Oregan TV Browser Software Architecture



Onyx Digital Stream (DPS 1000)

High Definition IPTV Player

Enabling Delivery of Blinkbox VOD Service

Device Security and Robustness

WHITE PAPER

Version 1.1

Author: Oregan Networks Ltd , The White Building, 52-54 Glentham Road, London, SW13 9JJ, UK

Revision History

|Date |Version |Description |Author |

|27/10/2010 |0.1 |Initial draft |Milya Timergaleyeva |

|28/10/10 |1.0 |Internal comments |Milya Timergaleyeva |

| | |incorporated | |

|04/11/2010 |1.1 |Blinkbox comments re. |Milya Timergaleyeva |

| | |device auth. | |

| | | | |

| | | | |

| | | | |

| | | | |

Table of Contents

Revision History 2

Table of Contents 3

Purpose 4

References 4

1.0 Company Introduction 5

2.0 Service Overview 5

3.0 Onyx Digital Stream STB Hardware Overview 6

3.1 STB Robustness 6

3.1.1 Summary of policies 6

3.1.2 Standard device robustness policies 6

3.1.3 Media Player Software Design 7

3.1.4 Production process and Device Unique information 7

3.1.5 TV Video Output Disabled / Audio Control 8

4.0 Network Security 9

5.0 Software Updates 9

5.1 Upgrade process 10

6.0 Contact information 10

Purpose

This document briefly describes the key security measures implemented by device manufacturers deploying the Onyx platform and associated premium Hollywood content services.

This paper covers both hardware and software / firmware security enhancements which work in close relation to facilitate

• device integrity

• user credentials integrity.

References

- Widevine Robustness requirements (available from Widevine via NDA).

- WidevineCypherTheoryOfOperationv1

- Widevine Playback API v1.6

- Compliance rules for WMDRM 10 for Portable Devices Applications – v 28 April 2010

1.0 Company Introduction

Oregan Networks is a UK-based software company catering for retail consumer electronics and carrier grade IPTV appliances, enabling delivery of Internet video, music and photos. Since incorporation in 1997, over 4 million units of Oregan's software have been licensed to leading global brands, including Sony, Philips and Telefónica. The company's headquarters and R&D center are located in London UK, with branch offices in Korea and Taiwan.

2.0 Service Overview

Include in here the delivery method of the content and explain whether the content is stored anywhere on the STB and BD player and with what security.

 

Oregan Networks provides a turnkey solution to Digital Stream Technology – the manufacturing company, in terms of middleware and software for the IP connectivity functionality of their STBs, as well as a fully managed service for remote management of the IP platform including management of content and applications.

Oregan’s implementations of services use Widevine and Windows Media DRM 10.1 PD for AV stream protection, ensuring that it satisfies the mandatory Compliance and Robustness Rules as specified in Widevine’s and Microsoft’s Windows Media DRM license agreements. Oregan applies best industry practices and policies for its software copy and tamper- protection.

The Blinkbox Internet VOD service is delivered to the Onyx Digital Stream STBs utilising the Microsoft WMDRM 10.1PD - by means of direct license acquisition, for AV stream protection.

3.0 Onyx Digital Stream STB Hardware Overview

[pic]

The Blinkbox AV stream, protected by WMDRM 10.1 PD is delivered via an IP network (wireless or wired) to the Set-Top-Box (STB), powered by Broadcom’s digital media processor SOC. The service uses a device license pre-delivery mechanism.

The stream is decrypted by the WMDRM library running on Broadcom’s secure processor and passed directly into the Broadcom chipset video decoder. The output of the video decoder is passed to the TV display digitally via HDMI (protected with HDCP) or via analogue SCART connectivity (protected via Macrovision and CGMS-A)

The equivalent of 5 seconds of the video stream is buffered in DRAM in its WMDRM encrypted form, which is dynamically discarded as soon as that portion of the stream has been decoded. The video is not stored on a HDD (no HDD is available on the device) or captured / recorded on the DVD.

1 3.1 STB Robustness

Descriptions of how robust the STBs are with respect to measures (software & hardware) implemented in the STB to prevent unauthorised copying of the content.

1 3.1.1 Summary of policies

In summary, the following security measures have been implemented:

• Secure CPU / boot, with encrypted flash, CFE, kernel and scrambled DRAM

• Digital copy protection: HDCP output on HDMI

• Analogue copy protection: SCART (Macrovision / CGMS-A)

• No HDD / recording capability

• No serial / Telnet/ JTAG output

2 3.1.2 Standard device robustness policies

All code loaded by the boot-loader is first authenticated by the Secure Boot-loader.

• The bootloader (CFE) is signed with a 1024 bit RSA/SHA1 key, this is

specific to Onyx STB, and managed by Oregan Networks. The public key is

encrypted/signed using (Broadcom) proprietary algorithm/key supplied to

Oregan by Broadcom.

CFE checks signatures of all flash partitions containing executable

code, normally this is the kernel and application partition.

These are signed with a 2048bit RSA/SHA512 key, specific to Onyx Digital Stream STB, managed by Oregan Networks. The public portion of this key is compiled in to

CFE.

All Oregan Managed keys are generated using openssl using standard linux

random number generation.

Internal keys and decrypted content are protected from any external access. This also includes access via data interfaces like Ethernet ports, serial links and USB ports. The receiving device protects against any attempt to discover and reveal the methods and algorithms of generating keys.

The receiving device disables the decryption process of content after the detection of any unauthorized modification of any of the software functions involved in the security implementation.

Any failures in authentication during the boot process results in permanent failure to boot.

All sensitive data stored on the internal flash chip is encrypted and any modifications to the application code on the internal flash chip would be identified by the secure boot authentication.

Non-encrypted content is not present on any user accessible busses. User accessible buses refer to buses like PCI busses and serial links. User accessible buses exclude memory buses, CPU buses and portions of the receiving device's internal architecture.

The flow of non-encrypted content and keys between both software and hardware distributed components in the receiving device is protected from interception and copying.

Output protections such as HDCP, Macrovision and CGMS-A are supported and trigger APIs are exposed to the WMDRM implementation.

3 3.1.3 Media Player Software Design 

The WMDRM library is linked into the existing Oregan File Player and Video Decoder Task Architecture as shown on the diagram

3.1.4 Production process and Device Unique information

Each device contains several pieces of information that need to be unique. These are:

• Oregan 'Secure' information

Depending on the configuration of the build this block of data can contain the STB's licence number, encrypted DRM keys and any other Oregan related information that needs to be unique to a device.

• MAC Address

The MAC Address of the STB. OMB expects this to be of the same format as that generated by the 'macprog2'. If this value is incorrect then the CFE will output a 'MAC ADDRESS CHECKSUM FAILURE' at boot up.

• HDCP key

The HDCP key in a format that can be used by the device (In the case of Broadcom devices this would be the encrypted HDCP key generated by the Bcrypt tool).

[pic]

5 3.1.5 TV Video Output Disabled / Audio Control

Descriptions of how the content is prevented from being sent to any video output connection on the TV, and only sent to the TV screen. Sending the audio to any audio output which could be connected to external audio amplifiers?

If so, please describe how this is done, and which audio formats will be passed through, and on which connections are requested.

 

In digital format, the device only outputs via HDMI in a 2 channel PCM / 5.1 channel AC3 format. This means that there is no facilitation of connectivity to an amplifier.

BD Payers Output Copy Protection Technology - N/A

Describe the output copy protection technology activated for BD players for this service.

4.0 Network Security

Description of the authentication processes from the server side and also from the device side.  This should be a “mutual authentication” process whereby both the server and the STB both authenticate.

Describe how you authorise the service / device application that will be downloaded onto the STB, and how this is isolated from other applications on the STB.

 

For the purposes of Blinkbox service delivery, the device is utilising WMDRM 10.1 PD and associated authentication mechanisms implemented by Blinkbox and Microsoft.

The communication between the application on a client device and the Blinkbox server is protected by a mutually authenticated SSL protocol.

WMRM Server utilizes the Windows Media Rights Manager Software to issue WMDRM Licenses over a network connection. The communications between the Blinkbox MS DRM server and a client device are protected by mutual authentication over https.

Blinkbox application is not downloaded to the device. Rather, it is a web based application that is hosted and accessed by device in real-time from Blinkbox’ servers.

5.0 Software Updates

Description of how you can update the software and keys in the STBs should they become compromised.

 

In Microsoft DRM implementation - the DRM keys are stored in the secure partition of Flash (in a factory provisioning scenario) and are protected whilst in RAM memory by DRAM scrambling.

Software functions perform self checking functions to detect unauthorized modification. Every step of the boot process is authenticated, checking the bootloader and binaries for any modifications.

The receiver disables the decryption process of content after the detection of any unauthorized modification of any of the software functions involved in the security implementation.

Any failures in authentication during the boot process results in permanent failure to boot.

1

2 5.1 Upgrade process

It is envisaged that the Blinkbox service may be enabled as a field upgrade to the existing stock of devices and be shipped as part of default feature set in the newly manufactured hardware. The upgrade entails a mere change in the UI which would enable an icon graphic as an entry point to the Blinkbox service.

The client device will regularly poll for new middleware and software upgrades from Oregan’s dedicated upgrade server whenever such upgrades are made available by Oregan’s administrator.

All functions and improvements in the software can be enforced (for mandatory upgrades) or user-authorised (for optional upgrades), as determined by Oregan.

6.0 Contact information

|For technical management queries, contact Adrian Gartland: |For programme & partner management queries, please contact Milya Timergaleyeva:|

|adrian.gartland@ |milya@ |

|Phone: 020 8846 0990 | |

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download