EBU extends BISS protection to IP, adds watermarking

The EBU (European Broadcasting Union) has revamped its longstanding BISS protocol used for protecting satellite contribution to support live content transmission with Conditional Access (CA) across both broadcast and IP networks. It is aimed at sports federations and other rights holders seeking an interoperable way of distributing live content to business partners over either IP or broadcast infrastructures, but with special focus on Software Defined Networks (SDNs).

The EBU first developed BISS (Basic Interoperable Scrambling Standard) in 2002 to secure contributions over satellite networks, with help from several security hardware vendors. But as a sign of the times it is two French firms noted for software skills, neither security specialists, to which the EBU turned for help this time. These were codec vendor Ateme and Nevion, which was recruited for its skills managing SDNs controlled via the Openflow protocol, separating control and forwarding of data through commodity virtualized devices.

Ateme’s role was to ensure interoperability between the CA controller in the network and compliant encoders or decoders from any vendor. Success of the extended BISS-CA protocol therefore relies on support from at least the principal encoder vendors, with Ateme naturally being the first to implement it in its Titan and Kyrion products.

The protocol addresses the challenge of establishing secure communication over any network (in principle) and particularly unmanaged IP infrastructures. Now security would be easy if the sender and receiver could meet up constantly to exchange the private keys used to encrypt the data they then send to each other, because the bar could then be raised so high that compromise is effectively impossible. But in practice this is impossible, so mechanisms have been devised to exchange such credentials as securely as possible. The problem is to maximize the challenge required to intercept such keys, while renewing them frequently to reduce risk of subsequent discovery of the credentials.

The EBU has made no innovation on this front, continuing to use both asymmetric RSA public key cryptography and symmetric AES in combination, but has added some extra protection to cope with unmanaged networks. It has also incorporated support for forensic watermarking to enable identification and potential immediate revocation of pirated live streams. It is therefore worth considering what the EBU has done differently here from traditional implementations of public and symmetric key cryptography.

Normally RSA public key cryptography is used to distribute session keys subsequently used to encrypt key words for scrambling the content itself. The sender uses a public key associated with a given receiver but available to anyone to perform this encryption. The receiver has to be registered with the associated private key, uniquely placed to decrypt the encrypted session key. This enables acceptably secure transmission of the credentials needed for subsequent encryption of the payload content. The process could be compared crudely to publishing a dictionary from say English to French so that people can look up keywords to translate but withholding the corresponding French to English dictionary required for the reverse look up. Only authorized recipients hold that reverse dictionary – the private key. Then the more powerful, but less computationally intensive scrambling is applied to the payload.

The first point to note is that the EBU’s scrambler has four modes of operation, of which only the last two embody the new innovations and are therefore of relevance. These operate in a hierarchy of increased protection so that any system that supports a given mode must also implement all the lower modes.

Mode 0 involves no scrambling at all while Mode 1 scrambles content with a session word (SW) but transmitted out of band in the clear to offer some protection. Then under Mode E content is scrambled via a SW in turn encrypted with a fixed session key (SK), which is then transmitted out of band to the receiver. Finally, under Mode CA content is scrambled with a SW which is encrypted via a SK and then transmitted within the stream along with the key information. In all cases the scrambling is applied at the transport stream level.

Under BISS-CA, the highest mode, a SW is used as an input to the transport stream scrambling algorithm to scramble individual service components. The SW is then encrypted with a symmetric cipher (AES-128) using a SK. The SK that is required to decrypt the encrypted SW is then encrypted individually with an asymmetric cipher via RSA-2048 using the public key of each given entitled receiver. Only the receiver possessing the corresponding private key can decrypt that encrypted SK.

The set of individual encrypted SKs are then transmitted to receivers’ in-band in the transport stream via Entitlement Management Messages (EMMs), which effectively provide the authorization to access the content. An Entitlement Control Message contains access criteria and a scrambled key called a control word. The scrambled transport stream, the EMM and also the Entitlement Control Message containing access criteria are then multiplexed in the given transport stream.

This may sound like traditional CA, but there are a few enhancements in BISS-CA. Firstly to improve security of each BISS-CA session, SWs and SKs are generated automatically using a cryptographically secure random number generated by the sender/scrambler and continually renewed. Neither the SW nor SK are ever available in clear text via control APIs or other scrambler management interfaces.

Just as importantly, the EBU has addressed the potential vulnerabilities of any system relying ultimately on public key cryptography, relating to the security of storage of the crucial secret private keys and identity of receiving devices. Here the system has to address the two distinct use cases of managed and unmanaged networks.

The fundamental idea here is the insertion of public/private key pairs in devices either during manufacture or operation to provide some level of hardware security. In the case of managed networks, key pairs are generated by a management center and injected into the receivers before dispatch. The keys database is then managed by that management center.

Then for unmanaged networks, keys would be injected by the manufacturer and are referred to as buried keys. Again, these would be unique public/private key pairs, which could be combined with serial numbers, other buried IDs and unique identifiers such as license numbers in the case of a software implementation to uniquely identify a receiver.

In this second case the private key would remain buried and inaccessible even to the operator. Therefore, the operator would need a mechanism that authenticates the origin of the device, which could be achieved via a self-generated key certified by a trusted central authority.

With all these pieces in place, the EBU’s BISS-CA is a serious contender for interoperable B2B CA across IP networks, but it is too early to tell if it will gain the same take-up as the original BISS for satellite contribution.