SECURING 4K CONTENT
Christopher Taylor
Director of Content Protection
Sony Pictures Technologies
Review of Video Path
(1) Decryption / Decoding Threats
• Attacker extracts Device Key
• Attacker extracts Content Key
• Attacker captures decrypted compressed
content
Content encryption methods (1)
Content
delivery
method
Global
or
unique?
How obtained by
device
Issues
Comments
Disc
Global
Complaint devices can
derive from key block
on disc
Compromise of
a single device
key set breaks
the system
This is how BD is
secured, and is
vulnerable to single
device failure
Disc
Global
Compliant devices are
given key during
online authentication
at first play of a title.
Key is then securely
stored on device for
<n> days
Need an online
connection at
first title
signature. We
think we can
assume this.
Still vulnerable to
single device failure,
but once the device
(type) identified, we
can exclude vulnerable
device types (but can
we really?)
Online
Unique,
per
device
and per
session
During online auth of
the device
Online
connection
required
Some of the content is
only delivered online.
CP can decide if this
content can be cached
by device
Content encryption methods (2)
Content
delivery
method
Global
or
unique?
How obtained by device Issues
Comments
Disc
Hybrid
Use m from n. Key is
encrypted with a key
derived via m from n
method. Compliant
device have m-1
parameters, and get the
m’th online
Not really any more
secure than delivery of
the whole key at online
authentication. But some
mileage here?
Disc
Global
with
diversity
Compliant devices are
given key during online
authentication at first
play of a title. Key is
then securely stored on
device for <n> days
This content will be
expensive – having
different CEKs for
different sku’s and
maybe rev’ing the CEK
every week or for every
1000 discs is not so
expensive,
comparatively. We
should look into the cost
of this.
(1) Decryption / Decoding Mitigations
• Actively monitor for DRM circumventions
• Watermark content to identify source of
leaks
• Automatically revoke devices and/or
device classes used for theft
• Unique obfuscation per Device/Title
• Unique obfuscation per playback session
• Decode in Trusted Execution Environment
(2) Framebuffer Threats
• Attacker captures raw frames from
framebuffer
(2) Framebuffer Mitigations
• Encrypt frame data
• Use protected framebuffer (e.g.
TrustZone)
(3) HDCP Source Threats
• Attacker captures raw frames from hacked
driver
• Attacker captures raw frames from hacked
video hardware
(3) HDCP Source Mitigations
• Require trusted drivers
• Never send unencrypted frame data to
video drivers/hardware
• Only send frame data to protected video
hardware on SoC (e.g. TrustZone)
• Require 3rd party verification of trusted
hardware
(4) HDCP Sink Threats
• Attacker captures video from HDMI to
analog interface
• Attacker creates HDCP stripper with
stolen/generated Device Key
(4) HDCP Sink Mitigations
• Forensically watermark content to identify
HDCP device
• Unique software obfuscation for HDCP sink
session
• Automatic renewal of HDCP devices
and/or device classes used for content
theft
(5) Screen Threats
• Attacker captures video from screen using
camera
(6) Screen Mitigations
• Forensically watermark content to identify
user and playback devices
• Revoke devices that have been used for
content theft