docS36_ATSC_Bootcamp_Presentation-2015_Security 276.00KB
download 
Report Transcription
S36_ATSC_Bootcamp_Presentation-2015_Security 276.00KB
S36: Specialist Group on ATSC 3.0 Security Adam Goldberg, S36 Chairman Nagravision Presenter: Seton R. Droppers Director, Enterprise Security & Networking PBS In the Past… • ATSC 1.0 Conditional Access (CA) – “ATSC A/70-1” standard for use of DVB Simulcrypt in ATSC • MPEG-2 Transport Stream – Enabled encrypted services • No provision for broadband connectivity In the Future… • Support for… – Subscription, PPV, VOD – Security for Broadband Communication – Security for Applications – Security between Main & Second Screens Note Carefully! The S36 work is in an early stage. Technology and choices described in the following slides are mostly working ideas, S36 is still discussing and evaluating a number of alternatives and directions. Conditional Access / DRM Broadcaster, Internet Servers Broadcast and Broadband Networks Conditional Access (CA) ATSC 3.0 Receiver Home Network Digital Rights Management (DRM) Conditional Access (CA) • ATSC 1.0 (A/70-1) Specified: – Common scrambling – “Envelopes” for carriage of keys and entitlements – Interface to Security Hardware – Did not specify a conditional access system • ATSC 3.0 likely to take mostly similar approach Conditional Access (CA) • Subscriptions, PPV, VOD – Content delivered via ISO Base Media File Format (BMFF) • Common Encryption (“CENC”), ISO/IEC 23001-7 – (Unspecified) Conditional Access System Tasks • Key security, distribution • Entitlement • Billing, Customer Relationship Digital Rights Management (DRM) • Limits use of content post-reception • Secures content in the home network – Including primary receiver/second screen communication • Likely unspecified by ATSC standard – … but likely limited by CA system • Not likely to define a DRM framework – point to existing framework(s) • Some groups suggesting that properly implemented DRM could provide CA in select environments Thoughts on Broadband Security – Certificate Management • Certificate validation, revocation checks – Online Certificate Status Protocol (OCSP) and others • Root Certificate requirements • Secure Certificate Storage • Certificate Update Process More Thoughts on Broadband Security – TLS (Transport Layer Security) • Mostly Green Field Implementation • Disallow (or discourage) old, insecure versions – e.g., require TLS 1.2 or later – e.g., specific cipher suites – DNSSEC (Domain Name System Security Extensions) • Not details on requirements at this time Thoughts on Application Security • Unsigned Applications – Only allow limited functionality • Cryptographically Signed Applications – Trusted application authors/vendors – Allow expanded functionality [email protected] Thanks. Questions? ATSC 3.0 The “Grandest Alliance” – over 370 people from 110 companies, spanning the globe. Thanks to our Sponsors
