S36: Specialist Group on ATSC 3.0 Security

Adam Goldberg, S36 Chairman, Nagravision
Presenter: Seton R. Droppers, Director, Enterprise Security & Networking, PBS

In the Past…
• ATSC 1.0 Conditional Access (CA)
  – “ATSC A/70-1” standard for use of DVB Simulcrypt in ATSC
• MPEG-2 Transport Stream
  – Enabled encrypted services
• No provision for broadband connectivity

In the Future…
• Support for…
  – Subscription, PPV, VOD
  – Security for Broadband Communication
  – Security for Applications
  – Security between Main & Second Screens

Note Carefully!
The S36 work is in an early stage. Technology and choices described in the following slides are mostly working ideas; S36 is still discussing and evaluating a number of alternatives and directions.

Conditional Access / DRM
[Diagram labels: Broadcaster, Internet Servers; Broadcast and Broadband Networks; Conditional Access (CA); ATSC 3.0 Receiver; Home Network; Digital Rights Management (DRM)]

Conditional Access (CA)
• ATSC 1.0 (A/70-1) Specified:
  – Common scrambling
  – “Envelopes” for carriage of keys and entitlements
  – Interface to Security Hardware
  – Did not specify a conditional access system
• ATSC 3.0 likely to take mostly similar approach

Conditional Access (CA)
• Subscriptions, PPV, VOD
  – Content delivered via ISO Base Media File Format (BMFF)
    • Common Encryption (“CENC”), ISO/IEC 23001-7
  – (Unspecified) Conditional Access System Tasks
    • Key security, distribution
    • Entitlement
    • Billing, Customer Relationship

Digital Rights Management (DRM)
• Limits use of content post-reception
• Secures content in the home network
  – Including primary receiver/second screen communication
• Likely unspecified by ATSC standard
  – … but likely limited by CA system
• Not likely to define a DRM framework
  – point to existing framework(s)
• Some groups suggesting that properly implemented DRM could provide CA in select environments

Thoughts on Broadband Security
– Certificate Management
  • Certificate validation, revocation checks
    – Online Certificate Status Protocol (OCSP) and others
  • Root Certificate requirements
  • Secure Certificate Storage
  • Certificate Update Process

More Thoughts on Broadband Security
– TLS (Transport Layer Security)
  • Mostly Green Field Implementation
  • Disallow (or discourage) old, insecure versions
    – e.g., require TLS 1.2 or later
    – e.g., specific cipher suites
– DNSSEC (Domain Name System Security Extensions)
  • No details on requirements at this time

Thoughts on Application Security
• Unsigned Applications
  – Only allow limited functionality
• Cryptographically Signed Applications
  – Trusted application authors/vendors
  – Allow expanded functionality

srdroppers@pbs.org
Thanks. Questions?

ATSC 3.0
The “Grandest Alliance” – over 370 people from 110 companies, spanning the globe.
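
The TLS bullets under "More Thoughts on Broadband Security" (require TLS 1.2 or later, specific cipher suites, certificate validation) can be expressed as a client configuration plus a check that flags contexts falling short of it. This is an added example, not part of the original slides or of any ATSC specification; the suite list and the function names are assumptions chosen for illustration, and revocation checking (OCSP) is not covered.

```python
import ssl

# Assumed policy values: the slides say "TLS 1.2 or later" and "specific
# cipher suites" but name none, so this suite list is illustrative only.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
TLS12_SUITES = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!PSK"


def receiver_tls_context(cafile=None):
    """Hardened client context for a receiver's broadband connections."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = MIN_VERSION              # refuse TLS 1.1 and older
    ctx.set_ciphers(TLS12_SUITES)                  # applies to TLS 1.2 suites
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # restricted root store
    else:
        ctx.load_default_certs()
    return ctx


def legacy_context():
    """The kind of permissive configuration the policy is meant to rule out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL")
    return ctx


def policy_violations(ctx):
    """Return a list of ways a context falls short of the assumed policy."""
    found = []
    if ctx.minimum_version < MIN_VERSION:
        found.append("protocol versions below TLS 1.2 allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        found.append("certificate validation disabled")
    if not ctx.check_hostname:
        found.append("hostname check disabled")
    weak = [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"          # TLS 1.3 suites are all AEAD
            and not (c["name"].startswith("ECDHE-") and c.get("aead"))]
    if weak:
        found.append("%d non-ECDHE or non-AEAD suites enabled" % len(weak))
    return found


if __name__ == "__main__":
    for name, ctx in (("hardened", receiver_tls_context()),
                      ("legacy", legacy_context())):
        print(name, policy_violations(ctx) or "meets policy")
```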