Advanced Security System Opens Door on Live Streaming for TVE

Nigel Smith, VP & CMO, NDS

Nigel Smith, VP & CMO, NDS

October 3, 2011 – Two major DBS players are counting on driving over-the-top extensions of their pay TV channels into the marketplace by employing a new content protection platform designed by NDS to satisfy the advanced security and multi-device compatibility requirements of premium service suppliers.
Both BSkyB with its Sky Go service targeting Apple iOS devices in the U.K. and DirecTV with multi-platform OTT and home networking services in the U.S. are aggressively pursuing live broadcasts to IP devices through broadband and mobile connections at a time when it’s been difficult for service providers generally to win license approval for streaming live subscription programming over broadband. BSkyB has already launched Sky Go with reportedly strong consumer response, especially when it comes to catching sports events or news developments while on the go away from their TV sets.

DirecTV, trailing arch rival DISH Network as well as cable TV operators in the pursuit of TV Everywhere service, says it is preparing for a broad-based TVE initiative. In early August DirecTV CEO Michael White made known the company was looking at a possible acquisition of Hulu as a way to “accelerate our TV Everywhere,” which has been slowly coming together over the past year or so.

No such deal materialized, and, so far, DirecTV’s primary play in the space has been the “NFL Sunday Ticket To Go,” which for an extra fee allows subscribers to watch Sunday NFL games on mobile devices and computers. With the expanded initiative using the NDS VideoGuard Connect security system, Directv will target PCs, MACs and devices running iOS and Android, says an executive close to the provider’s plans. Speaking on background, he says, “Whether or they’re going to put all their programming or some subset out for TVE availability remains to be seen, but there will be plenty of live programming in the mix.”

NDS has designed the VideoGuard Connect multi-platform digital rights management system to address the many challenges all service providers face as they expand TVE from limited offerings of content in on-demand mode to distribution of live and on-demand IP content to devices of every description, says Nigel Smith, vice president and CMO at NDS. “VideoGuard Connect allows TV operators to incorporate OTT into a more compelling and complete suite of TV services without compromising the security or reliability of the platform,” Smith says, noting the new digital rights management system has been approved by all the major U.S. studios.

The value of offering live content to subscribers’ tablets and mobile devices has been vividly on display in the U.K. since BSkyB launched Sky Go in July. The new service, offered free to subscribers, allows them to register up to two Apple devices to gain access to all five Sky Sports channels, ESPN, Sky News, Sky Movies, Sky News and many other programming networks. Non-subscribers can sign up for a monthly fee of £15-£40.

By mid-September one million of BSkyB’s ten million subscribers had downloaded the Sky Go service app, including the security client software associated with the NDS VideoGuard Connect DRM system, notes Holly Knill, head of Sky Player and Mobile TV. Writing in a recent blog, she says, “In August our customers watched over 40 million pieces of content on Sky Go, 85 per cent of which was live channels and 15 per cent on-demand.”

Along with the robust protection, a key facet of the NDS platform is its ability to simplify management of security requirements for different types of devices and business models, Smith notes. By providing the headend tools to support integrated management and workflow functions that are needed to provide full operator control over content distribution and consumption, the platform enables such usage models as download rentals, expanded subscription packages and content bundling to give subscribers access to content they own as well as the basic subscription fare, he says. Content purchased on the broadcast platform can be made immediately available on the broadband platform – and vice-versa – owing to the integration of VideoGuard Connect with the operator’s existing broadcast platform.

Development of the platform was a major undertaking on the part of NDS, says Leonid Sandler, CTO for DRM at NDS. One part of the challenge had to do with the fact that in the multi-screen premium service environment a multitude of functionalities are required beyond providing robust security, he notes.

“Basically, in delivering a full end-to-end DRM solution you have to provide additional services to make it usable,” Sandler says. “You have to have the bit rate solutions and all the necessary servers supporting packaging, ingesting, capturing if necessary, transferring content. This is very different from many known DRMs designed for specific device platforms. If you take [Microsoft’s] PlayReady, for example, you’d have to implement authentication and, in some cases, the license mechanisms on your own, whereas in our case authentication and content licensing delivery are all cryptographically interconnected. Much less custom work has to be done to deploy our system.”

But, notwithstanding all the additional complexities entailed in creating a DRM systems for the premium multi-device service environment, the biggest challenge and focus of NDS’s efforts was security. “The way we take the security aspects is significantly more serious and more important for us in the long run,” Sandler says.

A key security innovation is the concept of “moving target” protection where the security elements of every client and every instance of implementation of those elements on each client will be different, Sandler explains. “The moving target elements are cryptographically bound to the application and client software we install on the client device,” he says. “Reverse engineering of one instance will teach a hacker almost nothing about the next instance.”

And, as time goes by, all those elements will be periodically updated. “We don’t wait until the system has been compromised to go find out how to solve a problem,” he says. “We’ll update elements proactively and reduce the motivation of anyone to attempt to break the system.”

The NDS system also does away with the common practice of using the same keys to protect content traversing the network that are used at the device end. “In our case we get rid of the global key that protects content on transition across the CDN and replace it with a key for playback on the device,” Sandler says. “So the life of the key you use to deliver the content to the end user is much shorter than it is in other systems.”

Great flexibility in setting and changing usage policies is another fundamental aspect of the protection system, he adds. “If you want to switch on HDCP (High-bandwidth Digital Content Protection) to provide higher security over an HDMI (High-Definition Multimedia Interface) you can do that,” he says. “Or, to take another example, if you don’t want something that’s authorized to play on an iPad screen to play on some external screen, you can prevent that. Or you can dictate whether a certain piece of content downloaded to a PC can be shared with other devices.” Policies can be set for applying the same DRM system across all operational modes, including live and on-demand streaming and electronic sell-through and other download modes.

From the client software perspective, another big challenge has to do with managing a universal DRM across devices the typically come with their own client DRM software. The NDS DRM client doesn’t override those native clients, Sandler notes. Instead, the VideoGuard client is pre-loaded into the device with the subscriber’s download of the service provider app that enables the service.

“Everything we need for DRM purposes is pre-loaded in the app,” Sandler says. “Besides the DRM client the app has components that are responsible for your unique client ID and management of licenses. When you go to BSkyB using your user name and password you will be given some information that will create your unique cryptographic ID.

“We have a technique to do this on iOS, PC and Android, where the rules on each platform are significantly different,” he continues. “On PC, we basically download an additional piece of executable code that will be unique to every client. On iOS and Android you can’t do a straight download, so you have to preload things and open them uniquely with the device registration. The preloading takes place at the time of the creation of the app itself.”

With the moving target approach, each instance uniquely ties together all the crucial elements cryptographically so that the preloading process does not have points of common vulnerability across multiple users, he notes. “We use special mechanisms that allow us to put many different elements into the application as required for each device without compromising security,” he adds.