C2PA, DRM and Content Protection
Three worrying items in the DRM space
1. Dsenc - Subsample encryption, no authenticity on the data
- Modifying IPCM blocks to record screen to infer how decoder and CPM to discover the key
- CTR was explained; however, CBC mode should also be exploitable
- Fairplay is not affected
- Proposals are coming out as to what to do short term. Pressure on MPEG for CENCV2 to resolve
- Likely actions are to fix ranges, bring in HMAC auth in the CDM or GCM (limited device support), or a decoder option to prevent IPCM support
2. Widevine L3
- Scripts exist to steal the key; removing the key from the CDM is easy, and options to prevent interception don't exist
- Publishers find streams within minutes
- Watermarking rat race: blockers are mitigated quickly
- Options to reduce resolution to SD for all L3 content
- Google provides a revocation list of L1 supported devices down to the device; L3 devices are set at a group level as a pool of devices. The problem with this is that the provisioning requests, controlled by Google, are handled at start
- Devices can assume they are L1 with a device certificate that could since have been revoked.
- 500M Android devices, 20% are L3 only
- Please post slide from Valentin explaining the risk
- Asking, as part of the next update to the CDM, to fix issues in DRM and address CDM C2PA, where watermarking with byteranges has challenges
- Who should be responsible? Suggestion: it should be a system-level component for verification and not software-level, to prevent spoofing
- A C2PA trusted source would also help with the coming AI content threats, using trusted clients
- Encryption is applied in DRM packaging; C2PA could provide authenticity against deepfakes
- C2PA-certified content can be screen recorded and redistributed if not applied at the system-level component
- How to act when C2PA isn't trusted? Player message, fail playback? Suggested it should present only when certified
- C2PA is an embedded certificate signed on all segments, how we sign
- A centralized C2PA service/org will be handing out certificates, requiring registration
- Collapsing at trusted points in the chain, for example collapsed at the CDN edge as trusted, for scaling
- Presented that news teams need this most: verifiable, certified, trusted-source content
- The known risks of piracy aren't known to users; some paid services are so good it's hard to tell they are pirate sites. Services like https://streamed.su are free, no ads
- Hassle to find content and continually rising prices are the key reasons people end up pirating
Action items:
- Industry effort around security guidelines on SVTA on CDN delivery and DRM "properly" foundational rules.
- Everyone should look at multi-key and start enforcing L1 on 1080p and higher
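
The "fix ranges, bring in HMAC auth" option from item 1, sketched as an added example that was not presented at the meeting: a per-sample HMAC that covers the subsample range table as well as the sample bytes, so a changed byte or a changed clear/protected split is rejected before decryption. The tag layout, the separate integrity key and all sample values are assumptions constructed for illustration, not part of CENC or of any CDM.

```python
import hashlib
import hmac
import struct

def sample_tag(key, iv, subsamples, sample):
    """HMAC-SHA256 over IV, subsample range table and sample bytes (hypothetical layout)."""
    # The (clear, protected) byte counts must cover the sample exactly.
    if sum(c + p for c, p in subsamples) != len(sample):
        raise ValueError("subsample ranges do not cover the sample")
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(struct.pack(">B", len(iv)) + iv)
    mac.update(struct.pack(">H", len(subsamples)))
    for clear, protected in subsamples:
        # Binding the range table means a changed clear/protected split fails.
        mac.update(struct.pack(">HI", clear, protected))
    mac.update(sample)  # clear and still-encrypted bytes alike
    return mac.digest()

def verify_sample(key, iv, subsamples, sample, tag):
    """Return True only if data and ranges are exactly what the packager tagged."""
    try:
        expected = sample_tag(key, iv, subsamples, sample)
    except (ValueError, struct.error):
        return False
    return hmac.compare_digest(expected, tag)

# Constructed demo values, not taken from any real stream or license.
INTEGRITY_KEY = bytes(range(32))   # assumed to arrive separately from the content key
IV = bytes(8)
RANGES = [(5, 32), (3, 16)]        # (clear bytes, protected bytes) pairs
SAMPLE = b"\x00" * 5 + b"\xaa" * 32 + b"\x01" * 3 + b"\xbb" * 16
TAG = sample_tag(INTEGRITY_KEY, IV, RANGES, SAMPLE)

def demo():
    flipped = bytearray(SAMPLE)
    flipped[10] ^= 0x01  # one bit changed inside the first protected range
    return {
        "untouched": verify_sample(INTEGRITY_KEY, IV, RANGES, SAMPLE, TAG),
        "byte_flipped": verify_sample(INTEGRITY_KEY, IV, RANGES, bytes(flipped), TAG),
        "ranges_moved": verify_sample(INTEGRITY_KEY, IV, [(21, 16), (3, 16)], SAMPLE, TAG),
        "ranges_short": verify_sample(INTEGRITY_KEY, IV, [(5, 32)], SAMPLE, TAG),
    }

if __name__ == "__main__":
    print(demo())
```

The check only helps if it runs inside the CDM or another trusted component before any byte reaches the decoder.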