The proliferation of VOD and digital content delivery has ushered in a new set of weapons and technologies, forged to keep broadband bandits at bay

The new era of digital content delivery has elicited both opportunity and fear for service providers, as the threat of piracy has content owners reaching for a security blanket.

Skittish movie executives and content owners fear the theft and distribution of pristine digital copies of their content, which means that protecting and managing that content is paramount to ushering in the lucrative on-demand future.

Fear is stoked not only by rogue peer-to-peer file exchange networks such as Morpheus that have supplanted Napster, but also by pirated versions of blockbuster movies that are being recorded on CDs in Asia. For example, news reports of a pirated "Harry Potter and the Sorcerer's Stone" appearing in China and Taiwan quickly followed the film's theatrical release.

While it's likely that these copies were made by pirates with camcorders in theaters, the almost inevitable pirating of movies has directed focus on protecting content every step of the way on the voyage from the content creator to the viewer.

In the world of video-on-demand platforms–specifically those that deliver content to cable TV headends–"asset management" has become the operative word, and security is a key component.

"Asset management is absolutely fundamental to the success of VOD," says Dom Stasi, chief technology officer for TVN Entertainment Corp.

With addressable set-top boxes and conditional access-protected RF (radio frequency) channels guarding the path from headend to subscriber, securing the link from content provider to headend is an integral part of the platforms developed by companies such as N2 Broadband Inc., TVN and Pathfire Inc.

These platforms principally rely on the satellite transmission of content to cable headends, and most employ a "pitcher" and "catcher" metaphor, whereby content is sent from the platform provider's "pitcher" via satellite to a "catcher" server device positioned at the cable headend.

Securing satellite transmission

In the early days of TV satellite transmissions, the video scrambling systems VideoCipher I and VideoCipher II were developed by M/A-Com (the San Diego, Calif. manufacturer which was later purchased by General Instrument Corp.).

VideoCipher II scrambled analog video and digitally encrypted the audio portion of content using a form of DES (Digital Encryption Standard), a block cipher algorithm for encrypting data that requires a decryption key to "see" the data. VideoCipher II eventually was broken by pirates, although improved versions were developed over the years.

The Electronic Frontier Foundation breached the security of DES in 1998. Since then, Triple DES, with its longer key length, has gained favor and is generally considered to be "military-grade" security. Recently, the National Institute of Standards and Technology announced a replacement for DES–the Advanced Encryption Standard, or AES.

As digital television was evolving in the early 1990s, DigiCipher, developed by GI, emerged as a satellite transport platform. Today, most digital satellite delivery systems use DigiCipher, which is employed by Headend In The Sky (HITS), for example. Time Warner Cable's Pegasus-based systems use Scientific-Atlanta Inc.'s Digital Broadband Delivery System (DBDS), which employs DigiCipher II or PowerVu secured channels.

Over the years, the security of DigiCipher has held up and remains strong, says John Vartanian, senior vice president of technology and operations for In Demand LLC.

One key differentiator between HITS-type transmissions and emerging on-demand content streams is that a digital HITS stream, simply put, travels from the satellite to the headend and eventually, after modulation, to each subscriber's addressable set-top box. That translates to millions of receive sites.

VOD streams, on the other hand, only travel from an uplink of a satellite to a cable headend's video servers, where the content is stored. Thus, there's a smaller universe of receivers, although theoretically, the digital streams are beamed to the whole continent and, depending on the type of encryption employed, can be received by anyone with a satellite antenna.

Streams that use standard DES encryption might attract the attention of well-heeled hackers who intend to capture a first-run movie, copy it to a DVD, and sell it to the masses.

However, the computing power and time needed to break Triple DES and its variants are considered far outside the means of today's computers to make the effort worthwhile.

"To date, we've been able to transmit VOD files without known breaks," says Vartanian. "It would take thousands of years to compute the key to encrypt content on a satellite."

Even in the event of a "brute force" attack of massive computing power to determine a Triple DES key, not only would it take ages to discover the key, but the key most likely would've changed. That's because Triple DES supports dynamic key generation, meaning the key is altered over specific time periods.

Vartanian explains that movie content destined for In Demand's service is typically sent by the creator to an encoding house, which takes the digital, uncompressed content and compresses it in MPEG-2 format. The content is then recorded onto Digital Linear Tape (DLT) before delivery to In Demand.

In Demand performs a quality control check to make sure no digital artifacts were created during the compression, and adds metadata, which describes the content. The movie, metadata and promotional artwork form the "asset package," which is loaded onto a server. Using an Internet Protocol (IP) multicast protocol, the package is transmitted via satellite (Telstar 7) to cable headends. As the content is leaving the In Demand server, it is encrypted on the fly.

Last summer, In Demand selected N2 Broadband's MediaPath platform.

N2 Broadband: putting VOD in the ballpark

According to Raj Amin, senior director of business development for N2 Broadband, three issues drive the development of the N2 Broadband platform: the cost of content delivery, control of digital media content and security.

Traditionally, delivering content to headends was largely accomplished through physically delivering (through next-day express shipping services) each movie's DLT to each cable headend, where they were stored and physically loaded onto servers for eventual pay-per-view release.

"From a security standpoint, shipping tapes is a very insecure method," said Amin. File transfers over the Internet are also problematic.

Today's platforms, for the most part, replace the physical delivery of tapes to headends by transmitting content via satellite to headends.

Figure 1: N2 Broadband’s content delivery system.

N2 Broadband's MediaPath platform "is a way for content providers to create for themselves a private, secure content delivery network," says Amin.

MediaPath consists of four components: Creation Tool, Manager, Pitcher and Catcher.

The Pitcher represents a server that sends content, utilizing the Pragmatic Group Multicast (PGM) protocol, over a satellite transport network to a receiving server–the Catcher–located at the headend. As instructed by the Manager, the Pitcher server acquires, encrypts and delivers the content packages.

At the core of the platform are two specifications developed by Time Warner Cable: Asset Distribution Interface (ADI) and Movies-On-Demand (MOD). ADI describes how content, as well as the metadata that describes the content, are transported from a content provider to a Time Warner asset management system.

N2 Broadband's system encrypts each file separately using the VideoSecure Triple DES encryption system. The PGM protocol manages the multicast transfer of assets from sending server to receiving server.

Once at the headend, the Catcher, which is in effect a short-term caching device, delivers the content to the video server. The content is not decrypted until the Catcher receives a request from the VOD server for that particular title.

N2 Broadband's platform is deployed and being evaluated in more than 60 cable headends in North America. Comcast Corp., Cox Communications Inc. and AOL Time Warner are N2 Broadband's announced customers.

TVN: Taking VOD into orbit

The TVN platform delivers content utilizing its Secure Satellite Transmission system over seven C-band transponders on PanAmSat Galaxy 3 and 10 satellites.

According to Stasi, the company, which is a combination content aggregator/distributor and platform developer, encodes digital beta tapes of movies on a scene-by-scene basis for VOD.

To ensure security, TVN applies "link security," or DigiCipher II, 56-bit encryption on the entire transport stream, not on the content file itself. Unless a malicious person has the key prior to transmission, he or she doesn't have the opportunity to intercept and decrypt the signal. With mere file encryption, however, an interceptor could theoretically receive an encrypted file, Stasi says.

"We want to prevent the reception of a file so [pirates] can't work on it," he adds, noting that unless reception of the signal is authorized, it can't be captured.

TVN's security features are part of its Digital Content Express suite of services, which include the Automated Digital Online Network Interface Scheduling System (ADONISS). Last September, Adelphia Communications Corp. chose TVN as its primary content transport and VOD provider.

The satellite transmission in the TVN platform is received by a catcher or docking station at the cable headend, where the stream is decrypted and stored in a "clear text" or unencrypted state until it is passed to the video server. The station is password-protected. Content can be moved from the docking station to the video server under remote control in TVN's network operations center.

According to Stasi, TVN is evaluating various file encryption methods.

Pathfire: Blazing a secure trail

Combining link and file security, Pathfire's distribution system employs various levels of security, depending on customer type and content type, says company Chief Technical Officer Joe Fabiano.

Pathfire has staked out ground as a distributor of advertising for Charter Communications and others, as well as sending news content to broadcast stations via its "store and forward" platform. The company has been marketing its asset management platform for VOD content delivery via a satellite multicast network to cable headends.

Figure 2: Pathfire's digital media distribution and management solution for content providers and MSOs eliminates the need for manual duplication of tapes and costly physical delivery.

Pathfire applies 56-bit DES encryption to the satellite link itself.

"Inner layer" encryption to the content can also be applied using RSA Security Inc.'s RC-4 128-bit encryption algorithm with a supporting public/private key transaction scheme. These two layers make attempts to decrypt the stream a "fruitless exercise," Fabiano says.

He adds that the time it would take to crack the DES encryption would be many orders of magnitude longer than the transmission stream itself. The link encryption is hardware-based and performed by an encapsulator, which inserts encrypted data into the DVB (Digital Video Broadcast) satellite stream cells.

Once the content is received, the link encryption is removed by a decryption device and is stored in Pathfire's Digital Media Gateway.

When the video server sends an ADI 2.0 request to the gateway, the inner layer encryption is removed packet by packet. Everywhere in the transport chain, content, even while it's "sitting idle," remains encrypted.
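
The difference between link encryption, file encryption and the two combined, as described in the TVN and Pathfire sections above, can be traced hop by hop in a short model. This is an added example, not code from the article or from any vendor it names; the cipher is a stand-in keystream built from HMAC-SHA256 (not DES, RC-4 or DigiCipher), and the scheme names, function names and sample asset are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Scheme names are assumptions for this example, not vendor terms.
SCHEMES = {
    "link-only": {"link": True, "file": False},
    "file-only": {"link": False, "file": True},
    "link+file": {"link": True, "file": True},
}


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 counter mode); one call encrypts or decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def deliver(asset: bytes, scheme: str, link_key: bytes, file_key: bytes) -> dict:
    """Follow one asset from the sending server to the video server."""
    cfg = SCHEMES[scheme]
    file_nonce, link_nonce = os.urandom(12), os.urandom(12)
    # Sending side: optional inner (file) layer, then optional outer (link) layer.
    package = keystream_xor(file_key, file_nonce, asset) if cfg["file"] else asset
    downlink = keystream_xor(link_key, link_nonce, package) if cfg["link"] else package
    # Headend receiver: the link layer comes off on reception; the result is stored.
    stored = keystream_xor(link_key, link_nonce, downlink) if cfg["link"] else downlink
    # Video server request: the file layer comes off only at this point.
    played = keystream_xor(file_key, file_nonce, stored) if cfg["file"] else stored
    return {"downlink": downlink, "stored": stored, "played": played}


def audit(asset: bytes, scheme: str) -> dict:
    """Report where cleartext exists and how many layers protect the downlink."""
    hops = deliver(asset, scheme, os.urandom(16), os.urandom(16))
    cfg = SCHEMES[scheme]
    return {
        "downlink_layers": int(cfg["link"]) + int(cfg["file"]),
        "downlink_clear": hops["downlink"] == asset,
        "stored_clear": hops["stored"] == asset,
        "played_ok": hops["played"] == asset,
    }


if __name__ == "__main__":
    sample = b"CONSTRUCTED SAMPLE ASSET: movie.mpg + metadata.xml" * 4
    for name in SCHEMES:
        print(name, audit(sample, name))
```

Only the link-only run reports cleartext at rest in headend storage; with an inner file layer the stored copy stays encrypted until the video server's request.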

Future paths

While satellite transmission of digital content is the preferred method for delivering digital content in cable VOD applications, other means–including fiber optic networks and the Internet–are emerging as key transport mediums with their own security schemes.

For example, Global Crossing Ltd. last year launched a media and entertainment extranet over its fiber optic network, and since then has cut deals with CNBC Europe, DirecTV and others. According to Jeff Singman, vice president of product management for digital media services, the extranet is a private, controlled, ATM (Asynchronous Transfer Mode) network.

Global Crossing also deploys Tandberg Television Ltd. MPEG-2 broadcast equipment with NDS Videoguard conditional access.

In order to break into the system, one would have to find a way to route the signal to an ATM switch, says Chris Spacone, director of engineering for Global Crossing's digital media services unit.

The Hollywood web

Two Web sites backed by movie studios– and–are demonstrating that Hollywood could seek ways to deliver films digitally directly to consumers, thereby cutting out the middleman.

"There is some opportunity for the multicast distribution of video and other types of content that will originate on the Internet," says Wil Walkoe, a director in the corporate strategy group of Sprint Corp. and co-chair of the Broadband Content Delivery Forum's technology working group. The forum is a trade association focused on the end-to-end delivery of broadband content and services to consumers and businesses.

Walkoe points out that while conditional access schemes try to protect the delivery channel itself, digital rights management (DRM) "tries to protect the content" and separates the distribution of the content from the ability to use it. In this way, one can actually have the file, but not be able to do anything with it without the DRM keys. This makes DRM a potential key to safe Internet content transfers.

The inevitability of delivering valuable content on an IP network is spawning new encryption methods, including the real-time data encryption developed by Widevine Technologies Inc. According to company President Brian Baker, Widevine's software-based system "encrypts audio and video content in an IP data packet."

Under this scenario, the header and routing information is left alone, allowing the packet to move through a number of devices–such as routers, switches and firewalls–which prevents the content from being decrypted and encrypted again.

"Most encryption schemes wrap the egg," says Baker. "We scramble the egg from inside."