optimized configurations for hospitality applicationsdeals/filmbank/vcas... · other guest services...

VCAS™ for Hospitality IPTV Optimized Configurations for

Hospitality Applications

Verimatrix, Inc. 6825 Flanders Drive

San Diego, CA 92121, USA Telephone: +1-858-677-7800

Fax: +1-858-677-7804 www.verimatrix.com

Copyright © 2008-2010 Verimatrix, Inc. All rights reserved.

Specifications and product availability are subject to change without notice.

June 2010 Copyright © 2008-2010 Verimatrix, Inc. 2

Table of Contents

1 Introduction .................................................................................................................................3

1.1 Verimatrix Video Content Authority System (VCAS™) .......................................................3

1.2 IPTV in Hospitality Deployments .........................................................................................3

2 VCAS for IPTV – Solution Overview ...........................................................................................4

2.1 Software-based Security for Hospitality IPTV .....................................................................4

2.2 System Architecture and Key Components.........................................................................5

2.3 Product Features.................................................................................................................6

2.4 Third-party Components and Resources ............................................................................6

3 VCAS for Hospitality IPTV - Configurations and Examples ........................................................7

3.1 Optimized VCAS for Hospitality IPTV Appliance.................................................................7

3.2 VOD Service Support ..........................................................................................................8

3.3 Wholesale IP Broadcast Support ........................................................................................9

3.4 DTH Broadcast Support ....................................................................................................10

3.5 Adding Local Broadcast and VOD Encryption...................................................................11

3.6 Expanding Capacity and Redundancy ..............................................................................11

4 Client Device Technologies.......................................................................................................12

4.1 ViewRight® STB ...............................................................................................................12

4.2 ViewRight® PC Player ......................................................................................................12

4.3 VideoMark™......................................................................................................................13

5 Verimatrix – Securing Content, Enhancing Entertainment........................................................14


1 Introduction

1.1 Verimatrix Video Content Authority System (VCAS™) Verimatrix specializes in securing and enhancing revenue on multi-device digital TV services around the globe. The award-winning and independently audited Verimatrix Video Content Authority System (VCAS™) and ViewRight® solutions offer an innovative approach for cable, satellite, terrestrial and IPTV operators to cost-effectively extend their networks and enable new business models. As the clear leader in software-based security solutions progressive service providers, Verimatrix has pioneered the 3-Dimensional Security approach that offers flexible layers of protection techniques to address evolving business needs and revenue threats. The Verimatrix 3-Dimensional strategy addresses key technology issues facing operators with a combination of:

Network dimension – Best of breed encryption and key management for the widest range of delivery networks, including broadcast satellite, cable and terrestrial, IPTV and hybrid, video-on-demand (VOD), mobile, Internet TV and over-the-top (OTT).

Device dimension – Beyond the living room to computers and on-the-go applications. The technology approach includes a hardened, downloadable Verimatrix ViewRight™ security core for STBs, PCs and Macs in IPTV and hybrid applications, as well as mobile/CE devices including iPhone/iPad and Android using adaptive rate streaming.

Threat dimension – Since not all threats to digital TV security look alike, VCAS offers a layered set of tools and techniques to enable a flexible system protection profile. Features such as hardening, fingerprinting, watermarking and clone detection help operators address revenue loss from theft of service and rapid renewability provides a fast countermeasure capability.

VCAS fully exploits the power and elegance of modern two-way IP infrastructure to provide a superior level of content and revenue security. Cryptographic and secure electronic transaction technologies proven in e-commerce, together with increasingly sophisticated features of client device chipsets, enable VCAS to offer a more renewable and flexible security implementation than legacy architectures.

Maintaining close relationships with major studios, broadcasters, industry organizations and its unmatched partner ecosystem enables Verimatrix to provide a unique perspective on complex business issues beyond content security as operators seek to deliver compelling new services.

1.2 IPTV in Hospitality Deployments IP video distribution in hospitality environments has become the most advanced and cost effective technology, with many advantages, including:

Flexibility in wiring infrastructure (CAT5/6, cable or telephone transmission) Fully digital quality distribution and display, including HD support Common components with in-room broadband access True interactive program guide and guest service utility displays State-of-the-art content security enables licensing of on-demand content incl. HD Broad choice of middleware, video-on-demand (VOD) and in-room client technologies.


2 VCAS for IPTV – Solution Overview

2.1 Software-based Security for Hospitality IPTV The heart of the hospitality content and revenue security solution is the VCAS for IPTV solution. Verimatrix has also cultivated a very broad partner ecosystem providing all required complementary components, installation and operational services for such applications. VCAS for IPTV is already operational in numerous hospitality deployments around the world.

In the software-based VCAS for IPTV solution, Verimatrix eliminates the vulnerabilities related to smart card based architectures through the leverage of mature, proven two-way Internet security protocols, a Public Key Infrastructure (PKI) public/private key pair system and X.509 digital certificates. A downloadable security system for IPTV clients is not only more secure; it also enables less expensive receiver hardware. The renewable security software can be updated as required to combat any attempts at piracy.

Verimatrix offers a layered security solution for hospitality pay-TV operators using a combination of:

Strong encryption, using robust encryption algorithms such as AES, together with key management tried and trusted in the school of Internet commerce applications.

User specific forensic watermarking of decompressed video streams with a unique, robust identifier that is traceable to the place and time of viewing.

Technologies that can detect and alert the operator to suspicion of cloning in the client population, in order to prevent theft of service.

This unique, multi-layered security is enabled for a wide variety of client types through a robust ViewRight client library implementation.

An optimized VCAS for IPTV configuration is available for hospitality deployments, further described in this document.


2.2 System Architecture and Key Components

Figure 1: VCAS for IPTV – End-to-End Architecture

Content Security Manager (CSM™) – Contains the VCAS security components to support authentication, key distribution and user control.

Real-Time Encryption System (RTES™) – Performs 128-bit AES or RC4 encryption of multicast streams of encapsulated video content. RTES offers intelligent MPEG-aware stream encryption, selectable from 1-100%.

MultiCAS™/IP – An alternative to RTES, MultiCAS™/IP generates ECMs in conjunction with third-party, high-performance IP streamers supporting DVB Simulcrypt.

Video Pre-Processor (VPP) – Performs offline 128-bit AES or RC4 encryption of on-demand content files before storage on dedicated VOD servers. The MPEG-aware encryption process preserves key header fields used by VOD servers for “trick play” support.

ViewRight® STB – A robust package of portable embedded code that implements VCAS security functions within each IP-STB without the need for smart cards. It offers best-of-breed, software-based content security for two-way networks in a hardened implementation, incorporating signing, multi-level integrity checking, key obfuscation and rapid renewability.

ViewRight® PC Player – A self-contained and highly secure player that turns any broadband-connected PC into a full-function IPTV client including video recording.

VideoMark™ – Patented technology for user-specific forensic tracking, it inserts an invisible yet very robust watermark in the video stream prior to content output from the STB. This identifier can be used to trace misappropriated content back to the last authorized recipient.

Third-party components (in blue) – Selection of receivers, middleware and VOD servers.


2.3 Product Features VCAS operates in a codec independent fashion to seamlessly support MPEG-2, H.264 and other video formats for both SD and HD content. In addition, the VCAS key management mechanisms are flexible enough to support various content scrambling algorithms. This flexibility enables VCAS to support a broad variety of deployment architectures and operator requirements, ranging from very small deployments to million-subscriber Tier 1 pay-TV operations.

Platform OS Red Hat Enterprise Linux

Database Oracle 10g

Digital certificates X.509 compliant, 1024-bit PKI signature hierarchy

GUI Flexible Java-based secure administrative functions

Monitoring and logging Comprehensive and secure

Video encoding MPEG-2, MPEG-4/H.264, VC1, DivX (format independent)

Video encapsulation MPEG-2 Transport Stream

Content encryption 128-bit AES or RC4. DVB-CSA by third-party scrambler

Network management SNMP v1, v2c, v3

VOD content ingestion Manual or automated with flexible workflow

Streamer/mux interface DVB Simulcrypt (ETSI TS 103 197 1.5.1, ECMG)

Head-end integration XML-RPC, SOAP

Hierarchical distribution Multi-level content delivery without intermediate re-encryption

Client flexibility Wide range of IP and hybrid STBs, plus PC and other devices

Watermarking Robust tracing of illegitimate content copies through patented VideoMark user specific watermarking implementations

2.4 Third-party Components and Resources The VCAS for IPTV security solution is deployed for hospitality applications in conjunction with a number of other key components. These include:

Middleware/SMS system – provides the presentation layer for the client devices in the system (the user interface may be created by a thick or thin client component at the STB, but the head-end system organizes and presents the data) and maintains information about guest and other user accounts. The middleware may also provide account management and other guest services through the STB user interface.

VOD server – holds all on-demand content assets for the system along with index files for trick play and meta-data to enable content browsing.

Upstream Internet connectivity for management and subscriber service provisioning.

Broadcast content sources: wholesale IPTV, satellite DTH services and local content.


3 VCAS for Hospitality IPTV - Configurations and Examples

3.1 Optimized VCAS for Hospitality IPTV Appliance Verimatrix offers an optimized Linux-based appliance that is delivered pre-installed with VCAS for Hospitality IPTV in conjunction with designated resellers. This “all-in-one” configuration represents a cost effective combination of licenses for all VCAS key components on a single server. The configuration is powerful enough to support most hospitality applications, while accommodating expansion to suit larger scale and/or high availability deployments. The “all-in-one” VCAS includes:

CSM configuration for up to 2500 client devices/users

Fully configured and embedded Oracle database

RTES configured for local multicast encryption of up to 10 SD or HD channels (and support for an unlimited number of wholesale encrypted IPTV services)

MultiCAS/IP for support of DTH turnaround equipment of up to 10 channel capacity

VPP ingest component for local file-based encryption and automated ingest of pre-encrypted content files

Remote Stream Manager (RSM) for remote (wholesale) broadcast key handling

VCAS Administrative GUI for secure local/remote control and update.

Figure 2: VCAS for IPTV - Hospitality Configuration

This solution can be used in conjunction with many brands of IP STBs, integrated hospitality TV sets and ViewRight PC Player. Applicable encryption and security standards are determined by the content licensing agreements in place.


3.2 VOD Service Support On-demand pay-TV services are a mainstay of the hospitality trade and a valued service for guests. VCAS for IPTV in a hospitality configuration can secure distribution of VOD assets and, in conjunction with appropriate presentation and billing middleware, log requests for, and delivery of, keys for these assets.

Operationally, the requirements revolve around maintaining a VOD library utilizing persistent content protection while providing facilities for that library to be refreshed periodically with new content in a secure fashion.

VCAS for IPTV provides excellent support for management and distribution of secure video assets through its wholesale/retail support mechanisms. Video files can be encrypted at a central facility using a dedicated installation of VCAS (as far up the distribution chain as necessary) and be delivered in protected form to the hospitality location via electronic means (e.g. FTP or SSH) or on physical disk media. The delivery of asset files is undertaken independently of the necessary decryption keys and at no point is decryption and re-encryption required. During ingest of these files to the local “retail” presentation and VOD server, a secure request is made from the VCAS server to the “wholesale” VCAS installation to receive the necessary keys and associated metadata.

The following diagram illustrates the support for hospitality VOD.

Figure 3: VCAS Hospitality VOD Support

Nothing about the wholesale/retail arrangement prevents a VCAS operator from encrypting and ingesting asset files at a retail location if required for local promotional purposes etc. After ingest, key requests from clients can be completely satisfied by the “retail” VCAS installation – no external connectivity to wholesale VCAS systems is required on a continuous basis.


3.3 Wholesale IP Broadcast Support Hospitality installations increasingly require multiple channels of HD broadcast. Such content is subject to much more stringent protection requirements than analog or SD broadcast material and must be delivered via a fully secure IPTV system.

A very useful capability of the VCAS Hospitality configuration is the support of Wholesale IPTV services, often transmitted over satellite backhaul as encrypted IP streams. Major providers of such services, such as SES and Falcon in the U.S., employ Verimatrix for encryption of the streams at the uplink, and content rights for a wide spectrum of channels can be obtained at reasonable rates. The use of wholesale IPTV services eliminates the need for large, costly installations of receivers and content encoders at each hospitality site. In addition, since end-to-end encryption is offered, there are a minimum of questions about local physical and content security arrangements.

Figure 4: VCAS-enabled Wholesale IP Broadcast

In an IPTV Wholesale/Retail configuration, access to the keys necessary to decrypt the wholesale services is granted through a local instance of the Remote Stream Manager (RSM) component. RSM periodically requests keys from the wholesale encryption VCAS over a low-bandwidth Internet link and caches these keys in the local VCAS database. All broadcast key requests from local clients can be completely satisfied by the local “retail” VCAS installation – no external connectivity to wholesale VCAS systems is required on a continuous basis.

For more information on Wholesale/Retail applications, please refer to the document “VCAS for IPTV - Wholesale-Retail” or contact a Verimatrix representative.


3.4 DTH Broadcast Support An alternative to the use of wholesale IPTV services for broadcast content is the local “turnaround” and re-sale of Direct-to-Home (DTH) satellite services.

A number of companies can offer satellite receiver equipment that interfaces directly to retail hospitality IPTV head-end systems. The DTH receiver equipment typically require a DVB Common Interface module (and an appropriate re-sale business arrangement) to enable decryption of the satellite service signals before the application VCAS for IPTV content security.

Two configurations are possible. The first involves software-based re-encryption of the IPTV broadcast channels using the RTES component of the VCAS server installation.

Figure 5: DTH Services Turnaround using Local VCAS

The second approach combines satellite decryption and IPTV re-encryption of broadcast channels in a single physical hardware unit (from e.g. AppearTV and Video Propulsion). Such equipment interfaces to VCAS using the DVB Simulcrypt standard, which is supported by the MultiCAS/IP component of the retail VCAS server installation.

Figure 6: Single-device Decryption and Re-encryption


3.5 Adding Local Broadcast and VOD Encryption Any of the described wholesale/retail installations can be supplemented with locally originated and encrypted content, providing complete flexibility in sourcing content.

3.6 Expanding Capacity and Redundancy Specific capacity limitations of a single server VCAS hospitality configuration can be addressed using various configuration options.

Expanding the total number of client devices: The initial limit of 2500 devices can be expanded (on suitable hardware configurations) up to a maximum of 10000 in 2500 “power-up” increments.

Expanded local broadcast channel lineups: The initial support of 10 locally encrypted channels (RTES or MultiCAS) can be expanded in increments of 10 channels. RTES encryption expansion may require the addition of specially configured servers and network switches.

Where redundant operational configurations are required to support the ultimate in system availability a simple and effective option is to mirror the VCAS installation and its associated Oracle database behind a load balancing network switch.

Figure 7: High-Availability VCAS Configuration


4 Client Device Technologies

4.1 ViewRight® STB The Verimatrix ViewRight STB client library is a system of security hardened real-time software that runs in authorized clients of a digital TV deployment. ViewRight is a robust package of portable embedded code that implements the VCAS security functions within each STB. The ViewRight code is designed to require only a minimum of resources from the STB hardware and run-time environment, and it offers a standardized set of interfaces to the middleware running in the STB.

As a software-based security solution, ViewRight STB operates without the need for smart card or other interface hardware. It offers best of breed content security and revenue protection functions in a hardened implementation that incorporates signing, multiple levels of integrity checking, debugger detection, key obfuscation, and intrinsic renewability.

ViewRight STB has been architected to be highly portable to different hardware architectures and run-time environments. It is also designed to be network updatable in a highly secure manner. ViewRight employs best of breed standards-based encryption such as 128-bit AES and 1024-bit (optionally 2048-bit and 4096-bit) PKI public/private key pairs to complement the head-end components of VCAS. For more information, please refer to “VCAS for IPTV – Overview.”

4.2 ViewRight® PC Player The Verimatrix ViewRight PC Player turns any broadband connected PC into a fully functional, interactive IPTV client. The PC player securely decrypts broadcast and VOD content within VCAS protected IPTV systems using a flexible, “lean forward” user interface style that includes program guide information for current broadcast channels and available VOD content.

The ViewRight PC Player application provides the same level of content security and revenue protection as dedicated STBs.

Figure 8: ViewRight PC Player User Interface

ViewRight PC player enables a hospitality operator to more fully leverage a broadband connected room to distribute entertainment and extends the competitive advantage of IPTV services over legacy alternatives.


4.3 VideoMark™ While the ViewRight STB and other components of the VCAS suite combine to provide best-of-breed content security and revenue protection, at some point video content must exit the compressed digital domain in order to be watched and enjoyed. When presented in decoded form, content is vulnerable in different ways, particularly through copying of the analog signal.

Sophisticated content pirates have been known to make illegal copies of movies by taking digital camcorders into movie theaters or capturing video from unprotected analog (e.g. S-Video) STB ports - even to check into hotel rooms to copy pay-per-view movies from hotel TV systems. This type of vulnerability is known as the “analog hole” and can defeat most attempts to preserve a digital format of watermark. The incentive for this type of attack increases as the quality and value of the source material increases – especially as HD video and earlier release windows are desired.

The patented Verimatrix VideoMark user-specific forensic watermarking technology is designed to counter this threat by marking decompressed video streams with a unique, robust identifier that is traceable to the place and time of viewing. VideoMark is applied using a very efficient algorithm running in the STB. The VCAS head-end generates the unique forensic payload used to identify individual client device sessions with time and hardware identifiers. The VideoMark algorithm then embeds these forensic tracking IDs into the video pixel information in a manner that is imperceptible and transparent to the viewer.

The VideoMark payload is extremely robust and secure. The embedded information will be recoverable following a wide variety of attacks and distortions. Using VideoMark, it becomes possible to accurately trace the source of content that has been recorded and distributed illegally.

VideoMark product features and benefits:

Robust image based insertion approach defeats tampering or “washing” attacks

Imperceptible mark insertion with no impact on enjoyment of the video services

Secure payload generation ensure accurate tracing of illegitimate copies without raising privacy concerns

Software-only architecture enables cost effective upgrade of existing STB deployments

The application of VideoMark extends the protection of VCAS beyond the analog hole and provides a more trusted secure distribution platform that is better suited to deter piracy than competing digital or analog techniques. Although completely transparent to the legitimate consumer of digital video content, the deterrent effect of the watermark will make piracy from VideoMark protected systems much less attractive.

VideoMark is an integrated component of Verimatrix ViewRight STB and ViewRight PC Player solutions, providing a unique layered security approach within the VCAS security architecture.

In the quest for licensing of premium content, the most secure and comprehensively protected systems are likely to be preferred by content owners. The interlocking solution set provided by the VCAS combination of digital content security and VideoMark is unique in the industry. This is also supported by independent auditor findings.

Verimatrix is a leading member of the Digital Watermarking Alliance.


5 Verimatrix – Securing Content, Enhancing Entertainment Software-based content security lowers deployment CAPEX and OPEX.

Common key management model across broadcast, streaming and file-based applications.

Unified head-end supports multiple delivery networks for multi-screen applications.

Layered security regimes with rapid response and renewability options.

User-specific VideoMark™ watermarking technology for forensic tracking.

Award-winning content security and independently audited with zero exposures.

Flexible deployment and component options enabled by an extensive partner ecosystem.

Most widely deployed system among tier 1 telecommunications operators globally.

Headquartered in San Diego, California, Verimatrix offers both local sales and customer care in major centers around the world including the Americas, Europe, Russia and Asia, plus 24/7/365 online and phone support.

To learn more about Verimatrix products and the VCAS approach to 3D content security and revenue protection, please see http://www.verimatrix.com/company/offices.php for offices worldwide. A Verimatrix representative will be pleased to assist.

Verimatrix, Inc 6825 Flanders Drive San Diego, CA 92121, USA Main: +1-858-677-7800 Fax: +1-858-677-7804

www.verimatrix.com

Copyright © 2008-2010 Verimatrix, Inc. All rights reserved.

Reproduction or redistribution of Verimatrix web site or collateral content is prohibited without prior written consent.

optimized configurations for hospitality applicationsdeals/filmbank/vcas... · other guest services...

Documents