7
368 IEEE Transactions on Consumer Electronics, Vol. 60, No. 3, August 2014 Contributed Paper Manuscript received 07/01/14 Current version published 09/23/14 Electronic version published 09/23/14. 0098 3063/14/$20.00 © 2014 IEEE SC-DVR: A Secure Cloud Computing Based Framework for DVR Service Junggab Son, Student Member, IEEE, Rasheed Hussain, Student Member, IEEE, Hunmin Kim, Student Member, IEEE, and Heekuck Oh, Member, IEEE Abstract Typical digital video recorders (DVRs) have limited storage capacity, and it is not easy for them to share content among user devices. However, if DVRs are extended to the cloud-based infrastructure, conversion of content and sharing it among multiple devices can be made possible through the computing power. To provide secure cloud computing service, appropriate measures are necessary to protect the computing processes performed on the content from inside and outside attackers. A content encryption scheme is a simple and effective way to protect content from attackers; however, if an encryption scheme is used, the user cannot use computing resources that can be used for media computation. This paper proposes a secure cloud DVR framework based on personal virtualization to securely provide various functions through cloud resources. The proposed scheme uses an input/output management unit (IOMMU), which serves as direct memory access (DMA) remapping for constructing secure personal virtualization. Using IOMMU, it is difficult for inside attackers to know which memory area is the actual memory of the target user. Therefore, secure computation in the cloud computing is possible through IOMMU. The proposed scheme uses an IOMMU based cloud computing to hide media computation from inside attacker, and a public cloud to increase efficiency. 1 Index Terms Digital Video Recorder (DVR), Cloud-DVR (C-DVR), Network-DVR (N-DVR), Security Framework 1 This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Ministry of Education, Science and Technology (No. 2012-R1A2A2A01046986); This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MEST) (No. 2012-R1A1A2009152); This research was supported by the MSIP (Ministry of Science, ICT & Future Planning, Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2013- H0301-13-1002) supervised by the NIPA (National IT Industry Promotion Agency); This research was supported by the MSIP (Ministry of Science, ICT & Future Planning, Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2014-H0301-14-1044) supervised by the NIPA (National IT Industry Promotion Agency). Junggab Son is with the Department of Computer Science and Engineering, Hanyang University, Ansan, Korea (e-mail: [email protected]). Rasheed Hussain is with the Department of Computer Science and Engineering, Hanyang University, Ansan, Korea (e-mail: [email protected]). Hunmin Kim is with the Department of Computer Science and Engineering, Hanyang University, Ansan, Korea (e-mail: [email protected]). Heekuck Oh is with the Department of Computer Science and Engineering, Hanyang University, Ansan, Korea (e-mail: [email protected]). I. INTRODUCTION Digital video recorders (DVRs) are devices used by consumers to store video content by employing home appliances or a software. A DVR is typically embedded in a set-top box (STB) or television (TV). Because it stores on an hourly basis video content received via a conditional access system (CAS) of an internet protocol TV (IPTV) or digital TV (DTV) in a built-in Hard disk drive (HDD), it enables a time- shift and supports trick-play modes, such as fast search, slow motion, navigation, and so on [2], [3]. Recent advances in cloud computing technology have drastically changed the shape of the current computing industry. By exploiting innovative technology, companies and consumers can purchase computing resources from a cloud service provider rather than establishing and maintaining their own computing environment, which is usually much more expensive than paying corresponding cloud services per use [4]. On account of such benefits, the cloud computing paradigm has been adopted by a wide range of businesses and organizations. It is also constantly developing because of the proliferation of mobile devices and the need for the extension of limited mobile device resources. Because cloud computing makes it possible to store and process large amounts of digital media, media services with cloud computing are the most outstanding aspects of applications [5]. One recent trend is that a user has several smart devices through which he/she would like to view the media content [6]. However, mobile devices do not have sufficient power to run the computing-intensive operations, such as encoding and decoding procedures of media content [7]. Using cloud computing a media service can outsource the encoding, delivering, and managing processes of the media content. Mobile devices in a media service can be used as terminals that receive streaming content from a cloud server. A cloud DVR (C-DVR) is a cloud-integrated media service [8]. The C-DVR stores content in a cloud via networks unlike typical DVRs, which store data in an HDD. Because C-DVR incurs a charge for only the amount used, it involves a low maintenance cost; moreover, because it is comfortable to have devices that share information, it can flexibly manage content. Additionally, by using cloud computing resources, devices with more computing power do not need to be used, and functions such as authentication/key management, storing, en/decrypting, en/decoding, and streaming can be provided. To this end, integration of cloud and DVR technology can

SC-DVR: a secure cloud computing based framework for DVR service

  • Upload
    heekuck

  • View
    213

  • Download
    1

Embed Size (px)

Citation preview

Page 1: SC-DVR: a secure cloud computing based framework for DVR service

368 IEEE Transactions on Consumer Electronics, Vol. 60, No. 3, August 2014

Contributed PaperManuscript received 07/01/14Current version published 09/23/14 Electronic version published 09/23/14. 0098 3063/14/$20.00 © 2014 IEEE

SC-DVR: A Secure Cloud Computing Based Framework for DVR Service

Junggab Son, Student Member, IEEE, Rasheed Hussain, Student Member, IEEE,Hunmin Kim, Student Member, IEEE, and Heekuck Oh, Member, IEEE

Abstract Typical digital video recorders (DVRs) have limited storage capacity, and it is not easy for them to share content among user devices. However, if DVRs are extended to the cloud-based infrastructure, conversion of content and sharing it among multiple devices can be made possiblethrough the computing power. To provide secure cloud computing service, appropriate measures are necessary to protect the computing processes performed on the content from inside and outside attackers. A content encryption scheme is a simple and effective way to protect content from attackers; however, if an encryption scheme is used, the user cannot use computing resources that can be used for media computation. This paper proposes a secure cloud DVR framework based on personal virtualization to securely provide various functions through cloud resources. The proposed scheme uses an input/output management unit(IOMMU), which serves as direct memory access (DMA) remapping for constructing secure personal virtualization. Using IOMMU, it is difficult for inside attackers to know which memory area is the actual memory of the target user. Therefore, secure computation in the cloud computing is possible through IOMMU. The proposed scheme uses anIOMMU based cloud computing to hide media computation from inside attacker, and a public cloud to increase efficiency.1

Index Terms Digital Video Recorder (DVR), Cloud-DVR (C-DVR), Network-DVR (N-DVR), Security Framework

1 This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Ministry of Education, Science and Technology (No. 2012-R1A2A2A01046986); This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MEST) (No. 2012-R1A1A2009152); This research was supported by the MSIP (Ministry of Science, ICT & Future Planning, Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2013-H0301-13-1002) supervised by the NIPA (National IT Industry Promotion Agency); This research was supported by the MSIP (Ministry of Science, ICT & Future Planning, Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2014-H0301-14-1044) supervised by the NIPA (National IT Industry Promotion Agency).

Junggab Son is with the Department of Computer Science and Engineering, Hanyang University, Ansan, Korea (e-mail: [email protected]).

Rasheed Hussain is with the Department of Computer Science and Engineering, Hanyang University, Ansan, Korea (e-mail: [email protected]).

Hunmin Kim is with the Department of Computer Science and Engineering, Hanyang University, Ansan, Korea (e-mail: [email protected]).

Heekuck Oh is with the Department of Computer Science and Engineering, Hanyang University, Ansan, Korea (e-mail: [email protected]).

I. INTRODUCTION

Digital video recorders (DVRs) are devices used by consumers to store video content by employing home appliances or a software. A DVR is typically embedded in aset-top box (STB) or television (TV). Because it stores on an hourly basis video content received via a conditional access system (CAS) of an internet protocol TV (IPTV) or digital TV (DTV) in a built-in Hard disk drive (HDD), it enables a time-shift and supports trick-play modes, such as fast search, slowmotion, navigation, and so on [2], [3].

Recent advances in cloud computing technology have drastically changed the shape of the current computing industry. By exploiting innovative technology, companies and consumers can purchase computing resources from a cloud service provider rather than establishing and maintaining their own computing environment, which is usually much more expensive than paying corresponding cloud services per use[4]. On account of such benefits, the cloud computing paradigm has been adopted by a wide range of businesses and organizations. It is also constantly developing because of theproliferation of mobile devices and the need for the extension of limited mobile device resources.

Because cloud computing makes it possible to store and process large amounts of digital media, media services with cloud computing are the most outstanding aspects of applications [5]. One recent trend is that a user has several smart devices through which he/she would like to view the media content [6]. However, mobile devices do not have sufficient power to run the computing-intensive operations,such as encoding and decoding procedures of media content [7]. Using cloud computing a media service can outsource the encoding, delivering, and managing processes of the media content. Mobile devices in a media service can be used asterminals that receive streaming content from a cloud server.

A cloud DVR (C-DVR) is a cloud-integrated media service[8]. The C-DVR stores content in a cloud via networks unlike typical DVRs, which store data in an HDD. Because C-DVRincurs a charge for only the amount used, it involves a lowmaintenance cost; moreover, because it is comfortable to have devices that share information, it can flexibly manage content. Additionally, by using cloud computing resources, devices with more computing power do not need to be used, and functions such as authentication/key management, storing, en/decrypting, en/decoding, and streaming can be provided. To this end, integration of cloud and DVR technology can

Page 2: SC-DVR: a secure cloud computing based framework for DVR service

J. Son et al.: SC-DVR: A Secure Cloud Computing Based Framework for DVR Service 369

effectively support a user s multiple mobile devices. Recently, several cable companies released the Network-DVR (N-DVR)cloud DVR [9], [10]. Figure 1 represents the service scenarioof the C-DVR.

Despite these capabilities, there are two security issues in C-DVR. One is from the point of view of a broadcasting service provider (BSP); the other is from the point of view of auser. BSP may have concerns about content leakage during content recoding and storing through the cloud server. When the C-DVR uses general cloud storage, a malicious user can obtain recoded content from the cloud storage and share itwith other users. A malicious cloud service provider (an inside attacker) can likewise obtain recoded content from a client sstorage area. This security problem causes commercial damage to the BSP. A user who employs the C-DVR may beconcerned about the privacy breach. Content recorded through the C-DVR can be leaked when content is transmitted from the user devices to the cloud storage. In addition, an attacker can obtain recoded content from vulnerable cloud storage. In the case of recorded content leakage, an attacker can determine the preference of the user by analyzing a list of thecontent. Moreover, this information can be used for personal advertisement or a personal attack. Therefore, a security mechanism for the C-DVR must be resolved.

To securely construct a C-DVR, the first priority should be to securely construct the cloud server. One possible solution is to encrypt all recorded content before storing it [11]. However,this approach is difficult to adopt for image processingbecause encrypted content must be decrypted to en/decode in acloud server. Further, a homomorphic encryption scheme can be considered as a solution for the secure cloud. Homomorphic encryption is an encryption scheme that allows specific types of computations to be carried out on ciphertext;it then obtains an encrypted match from the result of the operations performed on the plaintext [12]. However, homomorphic encryption is difficult to use for large media content because it requires a high computation overhead in encryption and decryption processes.

To address this security problem, this paper proposes a secure C-DVR (SC-DVR) framework based on IOMMU. The SC-DVR uses hybrid cloud that consists of two types of cloud computing: (1) a secure cloud based on IOMMU, and (2) a general cloud. Since IOMMU based cloud is difficult for inside attackers to know which memory area is the actual memory of the target user, it is called as secure cloud in this paper. SC-DVR performs sensitive functions, device authentication/key management, storage, en/decryption, and en/decoding within the secure cloud to prevent attacks from insiders. More precisely, it can strengthen the merits of the SC-DVR and simultaneously protect video content and individual privacy. In addition, a general cloud is used for economic reasons. It stores encrypted contents and performs streaming functions which do not need to protect. On the basis of Kim et al. s C-DVR scheme [1], this paper added an implementation result to evaluate the proposed scheme.

The structure of the rest of this paper is organized as follows. Section II introduces the conditional access system (CAS) and downloadable CAS (DCAS). Section III discusses cloud computing as a media cloud and the main contributionsof this paper. SC-DVR is presented in Section IV. The implementation is outlined in Section V. Finally, this paper isconcluded in Section VI.

II. CAS AND DCAS OVERVIEWThe CAS is used to manage subscribers using live

streaming services. A system that limits access depending on the conditions of users, CAS is a content security solution that allows only users who are authorized by a TV system to access a certain program. CAS mainly performs two functions.First, it scrambles/descrambles the content [13] using the common scrambling algorithm (CSA) [14]. Second, it manages various keys needed for hierarchically scrambling/descrambling the content. Figure 2 shows the CAS configuration. The subscriber management system (SMS)generates control words (CW). The broadcast content is scrambled using generated CW and is then transmitted. The generated CW is encrypted by an authorization key (AK),

, and is transmitted through an entitlement control message (ECM). Then, the AK is encrypted by a master

Fig. 1. C-DVR service scenario

Fig. 2. DCAS Overview

Page 3: SC-DVR: a secure cloud computing based framework for DVR service

370 IEEE Transactions on Consumer Electronics, Vol. 60, No. 3, August 2014

private key (MPK), , which is stored in each user s smart card; it is then transmitted through an entitlement management message (EMM). The receiving end performs the opposite process of the sending end. By decrypting of EMM, a user renews AK stored in the smart card. After decrypting of ECM, users descramble content using the CW and view it.

Recently, DCAS, which is used to download a CA client on the STB, has been introduced. Its overall process is similar to that of CAS, but it can update CAS without changing or replacing hardware because it downloads CA client instead of hardware-based security modules [15].

III. CLOUD COMPUTING AS MEDIA CLOUD The cloud computing concept can be viewed as an evolution

of grid computing whereby resources are no longer limited to processing power and storage but are limitless [16]. Cloud computing can access resources through the Internet. It is a new paradigm for providing scalability, reliability, and availability. Nowadays, cloud computing s advantages, such as rapid accessibility of resources, computing power, and infinite storage capacity, have caused the emergence of various services combined with a cloud.

A. Media cloud Media cloud computing is generally related to media

computing over grids, content delivery networks, server-based computing, and peer-to-peer (P2P) media computing [17], [18]. Fig. 3 shows the media service using cloud computing that is considered in this paper. With cloud computing, media service can support resources for media processing and streaming, such as storage, authentication, en/decryption, en/decoding, and streaming. Storage function provides a space to store recoded content as a role of HDD in STB. The authentication function provides authentication and access control of user devices to allow only valid devices to use the media services. The media services can use an en/decryption function to protect content from an attacker during transmission and storage. The en/decoding function is used to provide proper types of content depending on the user s devices. The streaming function transfers processed content to the user s

devices. Generally, mobile devices do not have the power to process computing-intensive calculations; therefore, the media cloud can support media processing for resource-constrained mobile devices through these functions [19].

B. Security concerns and virtualization To securely construct a media cloud, a secure cloud is of

paramount importance and the first consideration. Security concerns include various attacks such as eavesdropping, malicious code, breaking into cloud storage, and so on. Through these attacks, attackers can obtain recorded content and abuse privacy.

Security concerns additionally include outside attackers and inside attackers. An outside attacker can obtain user information and recorded content by breaking into cloud storage through communication channels. This kind of attacker can cause commercial damage to the service provider by disseminating the obtained content. In addition, the attacker can invade the user privacy by obtaining user information or a list of stored content. By analyzing the content list, the attacker can determine the preferences of the target user. In addition, an outside attacker can transfer malicious code to a user or a cloud server. This malicious code can be the beginning of other serious attacks, such as distributed denial-of-service (DDoS) attacks.

Recently, inside attackers pose the most challenging threat to the cloud computing environment [24]. Because an inside attacker is a hypervisor of cloud computing, it is easy for an inside attacker to obtain the target user s personal data and recorded contents. This kind of attacker can abuse user privacy and cause commercial damage to the broadcasting service provider. Therefore, to protect the user and service provider, a solution for a secure media cloud is needed.

One simple solution is encryption. If the recorded content is sent in encrypted form, it can prevent most attacks except insider attacks. Because encrypted data must be decrypted for media processing by using cloud computing resources, a malicious server can obtain recorded contents. Homomorphic encryption is another possible solution. Homomorphic encryption can calculate the result of two ciphertexts, which is the same as the calculation result of two plaintexts. For instance, there may be two data, , and corresponding ciphertexts, . If , then

. Using this method, a user can hide all data from the hypervisor even though it is computed in the cloud server. This method can protect the media cloud system from both inside and outside attackers. However, it has the disadvantage of high computation overhead. Additionally, it can support only simple operations, such as the four fundamental arithmetic operations or bit operations, while media encoding requires more complex operations such as the histogram, quantization, and so on. Therefore, it is not a suitable solution for a secure media cloud.

To address the aforementioned problem, the proposed scheme considers secure virtualization. Virtualization is typically used to efficiently manage cloud resources [20]. If a cloud can securely construct virtualization, it can perform a

Fig. 3. Media cloud and available functions

Page 4: SC-DVR: a secure cloud computing based framework for DVR service

J. Son et al.: SC-DVR: A Secure Cloud Computing Based Framework for DVR Service 371

computation with hiding data from the hypervisor. In general, cloud virtualization is prone to cold-boot attack [21] and memory dump [5]. The malicious media cloud service provider (MSP), an inside attacker, can obtain a client’s data using these two kinds of attacks. The cold-boot attack is performed by an MSP who has physical access to actual memory. Initially, data in memory will disappear after a power-off. However, in the case of low temperatures, it takes more time to disappear. Using this property, the MSP can remove the memory and quickly freeze it. Then, the MSP can extract the data from memory.

A more realistic attack is a memory dump. An inside attacker can obtain memory content as an image file by a simple “domain save” command in administrator mode [5]. Most cloud virtualization programs provide a memory dump function for maintenance. An insider attacker can abuse this function to obtain a user’s important data, which can include encryption keys or actual data. The SC-DVR aims to show how to securely construct cloud virtualization to address these security concerns.

IV. SC-DVR FRAMEWORK

Although a method to store video content on networks has been previously introduced, it cannot be broadly used because it does not address certain security issues and smooth sharing among devices [22]. However, if a method to virtualize the interior of the cloud is applied, then device authentication, en/decoding, and en/decrypting can be performed within the cloud because the computing power of the cloud can be safely employed.

To defend against attacks from insiders through virtualization, a secure cloud should be formed. This form of virtualization would use a fixed size of resources at all times. Users should additionally join the cloud service for virtualization, which is costly. The proposed technique builds up virtualization to allocate resources with varying sizes. It resolves the problems mentioned above by virtualizing borrowed resources and periodically controlling their sizes.

Figure 4 shows the SC-DVR framework. It consists of STB and cloud sections. The STB section takes charge of receiving content, encrypting them, and transmitting them to the cloud. The cloud section is in charge of content storing, converting, and streaming, and it protects these functions through an isolated form of virtualization. The proposed scheme uses an input/output management unit (IOMMU) to construct secure, isolated cloud virtualization.

A. STB Interface The headend within DCAS handles third-party STB

authentications and sharing of the session key (SK),specifically transmitting the CA client encrypted by SK to the STB when installations and updates of CAS are needed. The CA client installed within the STB engages in the decryption process within the smart card. The CAS server transmits encrypted video content (MPEG-TS), EMM, and ECM to the STB. MPEG-TS is encrypted by a control word (CW), and it can be decrypted on a descrambler. CW is encrypted by an authorization key (AK), and the AK is again encrypted by the master private key (MPK) embedded in the STB. Both CWand MPK can be decrypted on the smart card [15]. Decrypted

Fig. 4. Proposed C-DVR Framework

Page 5: SC-DVR: a secure cloud computing based framework for DVR service

372 IEEE Transactions on Consumer Electronics, Vol. 60, No. 3, August 2014

video content can be viewed on a TV and transmitted in a safe way via the crypto engine.

B. Physical Resource Layer The physical resource layer consists of virtualized hardware

and virtualized storage. Descriptions of each component are outlined below.

Virtualized Hardware: Provides efficiency through managing the schedules of the physical hardware, such as the CPU, memory, and so no, that are required for data computing.

Virtualized Storage: It can reduce the costs by raising the use rate of storage resources, while providing scalability and availability.

C. Hypervisor Based on IOMMU This hypervisor is used to prevent an insider attack by using

the IOMMU. The IOMMU connects the main memory and input/output (I/O) buses of the physical hardware devices through DMA remapping [23]. This scheme transfers/manages the memory address for the guest operating system (OS) a client that uses virtualized resources of the cloud that can directly access the unique memory address [5].

In a virtualization environment before IOMMU, the guest OS must go through the physical driver of the administrator to access virtualized resources. However, using IOMMU, the guest OS can access virtualized resources without going through the administrator. Therefore, for an MSP, it is difficult to know which devices are being used by the guest OS; therefore, the IOMMU makes an inside attack more challenging.

D. Cloud Interface: Personal Virtualization Cloud resources are virtualized as a unit per user and

support device authentication, en/decoding, en/decrypting, and streaming services suited to user devices.

The cloud interface is designed based on a hybrid cloud, which consists of two types of clouds: personal and general. The personal cloud is a secure cloud based on IOMMU; the proposed scheme uses it for secure computation. Personal virtualization performs en/decryption and en/decoding, which require high performance media processing. Because these functions are required to perform secure computations, the proposed scheme design includes personal virtualization with

these functions to prevent an inside attack. Descriptions of each function listed below.

Crypto Engine: This is responsible for sharing the key from the STB crypto engine and handling content en/decryption.

Content En/decoding: This manages en/decoding of the video that is separated by units of hours. This function re-encodes recorded content that is suitable for the device.

Device Authentication and Management (DAM): DAM is responsible for general security, such as device authentication, key establishment, and so on. DAM only permits access to authenticated user devices.

E. Cloud Interface: Service Layer Although personal virtualization can securely process and

store a client s data, it cannot store large volumes of contents because of the related high cost. In contrast to general cloud computing, MSP cannot apply multi-tenants to IOMMU-based personal virtualization. Because MSP allocates an exact amount of user-requested resources at all times, the cost for virtualized resources with IOMMU is high. Therefore, the proposed scheme uses personal virtualization for media processing and for storing processed content that is expected to be temporarily used. Other processed content is stored in a service layer, which is the same as in a general cloud computing environment. All content outside the personal virtualization layer are encrypted to prevent various attacks. Descriptions of each function are outlined below.

Content Storing: It is used to store transmitted content on a user-by-user or content-by-contents basis.

Content Streaming: It is used to provide streaming services of processed content in a cloud. Using this function, the client can use C-DVR services with resource-constrained mobile devices.

F. Encryption Algorithms and Key Establishment To protect recorded content during transferring and storing

phases, the C-DVR needs an encryption algorithm and key establishment among devices. The C-DVR uses third-party authentication and a session-key sharing scheme. In the initial step, the DAM establishes a session key to protect recorded content during the transfer between the STB and the personal virtualization layer. The other session is used for content streaming among user devices and the DAM. To encrypt content and the key in the C-DVR, the proposed scheme uses the same algorithm as DCAS. Additionally, the proposed scheme uses a simple scrambling algorithm to protect content in the streaming phase by encrypting the recorded content. After the scrambling algorithm is applied, the C-DVR stores it in the service layer. The content streaming function of the service layer streams it to the client s devices by request. The DAM uses the DCAS scheme to securely stream the DVR contents to the user devices.

V. IMPLEMENTATION The implementation set-up consists of a test bed with a STB,

a desktop PC, and a mobile device. The STB has a reduced instruction set computing (RISC) processor, 256 MB of RAM,

Fig. 5. Implementation results

Page 6: SC-DVR: a secure cloud computing based framework for DVR service

J. Son et al.: SC-DVR: A Secure Cloud Computing Based Framework for DVR Service 373

a gigabit Ethernet network interface, and a Linux operating system. The desktop PC has a quad core CPU, 8 GB of RAM, SSD, and a mainboard with IOMMU. The mobile device has 2 GB of RAM, a Wi-Fi interface, and a Linux-based mobile operating system. The test media for the experimental result was 30 sec of playtime with 480 272 resolutions and 24 frame/sec content. All experimental results represent an average of 10 trials.

For the proposed scheme, a SC-DVR is implemented using a two-stage strategy. The first strategy involves constructing both a personal virtualization layer and a service layer on the PC. Two GB of RAM and 10 GB of SSD are allocated, and a personal virtualization layer is installed using the IOMMU technique. A typical PC environment was used for the service layer.

The second strategy involves constructing a personal virtualization layer and a service layer on the PC, as was done in the first strategy, while the service layer is set on a commercial cloud storage service. To date, there are no IOMMU-based cloud services; therefore, the implementation replaced these with an IOMMU-based PC.

Figure 5 shows the implementation results for the mobile device. Figure 5(a) shows the main menu, (b) shows the recorded content on the service layer, and (c) shows the actual playing screen.

Table 1 represents the overall overhead incurred by the secure PVR [2] as well as the two strategies. For the implementation results, delay time was measured in two ways. The recording delay means the overall recording delay from the STB to the storage using the secure PVR and the proposed scheme. The playing delay refers to the time from the user s playing request to the actual screen appearance. Because the recoding delay included communication overhead, the proposed scheme required more time to record the media than the previous DVR scheme. In particular, the second strategy requires more than 10 sec to record.

Although the proposed scheme requires more time to store and play content, it nevertheless demonstrates advantage in supporting media functions. Using the proposed scheme, the service provider can support almost unlimited storage and computing resources to manage and encode the content. Moreover, the ease with which DVR content can be shared among users multiple mobile devices is a significant advantage of the SC-DVR.

TABLE I

DELAY OF SECURE C-DVR

Secure PVR [2]

First Strategy

Second Strategy

Recording Delay (sec) 0.85 2.44 16.38

Playing Delay (sec) 0.32 1.25 5.67

VI. CONCLUSION

SC-DVR protects media computing through virtualization with IOMMU. Because it uses independent authentication systems and access authority, it can prevent access to the MSP. This feature enables DVR to provide various functions by leveraging the computing power of the cloud.

To resolve the problem in which cost rises as users make virtualization with the IOMMU, a new mechanism was introduced that consists of two cloud types. The personal virtualization layer secures physical computing resources and controls their sizes depending on the circumstances. The service layer stores processed media content and streams it to the client s devices. Because all of content outside the personal virtualization layer is encrypted with proper types of keys, the content is secure from various attacks.

In addition, the proposed scheme has the advantage of being capable of being applied without changing the hardware of the typical STB or DCAS. Because the cloud can perform most of the computing required for the DVR, it does not require additional functions of the STB.

REFERENCES [1] H. Kim, J. Son, R. Hussain, and H. Oh, C-DVR: secure cloud based

DVR framework based on personal virtualization, in Proc. IEEE International Conference on Consumer Electronics, Las Vegas, USA, Jan. 2014.

[2] J. Son, H. Lee, H. Oh, PVR: a novel PVR scheme for content protection, IEEE Trans. on Consumer Electronics, vol. 57, no. 1, pp. 173-177, Feb. 2011.

[3] S. Jung, E. Kim, and D. implementation of an enhanced personal video r IEEE Consumer Electronics, vol. 47, no.4, pp. 915-920, Nov. 2001.

[4] K. L. Liu and cloud data storage technology and its architecture implementation International Workshop on Information and Electronics Engineering, vol. 29, pp. 133-137, 2012.

[5] C. Li, A. Raghunathan, and N.K. Jha, A trusted virtual machine in an untrusted management environment, IEEE Trans. on service computing, vol. 5, no. 4, pp. 472-483, Oct. 2012.

[6] V. Gulisano, R.J. Peris, M.P. Martinez, C. Soriente, and P. Valduriez, StreamCloud: an elastic and scalable data streaming system, IEEE

Trans. on parallel and distributed systems, vol. 23, no. 12, pp. 2351-2365, Dec. 2012.

[7] G. Lawton, Cloud streaming brings video to mobile devices, Computer, vol. 45, no. 2, pp. 14-16, Feb. 2012.

[8] ACG Research, Business case for cloud TV, May 2012. [9] Engadget, Comcast s new X2 platform moves your DVR recordings

from the box to the cloud, June 2011. [10] Multichannel, Cable show 2013: Comcast rolls DVR into the cloud,

July 2013. [11] B. Wang, M. Li, S. Chow, and H. Li, Computing encrypted cloud data

efficiently under multiple keys, in Proc. IEEE Conference on Communications and Network Security, pp. 504-513, Oct. 2013.

[12] C. Gentry, Fully homomorphic encryption using ideal lattices, in Proc. ACM symposium on Theory of Computing, pp. 169-178, 2009.

[13] Pazarci, M., Dipcin, V., A MPEG2-transparent scrambling technique, IEEE Trans. Consumer Electronics, Vol. 48, Issue. 2, pp. 345-455, May, 2002.

[14] ETSI Technical Report 289: Support for use of scrambling and conditional access within digital broadcasting system, 1996.

[15] Implementation of DCAS user term IEEE International Symposium on Broadband Multimedia Systems and Broadcasting, pp.1-5, June 2011.

[16] H. Erdogmus, Cloud computing: does nirvana hide behind the nebula?, IEEE Software, vol. 26, no. 2, pp. 4-5, Mar. 2009.

[17] W. Zhu, C. Luo, J. Wang, and S. Li, Multimedia cloud computing, IEEE Signal Processing Magazine, vol. 28, no. 3, May 2011.

[18] D.D. Sanchez, F. Almenarez, A.Marin, D. Proserpio, and P.A. Cabaros, Media cloud: an open cloud computing middleware for content

management, IEEE Ttrans. on Consumer Electronics, vol. 57, no. 2, May, 2011.

[19] F. Wang, J. Liu, and M. Chen, CALMS: cloud-assisted live media streaming for globalized demands with time/region diversities, In proc. IEEE INFOCOM, pp.25-30, Mar. 2012.

Page 7: SC-DVR: a secure cloud computing based framework for DVR service

374 IEEE Transactions on Consumer Electronics, Vol. 60, No. 3, August 2014

[20] V. Aggarwal, X. Chen, V. Gopalakeishnan, R. Jana, K.K. Ramakrishnan, and V.A. Vaishampayan, Exploiting virtualization for delivering cloud-based IPTV services, in Proc. IEEE Conference on Computer Communications Workshops , pp. 637-641, Apr. 2011.

[21] J. Halderman, S. Schoen, N. Heninger, W. Clarkson, W. Paul, J. Calandrino, A. Feldman, J. Appelbaum, E. Felten, and E.

in USENIX Security Symposium, P.C. van Oorschot, Ed., pp. 45 60, July 2008.

[22] chitecture support for guest-transparent VM protection from untrusted hypervisor and physical a IEEE 19th International Symposium on High Performance Computer Architecture, pp. 246-257, Feb. 2013.

[23] R. Sailer, T. Jaeger, E. Valdez, R. Caceres, R. Perez, S. Berger, J.L. Griffin, and L. Doorn, Building a MAC-based security architecture for the xen open-soruce hypervisor, in Proc. The 21st Annual Computer Security Applications Conference, pp. 276-285, Dec. 2005.

[24] S.N. Brohi, M.A. Bamiah, M.N. Brohi, R. Kamran, Identifying and analyzing security threats to virtualized cloud computing infrastructures, International Conference on Cloud Computing Technologies, Applications and Management , pp. 151-155, 2012

BIOGRAPHIES

Junggab Son (S 10) received B.S. and M.S. degrees in Computer Science and Engineering from Hanyang University, Korea, in 2009 and 2011, respectively. He is currently working toward for the Ph.D. degree in Computer Science and Engineering, Hanyang University, Korea. His current research interests include IPTV/DTV security, personal video recorders, cloud computing security, and applied cryptography.

Rasheed Hussain (S 12) Received a B.S. degree in Computer Software Engineering from N-W.F.P University of Engineering and Technology, Peshawar, Pakistan, in 2007, and an M.S. degree in Computer Engineering from Hanyang University, South Korea, in 2010. He is currently working toward a Ph.D. degree in Computer Engineering from Hanyang University, South Korea. His main research interests include information security and privacy issues in vehicular ad hoc networks (VANET), information

dissemination in VANET, VANET applications, cloud computing, and VANET-based clouds. He is currently working on emergent VANET-based clouds. He has published several papers on VANET-based clouds and has been actively involved in framework design, mitigating security challenges in VANET-based clouds, and introducing new services in VANET-based clouds.

Hunmin Kim (S 13) received a B.S. degree in Computer Science and Engineering from Hanyang University, Korea, in 2013. He is currently working toward for anM.S. degree in Computer Science and Engineering, Hanyang University, Korea. His current research interests include cloud computing security, virtualization, and applied cryptography.

Heekuck Oh (M 13) received a B.S. degree in Electronics Engineering from Hanyang University, Korea, in 1983. He received M.S. and Ph.D. degrees in Computer Science from Iowa State University, USA, in 1989 and 1992, respectively. In 1994, he joined the faculty of the Department of Computer Science and Engineering, Hanyang University, ERICA campus, where he is currently a professor. His current research

interests include network security and cryptography. Prof. Oh is the president of the Korea Institute of Information Security & Cryptology, and he is a member of the Advisory Committee of Digital Investigation in the Supreme Prosecutor Office of the Republic of Korea.