SECURING 4K CONTENT

Christopher TaylorDirector of Content Protection

Sony Pictures Technologies

Review of Video Path

(1) Decryption / Decoding Threats

• Attacker extracts Device Key• Attacker extracts Content Key• Attacker captures decrypted

compressed content

Content encryption methods (1)Content delivery method

Global or unique?

How obtained by device

Issues Comments

Disc Global Complaint devices can derive from key block on disc

Compromise of a single device key set breaks the system

This is how BD is secured, and is vulnerable to single device failure

Disc Global Compliant devices are given key during online authentication at first play of a title. Key is then securely stored on device for <n> days

Need an online connection at first title signature. We think we can assume this.

Still vulnerable to single device failure, but once the device (type) identified, we can exclude vulnerable device types (but can we really?)

Online Unique, per device and per session

During online auth of the device

Online connection required

Some of the content is only delivered online. CP can decide if this content can be cached by device

Content encryption methods (2)Content delivery method

Global or unique?

How obtained by device

Issues Comments

Disc Hybrid Use m from n. Key is encrypted with a key derived via m from n method. Compliant device have m-1 parameters, and get the m’th online

Not really any more secure than delivery of the whole key at online authentication. But some mileage here?

Disc Global with diversity

Compliant devices are given key during online authentication at first play of a title. Key is then securely stored on device for <n> days

This content will be expensive – having different CEKs for different sku’s and maybe rev’ing the CEK every week or for every 1000 discs is not so expensive, comparatively. We should look into the cost of this.

(1) Decryption / Decoding Mitigations

• Actively monitor for DRM circumventions

• Watermark content to identify source of leaks

• Automatically revoke devices and/or device classes used for theft

• Unique obfuscation per Device/Title• Unique obfuscation per playback

session• Decode in Trusted Execution

Environment

(2) Framebuffer Threats

• Attacker captures raw frames from framebuffer

(2) Framebuffer Mitigations

• Encrypt frame data• Use protected framebuffer (e.g.

TrustZone)

(3) HDCP Source Threats

• Attacker captures raw frames from hacked driver

• Attacker captures raw frames from hacked video hardware

(3) HDCP Source Mitigations

• Require trusted drivers• Never send unencrypted frame data

to video drivers/hardware• Only send frame data to protected

video hardware on SoC (e.g. TrustZone)

• Require 3rd party verification of trusted hardware

(4) HDCP Sink Threats

• Attacker captures video from HDMI to analog interface

• Attacker creates HDCP stripper with stolen/generated Device Key

(4) HDCP Sink Mitigations

• Forensically watermark content to identify HDCP device

• Unique software obfuscation for HDCP sink session

• Automatic renewal of HDCP devices and/or device classes used for content theft

(5) Screen Threats

• Attacker captures video from screen using camera

(6) Screen Mitigations

• Forensically watermark content to identify user and playback devices

• Revoke devices that have been used for content theft