C2PA, DRM and Content Protection

Three worrying items in the DRM space

1. CENC subsample encryption: no authenticity for the data
* Modifying IPCM blocks and screen recording the output to infer how the decoder and CDM behave, and from that discover the key
* CTR mode was explained; CBC mode should also be exploitable
* FairPlay is not affected

* Proposals are coming out on what to do short term. Pressure on MPEG for CENC v2 to resolve this
  * Likely actions: fix the byte ranges, bring HMAC authentication into the CDM or use GCM (limited device support), or prevent IPCM support as a decoder option
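As an added illustration of item 1 (not from the meeting, and not any DRM vendor's code): a simplified 'cenc'-style subsample layout under AES-CTR, where a change to a clear byte range passes straight through decryption with no error, beside the HMAC-over-sample check the proposals describe. Keys, IV, subsample table and sample bytes are constructed for the demo, and real block-alignment rules are not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

type Subsample struct{ Clear, Enc int } // one 'cenc'-style clear/encrypted range pair (block alignment not modelled)

// CtrSample AES-CTR-encrypts only the encrypted ranges, the counter running on across subsamples, and copies
// the clear ranges through untouched; the same call decrypts, and nothing here checks integrity.
func CtrSample(key, iv, in []byte, subs []Subsample) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	stream := cipher.NewCTR(block, iv)
	out, pos := make([]byte, len(in)), 0
	for _, s := range subs {
		copy(out[pos:pos+s.Clear], in[pos:pos+s.Clear])
		pos += s.Clear
		stream.XORKeyStream(out[pos:pos+s.Enc], in[pos:pos+s.Enc])
		pos += s.Enc
	}
	return out
}

// SampleTag is the HMAC mitigation the notes propose: a MAC over IV plus the whole protected sample, clear ranges included.
func SampleTag(macKey, iv, protected []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(iv)
	m.Write(protected)
	return m.Sum(nil)
}

// TamperDemo flips a byte in a clear range: CTR yields altered output with no error; the HMAC check rejects the sample.
func TamperDemo() (silentlyAltered, hmacRejected bool) {
	key, macKey, iv := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 32), bytes.Repeat([]byte{0x33}, 16)
	plain, subs := []byte("0123456789abcdef0123456789abcdef"), []Subsample{{4, 12}, {2, 14}} // constructed, 32 bytes
	protected := CtrSample(key, iv, plain, subs)
	tampered := append([]byte(nil), protected...)
	tampered[1] ^= 0x01 // byte 1 lies in the first clear range
	return !bytes.Equal(CtrSample(key, iv, tampered, subs), plain), !hmac.Equal(SampleTag(macKey, iv, tampered), SampleTag(macKey, iv, protected))
}

func main() { fmt.Println(TamperDemo()) } // prints: true true
```

The same silent pass-through applies to bytes in the encrypted ranges, since CTR is malleable; the tag is what turns a modification into a hard failure before decoding.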

2. Widevine L3
* Scripts exist to steal the key; removing the key from the CDM is easy, and options to prevent interception don't exist
* Publishers find streams within minutes
* Watermarking is a rat race; blockers are mitigated quickly
* Option to reduce resolution to SD for all L3 content
* Google provides a revocation list for L1 devices down to the individual device; L3 devices are handled at group level, as a pool of devices. The problem with this is that the provisioning requests, which Google controls, are handled at start
* Devices that assume they are L1 may hold a device certificate that has since been revoked
* 500M Android devices, 20% of which are L3 only

3. C2PA
* Please post the slide from Valentin explaining the risk
* Asking, as part of the next CDM update, to fix the issues in DRM and address C2PA in the CDM, where watermarking with byte ranges has challenges
* Who should be responsible? Suggestion: verification should be a system-level component, not a software-level one, to prevent spoofing
* A C2PA trusted source would also help against the coming AI content threats, using trusted clients
* Encryption is applied in DRM packaging; C2PA could provide authenticity against deep fakes
* C2PA-certified content can be screen recorded and redistributed if C2PA is not applied at the system-level component
* How to act when C2PA isn't trusted? Player message, fail playback? Suggested that content should be presented only when certified
* C2PA is an embedded certificate signed on all segments; how do we sign?
* A centralized C2PA service/org will hand out certificates, requiring registration
* Collapsing at trusted points in the chain, for example collapsed at the CDN edge as the trusted point, for scaling
* Presented: news teams need this most, verifiable certified trusted-source content
* The known risks of piracy aren't known to users; some paid services are so good it's hard to tell they are pirate sites. Services like https://streamed.su are free, with no ads
* The hassle of finding content and continually rising prices are the key reasons people end up pirating

----

Action items:
* Industry effort around security guidelines at SVTA on CDN delivery and "properly" foundational DRM rules
* Everyone should look at multi-key; start enforcing L1 on 1080p and higher