Downloadable DRM in TEE

Sanjeev Verma, PhD

Samsung R&D Institute America,

San Jose

10/31/13 1

Trends & Challenges in Content Distribution Eco-System

10/31/13 2

Trends & Challenges

• Content Distribution eco-system is becoming ubiquitous with the availability of mobile devices: – Mobile devices such as smartphones, tablets and

hybrids are increasingly becoming preferred entry point in the content distribution framework.

– Multimedia Traffic emerging as main driver for mobile traffic.

• Challenges: – Secure distribution of the content to a large number

of heterogeneous devices. – Meet the commercial motivation of all the

stakeholders in the Content distribution eco-system.

10/31/13 3

Trend: Emergence of Mobile Devices As Point of Entry and Primary Screen

Miracast: Wi-Fi wireless Display

Link protection

DRM

• Mobile devices becoming primary screen: • Driven by availability of devices

such as Chromecast and other solutions based on Miracast and MHL standards.

• Better User Experience for content sharing and discovery in Home.

10/31/13 4

Trend: Pre-dominant Share of Video Traffic

10/31/13 5

Challenge: Heterogeneity

Source: 2013 Streaming Media Survey of 758 Media Industry Executives on Over-The-Top (OTT)Video and Security Trends.

10/31/13 6

Challenge: Fragmentation

11,868 distinct Android devices in 2013 compared to 3,997 in 2012.

(Source: OpenSignal.com)

10/31/13 7

Challenge: Security Assurance

Source: 2013 Streaming Media Survey of 758 Media Industry Executives on Over-The-Top (OTT) Video and Security Trends.

10/31/13 8

Commercial Motivation of Various Stakeholders in Content Distribution Eco-System

Content Rights Holders

• Increase Media Content monetisation through:

• Licensing dependent on usage policy and better reach of audience.

Content Aggregators and Service providers

• Monetisation through better user experience:

• Recurring Subscription or Pay per View of content packages.

OEMs

• Product sales through differentiation in user experience or content services:

• Faster time to market, lower BOM costs.

10/31/13 9

Issues

• Common Issues before stakeholders:

– How to support various business models requiring different content protection solutions?

– How to support heterogeneous devices and platforms?

– Certification & Security Assurance.

• Goal: Any Device, Anywhere

10/31/13 10

Multiple DRM Management Issue: Any Device, Anywhere

10/31/13 11

Multiple DRM Management: OEM Perspective

• Current Implementation Scenario for an OEM :

– Multiple versions of the same device to meet specific content protection needs of different service providers and eco-systems:

• Complex to manage custom made solution for every service provider and market.

– Support multiple DRM solutions in the device at the manufacturing time :

• Costly option to support multiple DRM solutions in a single device.

10/31/13 12

OEM Motivations

• Motivations for an OEM: – Support content protection mechanisms to meet

business needs of various service providers/eco-systems at low cost.

– Minimize inventory management and cost of implementing content protection solution.

– Standardized certificate regime to ease content license acquisition.

• Goal: – Anywhere at low cost.

10/31/13 13

Significant Preference for a Solution Based on a Single Content Security Platform

Source: 2013 Streaming Media Survey of 758 Media Industry Executives on Over-The-Top (OTT)Video and Security Trends. 10/31/13 14

Multiple DRM Management: Architectural Approaches

• Popular Approaches: – Eco-system Centric Approach

• An eco-system (or a service provider) supports multi-DRM solutions that work across a large number of devices implementing one or more DRM mechanisms approved in the eco-system: – UV adopts this approach, where a device needs to support one of the

several DRM systems adopted by an eco-system. – Any Device—as long as all popular DRM solutions are supported in an

eco-system.

– Device Centric Approach • Alternative approach is device centric, where a device implements

a generic secure trusted platform. • Device can then download a DRM agent supported by the service

provider or eco-system. – Anywhere -work with any eco-system or service provider.

10/31/13 15

Downloadable DRM-Advantages

• Downloadable DRM:

– Advantages:

• Attractive for an end user, who could buy a device from a retailer and use it in an eco-system or service provider of his/her choice.

• Ability to support multiple markets in cost effective manner for an OEM.

• Ability to distribute content to multiple devices & platforms for Service Providers.

• Better reach of audience for Rights Holders.

10/31/13 16

Downloadable DRM Challenges

• Main challenge is the formulation of Comprehensive Security Framework specifications: – Download DRM mechanism needs specification of the

secure trusted platform in the device satisfying the C&R requirements of the various DRM vendors and Content Providers.

– Needs a Standardized certification regime: • Every instance of the trusted platform need to be certified as

conformant and compliant. • Rules need to be specified regarding the downloaded code

that specifies where it can run.

10/31/13 17

Multiple DRM Management through GlobalPlatform

10/31/13 18

GlobalPlatform Enabled Multiple DRM Management

• GP Premium Content TF intend to address following Issues:

– Comprehensive Set of Security Features to support both downloadable and pre-integrated DRM solutions.

– Standardized APIs for trusted Video Path Access by multimedia applications.

– Certification and Compliance Regime.

DRM TA Media Player Application

TEE Client API

Communications stack

TEE

Platform/ Hardware

Media Buffer View

Messages

Rich Execution Environment (REE)

Trusted Execution Environment (TEE)

Media Buffer

Media Playback

Link Control

10/31/13 19

Positioning of TEE

• TEE as a part of the Trusted Media Playback Platform provides

– Isolated Environment within SoC for secure execution of tasks.

– Set of security features for robust DRM installation.

– Interface with other secure peripherals and Elements to realize trusted video rendering path

10/31/13 20

10/31/13 21

Streaming App Browser

Watermark,Decrypt & Decode

Encrypt Decrypt

Global Platform APIs for the query and validation of End-to-End Trusted Video Rendering Path

Remote Security Validation of the End-To-End Video Rendering Path.

TEE Role in Trusted Media Playback Platform

• TEE role in providing secure end-to-end trusted video path: – Complements Trusted Media Playback platform by enabling robust

DRM implementation and protecting assets such as: • DRM App secrets and keys; • License Storage and management; • Usage Policy and • Account Info.

– Interfaces with other components of Multimedia Framework in secure and normal world • for media playback, scheduling and rendering. • for secure download of DRM module and integration with rest of the

multimedia framework.

– Provides static and dynamic attestation information for the various elements of video rendering path in the device.

– Integrates with higher level of application layers such as HTML5 and W3C extensions for user interface.

10/31/13 22

Advantages of TEE based Downloadable DRM and Final Remarks

10/31/13 23

Content Piracy Prevention through TEE

• Content Piracy Prevention – Risk management can provide effective deterrent and

prevent piracy from destroying the value of the content • Self-Protecting Digital Content-Tech. Report by Cryptographic

Research Institute: – http://www.cryptography.com/public/pdf/SelfProtectingContent.pdf.

• TEE for Piracy Prevention – Acts as a security plugin to the platform OS (Android,

Windows or Tizen) • TEE provides secure environment for sensitive tasks without

exposing cryptographic credentials.

– Provides a programmable security environment where updates can be provided in case of security breach.

10/31/13 24

10/31/13 25

Windows Platform

Android Platform

Trusted Execution Environment [System on Chip Module (SoC)]

Provides security plugin or services to platform OS

Summary

• TEE-based Downloadable DRM in Global Platform – Provides a standardized security plugin to platform OS that

enables the secure execution of tasks in the end-to-end trusted video rendering path: • Addresses Heterogeneity, Fragmentation and Security Assurance

Issues.

– Achieves the common goal of various stakeholders • Any Device, Anywhere.

• Challenge: – Formulation of Comprehensive Security Framework. – Standardized Certification & Compliance Regime.

10/31/13 26

10/31/13 27