Enhanced HTTP Live Streaming Security for OTT Pay-TV Services
The Verimatrix Video Content Authority System (VCAS™) for Internet TV is a complete system for authenticated and protected video service delivery over unmanaged networks using HTTP Live Streaming (HLS), an adaptive bitrate streaming protocol. It enables secure over-the-top (OTT) video service delivery, alongside established pay-TV methods and technologies, to connected TVs and STBs, PCs/Macs, and a range of Apple and Android mobile devices, all governed by the unified VCAS security authority.
The HLS protocol is increasingly adopted by OTT service providers for live, catch-up and on-demand services. The core protocol provides automatic bitrate adaptation: a single stream URL can be shared between devices with different screen resolutions, processing power and last-mile network bandwidth, and each client selects the rendition that suits its own combination of these parameters, re-selecting as conditions change, for instance when a device roams between networks. This also lets operators reach outside their traditional service areas and extend pay-media services to mobile users over Wi-Fi, WiMax and 3G/4G networks.
HLS is well suited to a VCAS multi-screen security deployment, and the baseline protocol already defines a security model for service delivery: media segments are encrypted with AES-128 and the playlist carries the URI from which the client fetches the key. Tight integration with VCAS adds important extensions to this baseline, which improve the capability to secure premium subscription and transaction-based pay-TV services.
Verimatrix Adaptive Content Security Manager
The Verimatrix Adaptive Content Security Manager (ACSM) is the core component of the Verimatrix Video Content Authority System (VCAS™) for Internet TV.
ACSM provides authentication, key distribution and user control, and acts as the root Certificate Authority in a PKI hierarchy. It uses X.509 certificates to validate and authorize all content protection communication within the pay-TV network, including messaging between VCAS sub-system components as well as between the head-end system and authenticated subscriber receivers. The receivers are equipped with Verimatrix ViewRight™ Web software-based clients.
Specifically, ACSM serves the HTTPS requests for the key files associated with each live program stream and on-demand asset, and it ensures that decryption keys are managed and distributed only to authorized clients, in conjunction with the Verimatrix MultiCAS/Adaptive and VPP/Adaptive servers.
MultiCAS/Adaptive and VPP/Adaptive Servers
The Verimatrix MultiCAS/Adaptive and VPP/Adaptive servers integrate high-performance third-party HLS encoder/scramblers with Verimatrix software-based content security. Content encryption keys are generated either by ACSM or by the encoder/scrambler and exchanged over the MultiCAS interface for live streaming services and over the VPP interface for on-demand content preparation. The encoder/scrambler then AES-encrypts the media segments before downstream distribution or storage on the on-demand server. The key exchange interface supports:
- Authenticated connections
- Program stream identification
- Key file URL generation for playlist references
- Programmable key change interval
- Performance scaling to any size of encoder array
- Optional workflow management for on-demand asset encoding and encryption through VPP/Adaptive, depending on the operational characteristics of the encoder/scramblers.
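As an added illustration, not Verimatrix code and not a description of how VCAS is implemented, the following Go program models the exchange described in the two sections above: a scrambler that rotates the content key on a programmable segment interval, encrypts each segment with AES-128-CBC using the HLS default IV, and writes EXT-X-KEY references into the media playlist; a key server standing in for ACSM that releases a key only to a device entitled to the program the key protects; and a client that walks the playlist, fetches keys and decrypts. The key URL scheme under acsm.example.net, the program identifier prog42, the device identifiers stb-0001 and stb-0002, the sample segments, and the use of a plain device ID in place of the X.509 client-certificate identity on the TLS session are all assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"strings"
)

// cryptSegment applies AES-128-CBC with PKCS#7 padding to one media segment, using the
// HLS default IV (RFC 8216): the media sequence number as a 128-bit big-endian integer.
func cryptSegment(key []byte, seq int, data []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil || !encrypt && (len(data) == 0 || len(data)%aes.BlockSize != 0) {
		return nil, fmt.Errorf("bad key (%v) or ciphertext length %d", err, len(data))
	}
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], uint64(seq))
	if encrypt {
		n := aes.BlockSize - len(data)%aes.BlockSize // always 1..16 bytes of padding
		data = append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
	}
	out := make([]byte, len(data))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
		return out, nil
	}
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, data)
	if n := int(out[len(out)-1]); n >= 1 && n <= aes.BlockSize {
		return out[:len(out)-n], nil
	}
	return nil, fmt.Errorf("bad PKCS#7 padding")
}

// KeyServer is a hypothetical stand-in for ACSM: registered content keys plus the entitlement table.
type KeyServer struct {
	keys         map[string][]byte          // key URI -> content key
	program      map[string]string          // key URI -> program ID it protects
	entitlements map[string]map[string]bool // device ID -> entitled program IDs
}

// FetchKey models the HTTPS key-file request; deviceID stands in for the identity the server
// would take from the device's X.509 client certificate. Unknown URIs fail closed (program "").
func (s *KeyServer) FetchKey(deviceID, uri string) ([]byte, error) {
	if !s.entitlements[deviceID][s.program[uri]] {
		return nil, fmt.Errorf("device %q is not entitled to key %q", deviceID, uri)
	}
	return s.keys[uri], nil
}

// Scramble plays the encoder/scrambler: a fresh key every keyInterval segments, each segment
// encrypted under the current key, and a playlist whose EXT-X-KEY tags carry the (hypothetical) key URIs.
func Scramble(ks *KeyServer, programID string, segs [][]byte, keyInterval int) (string, [][]byte, error) {
	pl, enc := "#EXTM3U\n#EXT-X-VERSION:3\n#EXT-X-TARGETDURATION:6\n#EXT-X-MEDIA-SEQUENCE:0\n", make([][]byte, len(segs))
	var key []byte
	for i, seg := range segs {
		if i%keyInterval == 0 { // programmable key change interval
			key = make([]byte, 16)
			rand.Read(key) // crypto/rand.Read cannot fail since Go 1.24; check its error on older toolchains
			uri := fmt.Sprintf("https://acsm.example.net/keys/%s/%d", programID, i/keyInterval)
			ks.keys[uri], ks.program[uri] = key, programID
			pl += fmt.Sprintf("#EXT-X-KEY:METHOD=AES-128,URI=\"%s\"\n", uri)
		}
		var err error
		if enc[i], err = cryptSegment(key, i, seg, true); err != nil {
			return "", nil, err
		}
		pl += fmt.Sprintf("#EXTINF:6.0,\nseg%d.ts\n", i)
	}
	return pl + "#EXT-X-ENDLIST\n", enc, nil
}

// Play is the client: walk the playlist, fetch each key where it is announced, decrypt what follows.
func Play(ks *KeyServer, deviceID, playlist string, enc [][]byte) ([][]byte, error) {
	var key, pt []byte
	var plain [][]byte
	for _, line := range strings.Split(playlist, "\n") {
		var err error
		if strings.HasPrefix(line, "#EXT-X-KEY:") {
			key, err = ks.FetchKey(deviceID, line[strings.Index(line, `URI="`)+5:len(line)-1])
		} else if line != "" && !strings.HasPrefix(line, "#") { // a segment URI line
			pt, err = cryptSegment(key, len(plain), enc[len(plain)], false)
			plain = append(plain, pt)
		}
		if err != nil {
			return nil, err
		}
	}
	return plain, nil
}

func main() {
	ks := &KeyServer{map[string][]byte{}, map[string]string{}, map[string]map[string]bool{"stb-0001": {"prog42": true}}}
	pl, enc, _ := Scramble(ks, "prog42", [][]byte{[]byte("chunk 0"), []byte("chunk 1"), []byte("chunk 2")}, 2)
	_, err := Play(ks, "stb-0002", pl, enc) // no entitlement: the key request is refused
	fmt.Print(pl, "unentitled device: ", err, "\n")
}
```

Baseline HLS stops at the EXT-X-KEY reference; what the entitlement table adds is the per-device, per-asset decision taken at key-request time, which in a real deployment rests on the mutually authenticated TLS session described under ACSM rather than on a bare device identifier as here. The code uses only Go's standard library and runs with `go run`; a client that fails to obtain a key stops before decrypting anything, which is the intended fail-closed behaviour.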
To learn more about adaptive streaming technology and its benefits, please download the Verimatrix white paper "Adaptive Rate Streaming: Pay-TV at an Inflection Point".
Specifications
- Platform OS: Red Hat Enterprise Linux 6.5
- Database: Oracle 11g Enterprise Edition
- Sub-system interfaces: Authenticated via PKI and X.509 digital certificates.
- GUI: Java-based administrative functions, delivered securely through the OMI component.
- Event logging: Comprehensive and secure.
- Implementation: Single machine or distributed load balanced cluster.
- Encryption: AES-CBC (HLS AES-128), performed by encoders/scramblers from vendors such as Ateme, Cisco, Elemental, Envivio, Harmonic, Juniper Networks, RGB Networks, Vidiator, Wowza and others.
- Device Authentication: Flexible auto-configuration and one-time field provisioning.
- Media Entitlement: Efficient asset by asset entitlement validation via reference to subscriber/device database.
- Key File Delivery: Over SSL/TLS with device (client certificate) authentication.
- Network management: SNMP v1, v2c, v3