Scaling Multi-network Security On the Road to MPEG DASH

Ironclad Protection for Premium TV Streamed to Any Device Sets Stage for Shift to Standard
By Steve Christian, VP of Marketing, Verimatrix
New developments in advanced content protection that track with the emerging MPEG DASH standard, have opened a way forward for all players seeking to capitalize on opportunities in multi-network, multi-screen premium TV services.
Network service providers, content suppliers and consumer electronics manufacturers all want to exploit new trends in consumer behavior sparked by the proliferation of smartphones, tablets, Web-connected game consoles and smart TVs, provided they can supply the ironclad protection required for premium content without incurring unacceptable operational costs. The question is whether this is possible, especially as the security vulnerabilities multiply with an outpouring of devices designed around incompatible formats that have been optimized to deliver HD-caliber video.

The short answer is, yes. Verimatrix, building on its leadership position in security systems designed for this environment, has continually enhanced its technology to keep pace with these new requirements. As a result, participants in the multi-screen services revolution can proceed with assurance that the content protection mechanisms they put in place today will maximize their monetization opportunities in the near term while positioning them to increase those opportunities as standardization takes hold and smart TVs become a more dominant factor in mainstream entertainment consumption.

The Rise of Adaptive Rate Streaming

Content distributors of every description face major challenges when it comes to ensuring their assets can be securely delivered to the widest possible array of devices. While each of the major adaptive rate streaming (ARS) approaches, including Microsoft’s Smooth Streaming, Adobe’s HTTP Dynamic Streaming (HDS) and Apple’s HTTP Live Streaming (HLS), have provided compelling means by which distributors can leverage the installed base of HTTP (Hypertext Transfer Protocol) servers to ensure uninterrupted delivery of content across the Internet, the incompatibilities among these three ARS protocols have fragmented the market, greatly adding to the costs of reaching every device with a given piece of content.

One of the most fundamental factors in these incompatibilities has to do with how these ARS modes format small “chunks” of streamed video for purposes of providing devices a range of bit rate options from which to choose to ensure consistent throughput over available bandwidth at each moment in time. An ARS-enabled device, by referencing the bitrate options or “adaptation sets” listed for a given piece of content in a manifest file sent from an HTTP server, continually pulls the chunks that will deliver the highest possible quality of experience to the end user through the course of the streaming session.

As part of a device-driven “stateless” technology, the ARS system used to stream the content must prepare content assets in a variety of compressed bit streams, each of which is synchronized with respect to chunk boundaries. The two major adaptive streaming formats in use today have a different approach to formatting these chunks and organizing the resulting sets of files.

Each mechanism has its benefits and its limitations. The HLS approach requires video and audio in multiplexed MPEG-2 transport stream (TS) stream format, with each segment represented by an individual file. The Smooth Streaming approach on the other hand uses a sophisticated form of the mp4 file organization where chunks or fragments are directly represented as such within a single composite media asset (fragmented mp4 or f-mp4).

Further complicating matters for commercial delivery, the Smooth Streaming and HSD client software are designed primarily to work in conjunction with the proprietary PlayReady and Adobe Access DRM systems, respectively, while the HLS client has a more open format that fully defines the encryption approach using a set of AES-128 16 bytes keys, but leaves unspecified the management of the delivery of these keys. This means that each media asset prepared by a transcoder must be of the right format and encrypted using a key supplied by the right type of DRM system.

But while there’s presently no ready way in today’s world of devices to avoid the multi-fragmenting format headaches of diverse ARS protocols, Verimatrix has developed the means by which all the content protection requirements vital to scaling a premium multiscreen service can be supplied from a single platform. As an early advocate of adaptive streaming for commercial Internet TV services, and a leader in the overall IP video services delivery market place, Verimatrix offers an architecture that not only bridges the gap between today’s alternative and competing standards, but also provides the foundation for an operator to take advantage of the move towards the new MPEG-DASH standard-based services that will help to unify delivery models in the coming year or two.

Streamlining Ironclad Protection for Premium Multiscreen Content

The functionalities enabling a single-platform approach to content protection in this fragmented ARS environment are embodied in the Verimatrix MultiRights framework as part of the third-generation Video Content Authority System (VCAS 3), which is the core Verimatrix architecture for proactive revenue security in all premium content environments, including IPTV, cable IPTV, DVB broadcast, hybrid and over-the-top (OTT) video. The MultiRights framework can operate in conjunction with IP content security tied to service delivery over any of the traditional pay TV modes or as a standalone protection regime in pure OTT applications.

In essence, the MultiRights framework mediates different DRM technologies on multiple networks and devices through a single set of VCAS subscriber entitlement interfaces and Web services APIs. This single content authority and entitlement process delivers licenses in whatever DRM format the requesting user device requires.

To date, within the ARS domain, MultiRights implementations provide support for Smooth PlayReady and HLS enhanced protection. In addition the framework has been extended with BD-Live streaming to Blu-ray players and Marlin Broadband DRM as adopted by Open IPTV Forum, the U.K. YouView and the Digital Entertainment Content Ecosystem (DECE) consortium’s UltraViolet.

In the case of HLS, which has actually become the most widely used ARS system owing to its open architecture and the popularity of Apple’s devices, the challenge of adding key management to the protocol architecture is front and center to the viability of premium service delivery. This is reflected in the increasingly stringent requirements applied by content owners to the security mechanisms on streaming plaforms. Verimatrix has addressed these and other requirements for pay TV security on HLS with a complete enhanced security solution known as VCAS for Internet TV, which is now widely integrated with live and on demand streaming platforms from Harmonic, Envivio, Elemental, Allegro, Anevia, Vidiator, Wowza and others.

For example, premium content suppliers want to be sure the devices accessing their content are authenticated, which Verimatrix enables in the HLS environment through its ViewRight client library that ties the client’s unique ID to the service and subscriber. On the server side, the VCAS system performs entitlement verification by checking each encrypted asset to make sure the subscriber and device are each authorized to receive the decryption key. Security is further enhanced by a mechanism by which VCAS verifies that the integrity of the device hasn’t been violated by hacking.

Another ever more important requirement for security validation concerns the setting of policies for access to assets from devices equipped with HDMI or VGA outputs. With the popularity of video and manufacturers’ enhancements of screen resolutions to HD quality on smartphones and tablets, content providers must guard against in-the-clear transfers from devices that were once viewed as posing no piracy threats to premium content. VCAS security verification and policy management mechanisms give distributors the leverage to determine whether a given piece of content can be accessed by a high-resolution device capable of distributing video to TV sets, recorders and other devices in the clear.

Of course, HLS is widely used with non-Apple devices as well, including all Android devices, PCs, connected TVs, hybrid set-tops, etc. The Verimatrix ViewRight Web plug-ins and security clients provide cross-platform support for a wide range of such device categories.

For instance, client code is available as a library for various iterations of the Android smartphone and tablet OS. In an environment like Android, where successive OS versions vary considerably, Verimatrix’s continued updating of its plug-in clients and close integration with the underlying player environment is vital to maximizing content distributors’ multiscreen reach over time.

Preparing for MPEG DASH

All the steps Verimatrix has taken with regard to creating a secure pay TV environment for HLS and Smooth Streaming connected devices naturally evolve into the mechanisms applied to security delivered through MPEG-DASH, the newly emergent standards-centric option for premium content distribution.. The options described within the DASH Media Presentation Description (MPD) manifest file not only allow a device to select whether it wants content delivered in MP4 or MPEG-TS-based segments; it also supports selection of many other functionalities as well, including support for live streaming, multiple languages, enhanced trick modes, dual streams for 3D and much else, And DASH inherits the open approach of a closely defined robust encryption mechanism that permits a variety of key management approaches to be implemented by DASH-compliant DRM vendors..

Mirroring the current process by which VCAS applies the encryption keys and inserts their identifiers into the manifest files as the streams exit the transcoder, the platform will use the same interfaces to extend the process into the MPEG DASH environment. DASH security from Verimatrix will also leverage the investment in the MultiRights entitlement mechanisms described above. As a result, service operators employing a VCAS base architecture and transcoders supplied by the Verimatrix ecosystem partners will be able to make the transition to the standardized platform seamlessly.

Over the past year the International Organization for Standards’ MPEG-DASH working group has made considerable progress in efforts to create a standard for ARS streaming with ever wider industry support for its efforts. Following draft ratification in November, the emerging standard has made impressive gains with participation of major CDN providers in early trials and the addition of Adobe to the long list of players who are backing the standard. Demonstrations of DASH in action were prevalent at major suppliers’ exhibits at the NAB Show in April, suggesting it’s only a matter of time before the platform goes into commercial use.

But the scale of usage, especially early on, remains in doubt. While Adobe is now on board, Apple has yet to signal whether it will support the standard or continue to focus on HLS as a way to draw content to its devices. Moreover, uncertainties about the extent to which MPEG DASH will be royalty free could impede its adoption. And there continue to be nuances in profile choices respecting some of the ancillary applications in the MPD that complicate matters.

Securing the Pay TV Future

Nonetheless, the industry as a whole is eager to see MPEG DASH succeed. Certainly wide scale embrace of the standard would go a long way toward making the content support capabilities of smart TVs far more compelling to end users, which in turn could provide a way to draw viewers to premium IP services delivered without set-top boxes and the use of traditional conditional access modes.

At this early stage in smart TV penetration when buyers are primarily pay TV subscribers, consumers have barely begun to use these connected models to view Web-based content. But that could change if, as predicted in a recent study by IMS Research, global shipments of connected TVs rise from 25 percent of the market last year to 70 percent by 2016. Already, 13 percent of U.S. adults are viewing Web video on the TV at least once a week by virtue of connections via digital multimedia devices, game consoles or the TVs themselves, according to the Leichtman Research Group.

Given the rapid rise projected for the shipment of connected TVs over the next four years, viewing online content from the TV set could become a mainstream phenomenon in that timeframe. Easy consumer access to protected content will be vital to content distributors’ ability to build subscription revenues from these connected TV viewers.

As things stand, smart TVs are purchased with streaming compatibilities tied to certain clusters of content, forcing the consumer who has an interested in viewing such content to make a choice of what can be seen based on which brand is purchased. MPEG DASH with its support for multiple streaming formats and DRMs as well as many advanced applications, promises to create a much more inclusive environment where the purchase of any TV will give the user access to any content streamed in the standardized mode.

Content distributors’ ability to leverage the VCAS 3 MultiRights framework in the MPEG DASH environment will allow them to offer premium content in expectation that their services will be available to the broadest possible audience of Smart TV users, once manufacturers embrace the standard. This will go a long way toward alleviating fears that connected TV viewing could become a threat to premium service providers.