and Verimatrix Screen OTT Solution - CSI Magazine - OTT... · 2.4 CONTENT WORKFLOW – VOD STREAMING ... over limited arcs of the underlying network and, exactly like the case of

Vidiator and Verimatrix

Multi‐Screen OTT Solution ______________________________________________________________

Secure Content Delivery for

HTTP Live Streaming

February 2010 2011 Vidiator Technology, Inc. and Verimatrix, Inc. Page 2

Table of Contents 1. MULTI‐SCREEN DELIVERY ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ 4 1.1 VIDEO SERVICE PROLIFERATION ............................................................................................... 4 1.2 THE CHALLENGE OF PAY‐TV DELIVERY OVER UNMANAGED OTT NETWORKS .................................. 4 1.3 OTT CONTENT DELIVERY REQUIREMENTS ................................................................................. 4 1.4 ADAPTIVE BIT RATE STREAMING TECHNOLOGY OVERVIEW .......................................................... 5 1.5 HLS SECURITY CONSIDERATIONS ............................................................................................. 7 1.6 VIDIATOR AND VERIMATRIX JOINT SOLUTION ............................................................................ 7

2. SOLUTION OVERVIEW ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ 8 2.1 ARCHITECTURE ..................................................................................................................... 8 2.2 HEAD‐END KEY COMPONENTS ................................................................................................ 9 2.3 CONTENT WORKFLOW – LIVE STREAMING .............................................................................. 10 2.4 CONTENT WORKFLOW – VOD STREAMING ............................................................................. 10 2.5 USER EXPERIENCE ............................................................................................................... 11 2.6 CLIENT DEVICE SUPPORT ...................................................................................................... 11 2.7 MULTI‐SCREEN DELIVERY ..................................................................................................... 11

3. SUMMARY ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ 12 3.1 BENEFITS ........................................................................................................................... 12 3.2 FURTHER INFORMATION ...................................................................................................... 12


About the Companies

Vidiator Technology Inc. was founded in 2002 to research and develop technology solutions for delivering digital media content and programs to mobile users world‐wide. Today, Vidiator is one of the leading providers of digital media delivery solutions to world’s top operators and service providers offering home‐like TV experience to their customers. We are a fast growing software technology company with a dynamic, multi‐cultural team working together around the world.

Verimatrix specializes in securing and enhancing revenue for multi‐screen digital TV services around the globe. The award‐winning and independently audited Verimatrix Video Content Authority System (VCAS™) and ViewRight® solutions offer an innovative approach for cable, satellite, terrestrial and IPTV operators to cost‐effectively extend their networks and enable new business models, including OTT services.

Vidiator Technology, Inc. Verimatrix, Inc. 7th Floor Ann Jay Tower, 6825 Flanders Drive 718‐2, Yeoksam‐Dong, San Diego, CA 92121 Kangnam‐Gu Seoul 135‐920, KOREA USA Tel: +82 70 7012 2512 Tel: +1‐858‐677‐7800

www.vidiator.com www.verimatrix.com

© 2011 Vidiator Technology, Inc. and Verimatrix, Inc. Patents pending. All rights reserved.

Xenon and the Vidiator logo are either trademarks or registered trademarks of Vidiator Technology, Inc.

Verimatrix, VCAS, VCAS 3, ViewRight, VideoMark, the Verimatrix logo and the VCAS 3 logo are trademarks or registered trademarks of Verimatrix, Inc.

All other trade names, trademarks, or registered trademarks are trade names, trademarks or registered trademarks of their respective companies.

Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Vidiator Technology, Inc. or Verimatrix, Inc.


1. Multi‐Screen Delivery

1.1 Video Service Proliferation We live in an era characterized by proliferation of video services across all types of networks and devices. Users increasingly expect content anywhere, anytime supported by whole‐home and network digital video recorders, and on mobile devices. Pay‐TV operators must adapt business models to these irreversible subscriber expectations. The convergence of broadcasting, broadband and mobile communications represents an opportunity for innovative service providers to expand offerings and grow revenues. Optimizing content monetization in a multi‐network, multi‐screen environment becomes a genuine challenge.

1.2 The Challenge of Pay‐TV Delivery over Unmanaged OTT Networks Traditionally, pay‐TV content has been distributed on managed networks where the bandwidth is guaranteed and robust. This allowed operators to distribute video content to devices on their managed network, such as TVs and computers. In the past few years, there has been a large influx of device categories that have the ability to perform video playback. Laptops, mobile phones, smart phones, net books, and web pads are some of these devices. These devices are typically connected to un‐managed OTT networks such as 3G, home networks and Wi‐Fi hot spots. These un‐managed networks allow the user to have the ability to surf the web from virtually any location.

Coming from a completely different direction than traditional IPTV or DVB pay‐TV distribution via managed networks, OTT video delivery has always suffered from unmanaged, multi‐hop distribution that forms the backbone of the Web. Video is an exacting type of content, requiring relatively high data rates and very low rates of packet loss or delay. Unstable bandwidth availability results in long startup times, stuttering playback, degraded video quality and unpleasant audio effects.

These effects have only been partially offset by the use of high compression codecs, and non‐real time delivery techniques, such as progressive download. HTTP delivery solutions can only improve Quality of Service (QoS) over limited arcs of the underlying network and, exactly like the case of traditional video delivery systems, improved QoS over the network past the last mile does not guarantee subjectively acceptable performance for the consumer.

The basic challenge then is that the traditional guidelines for an acceptable quality, enjoyable video experience at a single bit rate can only be provided in the limited circumstances of fully controlled delivery pipes. Those pipes have to terminate at devices that are logically separated from the dynamics and unpredictability of a shared general purpose broadband service in the home. Subjective Quality of Experience management over multi‐hop OTT delivery has therefore previously seemed unrealistic. Yet consumers, unaware how these worlds have been independently constructed, demand that content flows freely whenever and wherever they want to consume it.

1.3 OTT Content Delivery Requirements Flexibility is essential to mobile and Internet TV/OTT, which requires solutions to these challenges:

Open standards‐based approach to foster innovation, interoperability, with choice and expansion of technology supplier options.

Adaptation to variable last mile throughput to ensure an optimized TV user experience.

Highly scalable, easy‐to‐deploy and operate products for rapid network deployment.

Multiple network support – broadband, 3G/4G wireless, Wi‐Fi, WiMax, etc.

OTT streaming using shared codecs and formats with IPTV, DVB and hybrid networks.


Additionally, various technologies are required to satisfy content protection and Digital Rights Management requirements for OTT delivery of premium content to enable revenue models for successful multi‐screen service delivery:

Device authentication: Prior to entitling a device to any services, it must be authenticated as a valid device, preferably based on Public Key Infrastructure (PKI) and X.509 certificate principles.

Entitlements checking: Before a decryption key can be issued, it is necessary to determine if the requesting user has the rights to consume the content.

Secure key distribution: Upon positive entitlements verification, a key needs to be provided to the user’s device(s) in a secure manner.

Secured content delivery: Content encryption, typically based on the proven and robust AES algorithm with a 128‐bit key.

1.4 Adaptive Bit Rate Streaming Technology Overview Fortunately, the technology behind video delivery services is evolving to keep pace with market dynamics. The emerging substitute for managed network delivery of video is the technology of adaptive bit rate (ABR) streaming. This technology originated on the PC platform, but is also an example of a delivery format that is particularly suited to mobile content delivery and is increasingly of interest to all connected devices, including STBs and TVs.

Adaptive rate streaming eliminates the concept of network managed QoS in favor of a client managed consumer experience. The delivery technology makes use of what the Web does best – efficient and massively scalable delivery of data using the HTTP protocol.

Figure 1: Adaptive Bit Rate Streaming in Action

Multiple HTTP‐based adaptive streaming formats are being promoted in proprietary ecosystems. Apple’s HTTP Live Streaming (HLS) format, submitted to the IETF (http://datatracker.ietf.org/doc/draft‐pantos‐http‐live‐streaming/), has been gaining support by a growing number of ecosystems of encoder and web server suppliers. VCAS for Internet TV enhances the basic security provided by the protocol by adding device authentication and entitlement verification, ensuring that only authorized users are supplied with content decryption keys.


From a server point of view, HLS media is offered through a single URL reference, in simultaneous parallel streams that are configured to offer a choice of several different bitrates and aspect ratios. The streams are each segmented into logical time segments, or “chunks” (typically 3‐10 seconds in duration) where these chunks have synchronized start and end times across the set of component streams. Each client device receiving the service dynamically detects its capabilities and current network conditions (from its local perspective all the way back to the content source).

The HLS server can host several different bit rate encodings of the same video content. Each bit rate encoding has a separate playlist, which is defined by a master playlist. These playlists are in M3U format and contain the complete list of chunks in order, or three segments at a time as a floating window in case of live streams. When the client detects conditions of either insufficient bandwidth, or of more available bandwidth, it can switch to either the lower or higher bit rate playlist and download the chunks in that list. Since each chunk is synchronized with those in other bit rate streams, there is a seamless transition between bit rates so that the video playback is not interrupted. This maintains a high quality user experience in the face of dynamically variable network conditions, or even when roaming from network to network.

Figure 2: HTTP Live Streaming ‐ Example

Consumers with high‐bandwidth connections and more capable hardware devices can experience HD quality streaming, while others with lower bandwidth or mobile devices receive a stream optimum to their conditions. Each type of audience can enjoy an uninterrupted experience with the highest quality possible, even as they roam from one network environment to another.

Therefore, adaptive rate streaming of video provides an optimum‐quality viewing experience that scales effectively on global and local networks, makes highly effective use of today’s improved wireless networks, and ensures that true HD media experiences over the Internet can become a reality.


1.5 HLS Security Considerations Another important aspect of OTT distribution, as with any delivery strategy, is a secured content transport and consumption model. HTTP adaptive streaming protocols typically implement a mechanism to encrypt the video chunks. In the case of the HLS protocol, the chunks can optionally be encrypted using the AES‐CBC‐128 block encryption algorithm.

During encryption, a randomized encryption key must be generated on a regular basis for each program stream. This key is a 16‐octet value, representing a 128‐bit key value. When the playlist is created, the reference to this 16‐octet value is built in via a “key file” reference at a distinct server URL. Each key file reference is followed by the URLs for the chunks encrypted with the key.

For additional security, since the video content is being encoded and sliced into time sequenced chunks, each individual chunk is assigned a 64‐bit sequence number, which is incremented with each time period. This sequence number is by default used as the initialization vector (IV) of the CBC mode encryption of each individual chunk. Each chunk is then 100% encrypted from beginning to end using this block cipher and the predetermined key. When a client device encounters a key file reference in the playlist, the key must be securely fetched from the server and then be used to decrypt each subsequent chunk until another key file reference is encountered.

1.6 Vidiator and Verimatrix Joint Solution The combined Vidiator and Verimatrix OTT solution outlined next embodies full support for the HLS protocol. The joint solution is further enhanced by the proven Verimatrix security techniques as applied to premium IPTV services, such as device authentication and entitlement management in addition to the HLS baseline security.

The solution provides a solid foundation for launching and operating premium Internet TV/OTT services successfully. It can be deployed by existing managed network operators, providing cable and satellite or IPTV service providers with new outlets, advertising dollars and subscriber revenue in parallel to their existing offer. It is also an ideal solution for “greenfield” OTT operators with no previous service legacy. The solution supports both linear and on‐demand services and Network PVR (NPVR) for programmed recording, catch‐up and go‐back TV.


2. Solution Overview

2.1 Architecture The solution architecture depicted below consists of the Vidiator Xenon™ Converged Delivery Solution in combination with the third generation Verimatrix Video Content Authority System, VCAS™ 3, for revenue security and usage rights management.

Figure 3: Vidiator and Verimatrix Integrated OTT Solution

The integrated head‐end provides a multi‐format solution supporting secure OTT services to multiple screens and across multiple transports. The combined HLS solution offers:

Support for MPEG‐TS or H.264 sources from satellite, terrestrial or baseband signals.

Encoding, encapsulation and packaging based on H.264 codecs, MPEG‐2 TS and AES encryption, thus enabling straightforward integration into existing pay‐TV head‐ends.

High availability thanks to N+M or 2N redundancy in the Xenon solution components.

Support for live, near‐live and file‐to‐file for VoD and NPVR services.

Native support (QuickTime player) by popular consumer devices, including Apple iPhone, iPad, iPod Touch, as well as the Mac.

Open standards allowing a tight integration of the technology into client‐side products.


For operational aspects and robustness of the ecosystem, a tight key provisioning interaction has been designed between the Vidiator Delivery Solution and the Verimatrix MultiCAS/Adaptive, which entails an automatic exchange of encryption information between the Xenon and VCAS components. Additionally, content providers require the interaction itself to be secured. This requirement is satisfied by a joint definition and development of a secure communication interface between Vidiator and Verimatrix.

2.2 Head‐end Key Components The joint head‐end is composed of the following elements:

Xenon™ Live Encoder is a professional software tool, which simplifies the encoding of live content from a variety of feeds, ready for streaming to multiple platforms. The encoder encodes the same video input in multiple resolution and multiple bit rates suitable for HLS.

Xenon™ Offline Encoder is a flexible offline encoding application that can create offline files on a wide variety of input formats. The offline encoder encrypts segmented files ready for delivery with AES‐128 encryption.

Xenon™ Streaming Mediator segments the continuous video stream received from Xenon Live Encoder on the fly. Subsequently, Xenon Streaming Mediator does encrypt the file segments, utilizing the key provided by the Verimatrix ACSM server. Furthermore; this component can fragment Adobe HTTP and Silverlight HTTP compliant streams on the same input from XLE.

Xenon Delivery Solution: Xenon™ Delivery Solution simplifies three‐screen video and audio delivery, either on‐demand or as a live stream. The delivery solution works with all current HTTP streaming formats, including iPhone, RTSP, HTTP, Silverlight, and Adobe, whilst only needing to be encoded once, making for a simple, seamless delivery for both the content provider and the viewers.

Operator interface: The HTTP delivery solution is efficiently managed by Xenon Administration Center (XAC). XAC is Vidiator’s one‐stop administration solution for configuring and controlling streaming and implementing high availability to ensure optimal user experience.

Redundancy implementation: Vidiator’s delivery solution encodes, segments streams, and delivers HTTP streams to clients. A conjunct of Xenon modules implement these functions. These components employ differing redundancy models to ensure high availability. Multiple instances of the Xenon Delivery Solution (XDS) share capacity. Xenon Live Encoder and the live segmenter module can offer the choice of two redundancy options. Under the 2n redundancy option, two active encoders provide a primary and secondary live content stream for the segmenter to choose from in case of failure of one them. The resource efficient n+m redundancy model provides active‐passive redundancy by using one redundant spare module which is activated, or deactivated through XAC intervention. Seamless session hand‐over in case of a primary component’s failure is supported.

Verimatrix Operator Management Interface (OMI) – The core administrative VCAS 3 component, OMI provides a single VCAS integration point for customer care, billing and middleware systems through a set of content, device and entitlement management interfaces. OMI enables VCAS domain‐based business models for multi‐screen digital TV services by providing homogenous subscriber and rights management for heterogeneous delivery networks and devices: DVB, IPTV, Internet TV/OTT, and hybrid combinations.

Verimatrix Adaptive Content Security Manager (ACSM) – ACSM contains the VCAS for Internet TV security components for networks implementing HLS. ACSM secures cross‐platform content delivery to a variety of device categories, including PC/Macs, mobile handsets, web pads, STBs, connected TVs, etc.


ACSM supports authentication, key distribution and user control and acts as the root Certificate Authority in a PKI hierarchy. It uses X.509 certificates to validate and authorize all content protection communication within the pay‐TV network, including messaging between VCAS sub‐system components as well as between VCAS and authenticated subscriber receivers.

Verimatrix MultiCAS™/Adaptive and VPP/Adaptive ‐ Encryption keys are generated by the ACSM and provided to XOE.XLE via the MultiCAS or VPP key provisioning interface. The Vidiator segmentation module then undertakes the actual AES encryption of the streaming chunks prior to downstream distribution.

2.3 Content Workflow – Live Streaming An important aspect of OTT delivery, as with any video service, is the secure transport of the content.

The management of the encryption process, and the control of secured delivery of these keys to clients, is at the heart of the Verimatrix enhanced security layer applied to the HLS standard. All HTTP based streaming protocols implement a mechanism to encrypt the individual video chunks. In the case of the HLS protocol, each chunk can optionally be encrypted using the AES‐CBC‐128 block encryption algorithm to provide the first level of delivery security.

The Vidiator encoder is responsible for receiving the video and encoding it into different bit‐rates. Once the different bit‐rate tracks are encoded, they are sliced into chunks which are synchronized and assigned sequence numbers. At this point, the chunks are ready for encryption.

The Vidiator encoder transmits the AV content stream to the segmentation module. The Vidiator segmentation module contacts the VCAS server via the key provisioning interface and requests a key. The segmentation module then takes this key to encrypt each chunk using the AES‐128 encryption algorithm. These encrypted chunks are placed in file storage to be used by the Xenon Delivery Solution along with a regularly updated live streaming playlist that includes the key references for instant streaming. The segmentation module can be configured to regularly remove the file chunks at appropriate times.

Verimatrix enabled client devices are able to read the playlist for any video stream and extract the key references. During the playing of the stream, the client requests a key from the VCAS server over a secure connection, and a device‐unique identifier is sent along with the request. The VCAS server uses its entitlement reference database to determine if this unique client identifier is authenticated and entitled to the video being played. If so, the VCAS server will return the 16‐byte key to the client. This key will be used to decrypt the video chunks so the device can proceed with playback of the video content.

Verimatrix VCAS for Internet TV is the key management solution for the OTT head‐end encoders and client devices. The tight integration with VCAS includes important extensions to the standard model that improve the capability to support subscription and transaction based pay‐TV services. In particular, VCAS for Internet TV ensures that decryption keys are managed and selectively distributed to authorized clients only. This solution provides secure OTT content delivery to authorized clients via entitlement checks and provides the foundation for premium OTT pay‐TV services.

2.4 Content Workflow – VOD Streaming Xenon Offline Encoder encodes segments and encrypts VOD files before they are to be streamed. These ready‐encrypted segment files are placed in file storage along with its corresponding streaming playlist that includes the key references. The Vidiator HTTP Downloader will access the segment files and when a VOD index file is requested and deliver the video to the viewing client.


2.5 User Experience The end‐to‐end solution is designed to optimize the user experience by giving operators precise control over key parameters of an HLS service to achieve the best results, including:

Range of bit rate choices – more bit rates give better ability to optimize quality on a given client

Server side playlist – Simplifying the process of creating TV‐loops and enable use cases with individual TV channels

Server side bookmarks – enables clients to pick up where they last stopped.

Chunk length – compression optimization to adjust for bandwidth variations

Key mutation rate – enable finer grain entitlement control and resilience against sharing attacks

Playlist length – enables clients to navigate forward and backwards over a substantial period of content.

Step‐up and step‐down heuristics – how frequently to change rates for smooth playback experience.

2.6 Client Device Support The Verimatrix ViewRight Web client is a robust package of portable code that implements VCAS device authentication functions in devices that can support HLS video services. ViewRight Web secures video delivery to a variety of devices, including:

PC/Macs

iPhone OS 3.0+ devices (iPhone, iPad, iPod Touch)

Android OS‐based devices

Connected TVs.

Set‐top boxes.

2.7 Multi‐Screen Delivery VCAS can support HLS in stand‐alone OTT service configurations or it can be utilized as part of a unified security head‐end supporting multi‐screen deployments pairing OTT delivery alongside IPTV or DVB services as depicted below.

Vidiator encoders support multi‐screen distribution models and can be configured to encode content for these other applications.

A single content authority, VCAS plays a vital role in the transition towards multi‐screen services. Operators benefit from a unified revenue security architecture, which not only brings significant cost and operational savings from managing just one platform, but also enables the deployment of a transparent security regime across all the network and device permutations that subscribers demand. A unified revenue security approach eliminates the potential impact of disparate usage rights policies, allowing consumers to simply enjoy what they have acquired.

Figure 4 – ViewRight Web for iPhone


3. Summary

3.1 Benefits This paper describes the ecosystem, dataflow and components required to deliver a high quality and secured Internet TV/OTT television experience to a variety of devices. This solution is pre‐integrated and thoroughly tested by Vidiator and Verimatrix.

Based on Vidiator Xenon platform, Verimatrix VCAS and ViewRight technologies, the integrated solution delivers the key functions for an optimal, premium Internet TV service:

Protected Delivery: Tightly integrated with secure VCAS key management, strong and standard AES‐128 encryption is applied in Xenon in order to protect the content delivery from its origin to the subscriber.

Digital Rights and Business Model Management: Based on rules established by the operator’s business and subscriber management system, and realized through the Verimatrix VCAS for Internet TV solution, devices are authenticated and the user is granted consumption rights, described in entitlements, based on the specific subscription properties. Encryption keys are generated by VCAS and provided to the Vidiator streamer via the key provisioning interface. VCAS ensures that decryption keys are managed and securely distributed to authenticated and authorized client devices only.

High‐Quality User Experience: The entire solution has been designed to provide an excellent quality of experience for consumers that will support the growth and retention of subscription services. Content security is transparent to viewers, ensuring easy access to the uninterrupted experience offered by the HLS adaptive bit rate streaming technology.

Available Now: The solution is ready for immediate field deployment and will benefit any service operator that plans to extend its service offerings beyond traditional managed networks by launching Internet TV to STBs, connected TVs, PCs/Macs and a variety of mobile devices.

3.2 Further Information For further details on adaptive rate streaming and corresponding video services opportunities, please download the white paper “Adaptive Rate Streaming: Pay‐TV at an Inflection Point”.

To find out more about the Vidiator XENON Converged Delivery Solution and the additional functionality it can provide, please visit www.vidiator.com.

Further information about the Verimatrix VCAS for Internet TV content and revenue security solution is available at www.verimatrix.com/solutions/vcasinternettv.

For specific information on Apple and HTTP Live Streaming, see the iPhone OS Reference Library.

Documents

and Verimatrix Screen OTT Solution - CSI Magazine - OTT... · 2.4 CONTENT WORKFLOW – VOD STREAMING ... over limited arcs of the underlying network and, exactly like the case of