DLNA, DVB-CA and DVB-CPCM Integration for Commercial Content Management

Daniel Díaz-Sánchez, Member, IEEE, Fabio Sanvido, Davide Proserpio, and Andrés Marín, Member, IEEE

IEEE Transactions on Consumer Electronics, Vol. 56, No. 1, FEBRUARY 2010

Abstract — DLNA can be considered as a good candidate for sharing user-generated contents among household networked consumer electronics. However, commercial content sharing requires a high degree of device protection that DLNA does not provide. We propose a solution supporting acquisition and post-acquisition content protection by the integration of DLNA with DVB Conditional Access and DVB Content Protection & Copy Management¹. This article shows the design and implementation of a solution to improve commercial content management over DLNA.

Index Terms — Conditional access system, content protection, copy management, home network.

¹ This work has been partially supported by "Jose Castillejo" mobility grant that was given to Daniel Díaz-Sánchez and the ITACA project. Both of them are financed by Spanish Ministry of Education.

Daniel Díaz-Sánchez is with the Telematic Eng. Department, Carlos III University, 28911, Leganés, Madrid, SPAIN.
Fabio Sanvido is with the Telematic Eng. Department, Carlos III University, 28911, Leganés, Madrid, SPAIN.
Davide Proserpio is with the Telematic Engineering Department, Carlos III University, 28911, Leganés, Madrid, SPAIN.
Andrés Marín is with the Telematic Eng. Department, Carlos III University, 28911, Leganés, Madrid, SPAIN.

Manuscript received January 15, 2010. 0098 3063/10/$20.00 © 2010 IEEE

I. INTRODUCTION

Networked electronics have dramatically increased their presence in home environments. Content distribution, a driving force in the market, requires, besides connectivity, interoperability in several planes: media formats, media transmission, and content protection.

Digital Living Network Alliance (DLNA) deals with interoperability between networked consumer electronics. In 2009, market penetration was more than 5.000 certified DLNA. DLNA adopts UPnP AV [1] for service/content discovery and service configuration. Besides, it defines media formats and media transfer protocols, both missing in UPnP. That leads to an appealing scenario, where user-generated contents are shared among household devices.

Content protection relies on Conditional Access (CA) Systems and Digital Rights Management (DRM) to govern content lifecycle. DVB-CA [2] systems protect contents from unauthorized access during acquisition (from provider's head-end to subscriber's equipment) until it is finally descrambled using key material from a subscriber module. The strong device protection in DVB-CA limits device flexibility, requiring the subscriber module plugged in the desired display device, so each device requires its own subscriber module. To overcome this limitation, we present a DLNA service that securely distributes DVB-CA key material to other display devices. Our service uses DLNA discovery, setup, and transport services to distribute protected DVB-CA messages to authorized display devices.

Due to its penetration, DLNA would be a good candidate to distribute not only user-generated contents and CA messages, as proposed, but also commercial contents. Unfortunately, DLNA does not support DRM. DLNA only supports link protection with DTCP-IP, which has some security problems [3]. It protects contents in transit from a source to a display device. Hence, contents might be accessed using software implementations of DLNA once acquired.

After acquisition, commercial contents must be handled by DRM and copy protection systems to prevent unauthorized distribution; thus, decrypted contents must not leave DVB-CA tamper-proof hardware unless consumed through a secure interface such as HDCP [4] or exported to any DRM system. DVB Content Protection & Copy Management (DVB-CPCM) [5] supports usage rules defining: where contents can be copied or moved; what hardware is required; how contents must be locally scrambled during transmission. Unlike other DRM systems, DVB-CPCM has more flexibility to interoperate between devices with different DRM systems.

In this article we also present a DLNA extension to use DVB-CPCM strong protection. This extension requires devices to implement both DLNA and CPCM. In our solution, DLNA discovers CPCM devices, sets up the service, and presents content information to the user, but leaves content protection to DVB-CPCM.

The remainder of the article is organized as follows. Section II describes content protection basis. Sections III, IV and V chart out DVB-CA, DVB-CPCM and DLNA specifications. Our proposal is presented in sections VI and VII, and the implementation details in Section VIII. Finally, section IX summarizes the conclusions.

II. CONTENT PROTECTION BASIS

In content distribution, services are collections of video/audio contents bundled together in a package. Service protection ensures that subscribers are only able to gain access to services that are part of their subscription (acquisition). Content protection techniques avoid unauthorized copy, distribution, or manipulation of contents once acquired.

User equipment is part of the security infrastructure protecting contents. Device protection aims at avoiding attempts to hack devices and Denial of Service attacks. Device protection relies on cryptographic material stored in tamper-proof hardware to perform security tasks. In fact, DVB requires handling security functions in tamper-proof hardware. Devices must also be able to export contents securely to other devices.

The aforementioned security topics are grouped together in three major functional groups with some overlap among them: Conditional Access Systems, Digital Rights Management, and Copy Protection. However, the practical realization of those security functions leads to two different scenarios known as acquisition and post-acquisition.

DVB-CA Systems [2], Marlin IPTV [6], and OMA BCAST [7] are security technologies governing acquisition. DVB-CA requires a descrambler, a Conditional Access Module (CAM), and a smart card in every display device. OMA BCAST requires a smart card in some profiles. Others, such as Marlin, do not make any assumption about the hardware.

After contents are acquired (post-acquisition), they must remain within the bounds of the contract until the content lifecycle ends. Contracts are enforced employing DRM and Copy Protection techniques such as Advanced Access Content System (BluRay). These specifications dictate how to edit, convert to other format, redistribute, and store legally acquired contents. The foundations for any copy protection system are rights expression languages. These languages have evolved from the simplest expression of copy control indicator (CCI) fields, to the complexity of MPEG21 Rights Expression Language (REL) [8], Usage State Information (USI) described in DVB-CPCM [9], Octopus DRM [10] used in Marlin (Open IPTV forum) or OMA DRM.

III. DVB CONDITIONAL ACCESS

DVB-CA defines a holistic approach to service protection involving content providers, distribution networks, and consumer electronics manufacturers. It standardizes content format, metadata, and protection procedures for acquisition. DVB-CA specifications have been widely adopted during the last decades. Moreover, IPTV could reuse DVB-CA, taking advantage of already deployed head-ends and consumers' hardware.

DVB-CA systems are defined across several specifications such as Conditional Access, Common Scrambling Algorithm [2], Common Interface, and Common Interface Plus (CI+) [11][12]. In this section, we describe the architecture, interfaces and content acquisition process.

A. Devices architecture and interfaces

DVB-CA compliant devices need a MPEG-2 demultiplexer,

must be collocated with the descrambler so, in order to use a different visualization device, it is necessary to move the CAM from one device to another. Fortunately, some works, which are complemented in this article, propose a protocol to share the CAM with several descramblers through IP [13].

DVB uses MPEG-2 Transport Stream (MPEG-2 TS) for media format. MPEG-2 TS contains, besides audio and video, some data tables called Program Specific Information (PSI). These tables transport conditional access information as Entitlement Management Messages (EMMs) and Entitlement Control Messages (ECMs).

Fig. 1. DVB-CA device. The Secure Authenticated Channel (SaC) connects the CAM and the descrambler to securely deliver Control Words. The content, once decrypted, is transferred to a built-in display (part of the device) or protected with a link protection protocol.

B. Content Acquisition

End user's hardware manages content acquisition. DVB relies on DVB SimultCrypt, which separates content encryption, content delivery and key distribution.

The provider's head-end scrambles audio and video with a hardware-generated unpredictable key called Control Word (CW) that changes frequently. DVB traditionally used Common Scrambling Algorithm (CSA)