SECURING 4K CONTENT
Christopher TaylorDirector of Content Protection
Sony Pictures Technologies
Review of Video Path
(1) Decryption / Decoding Threats
• Attacker extracts Device Key• Attacker extracts Content Key• Attacker captures decrypted
compressed content
Content encryption methods (1)Content delivery method
Global or unique?
How obtained by device
Issues Comments
Disc Global Complaint devices can derive from key block on disc
Compromise of a single device key set breaks the system
This is how BD is secured, and is vulnerable to single device failure
Disc Global Compliant devices are given key during online authentication at first play of a title. Key is then securely stored on device for <n> days
Need an online connection at first title signature. We think we can assume this.
Still vulnerable to single device failure, but once the device (type) identified, we can exclude vulnerable device types (but can we really?)
Online Unique, per device and per session
During online auth of the device
Online connection required
Some of the content is only delivered online. CP can decide if this content can be cached by device
Content encryption methods (2)Content delivery method
Global or unique?
How obtained by device
Issues Comments
Disc Hybrid Use m from n. Key is encrypted with a key derived via m from n method. Compliant device have m-1 parameters, and get the m’th online
Not really any more secure than delivery of the whole key at online authentication. But some mileage here?
Disc Global with diversity
Compliant devices are given key during online authentication at first play of a title. Key is then securely stored on device for <n> days
This content will be expensive – having different CEKs for different sku’s and maybe rev’ing the CEK every week or for every 1000 discs is not so expensive, comparatively. We should look into the cost of this.
(1) Decryption / Decoding Mitigations
• Actively monitor for DRM circumventions
• Watermark content to identify source of leaks
• Automatically revoke devices and/or device classes used for theft
• Unique obfuscation per Device/Title• Unique obfuscation per playback
session• Decode in Trusted Execution
Environment
(2) Framebuffer Threats
• Attacker captures raw frames from framebuffer
(2) Framebuffer Mitigations
• Encrypt frame data• Use protected framebuffer (e.g.
TrustZone)
(3) HDCP Source Threats
• Attacker captures raw frames from hacked driver
• Attacker captures raw frames from hacked video hardware
(3) HDCP Source Mitigations
• Require trusted drivers• Never send unencrypted frame data
to video drivers/hardware• Only send frame data to protected
video hardware on SoC (e.g. TrustZone)
• Require 3rd party verification of trusted hardware
(4) HDCP Sink Threats
• Attacker captures video from HDMI to analog interface
• Attacker creates HDCP stripper with stolen/generated Device Key
(4) HDCP Sink Mitigations
• Forensically watermark content to identify HDCP device
• Unique software obfuscation for HDCP sink session
• Automatic renewal of HDCP devices and/or device classes used for content theft
(5) Screen Threats
• Attacker captures video from screen using camera
(6) Screen Mitigations
• Forensically watermark content to identify user and playback devices
• Revoke devices that have been used for content theft