Model#} All scenarios can exist at the same time unique with common certificates in the white list. There are two sets of common certificates ones currently being used and ones being phased-in. When most units have upgraded, the old certificate/version # pair can be phased out, e.g. deleted from the white list while the new pair is phased-in. The previously certificate/software version # is now the new pair. Software versions could also know which is the latest DTCP certificate in use. The firmware can check the DTCP certificate device ID to see if it is the correct one. However, operationally it might be nice to de-link these upgrading each out of sequence from each other. [Not sure I understand]

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information