C2PA, DRM and Content Protection

Three worrying items in the DRM space

1. Dsenc - Sub sampling encryption, no authenticity to the data

  • Modifying IPCM blocks to record screen to infer how decoder and CPM to discover the key
  • CTR was explained; however, CBC mode should also be exploitable
  • FairPlay is not affected
  • Proposals are coming out as to what to do short term. Pressure on MPEG for CENCV2 to resolve
    • Actions are likely to be: fix ranges, bring in HMAC auth CDM or GCM (limited in device support), or prevent IPCM support as a decoder option
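
The short-term actions noted above (fix the ranges, add HMAC authentication), as an added example that is not from the meeting or from any DRM vendor: a simplified subsample model in Node.js where an HMAC-SHA256 tag covers the IV, the clear/protected range map and every byte of the sample. The function names, keys and sample bytes are constructed for illustration.

```javascript
// Added illustration: simplified subsample model, not a CENC or CDM implementation.
const crypto = require('crypto');

// AES-128-CTR over protected ranges only; CTR is symmetric, so this also decrypts.
function ctrRanges(key, iv, sample, subsamples) {
  const cipher = crypto.createCipheriv('aes-128-ctr', key, iv);
  const out = Buffer.from(sample);
  let pos = 0;
  for (const { clear, protectedBytes } of subsamples) {
    pos += clear; // clear bytes pass through untouched
    cipher.update(sample.subarray(pos, pos + protectedBytes)).copy(out, pos);
    pos += protectedBytes;
  }
  return out;
}

// HMAC-SHA256 over the IV, the range map and every byte (clear and encrypted).
function tagSample(macKey, iv, subsamples, data) {
  const map = Buffer.alloc(4 + subsamples.length * 8);
  map.writeUInt32BE(subsamples.length, 0);
  subsamples.forEach((s, i) => {
    map.writeUInt32BE(s.clear, 4 + i * 8);
    map.writeUInt32BE(s.protectedBytes, 8 + i * 8);
  });
  return crypto.createHmac('sha256', macKey).update(iv).update(map).update(data).digest();
}

function verifySample(macKey, iv, subsamples, data, tag) {
  const expected = tagSample(macKey, iv, subsamples, data);
  return tag.length === expected.length && crypto.timingSafeEqual(tag, expected);
}

function demo() {
  const key = Buffer.alloc(16, 1), macKey = Buffer.alloc(32, 2), iv = Buffer.alloc(16, 3); // constructed
  const sample = Buffer.from('HDR:payload-bytes-0123456789'); // constructed sample bytes
  const ranges = [{ clear: 4, protectedBytes: sample.length - 4 }];
  const enc = ctrRanges(key, iv, sample, ranges);
  const tag = tagSample(macKey, iv, ranges, enc);
  const modified = Buffer.from(enc);
  modified[10] ^= 0x01; // one ciphertext bit changed in transit
  return {
    roundTrip: ctrRanges(key, iv, enc, ranges).equals(sample),
    // CTR alone decrypts the modified bytes without any error.
    silentChange: ctrRanges(key, iv, modified, ranges)[10] === (sample[10] ^ 0x01),
    genuineAccepted: verifySample(macKey, iv, ranges, enc, tag),
    modifiedRejected: !verifySample(macKey, iv, ranges, modified, tag),
    movedRangeRejected: !verifySample(macKey, iv, [{ clear: 8, protectedBytes: 20 }], enc, tag),
  };
}
```

Covering the range map in the tag is what "fix ranges" amounts to in this model: a sample whose clear/protected boundaries were moved fails verification even if no payload byte changed.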

2. Widevine L3

  • Scripts exist to steal the key; removing the key from the CDM is easy, and options to prevent interception don't exist
  • Publishers find streams within minutes
  • Watermarking rat race blockers are mitigated quickly
  • Options to reduce resolution to SD for all L3 content
  • Google provides a revocation list of L1 supported devices down to the device; L3 devices are set at a group-level pool of devices. The problem with this is that the provisioning requests controlled by Google are handled at start
  • Devices that assume they are L1 with a device certificate that could since have been revoked.
  • 500M Android devices, 20% are L3 only

3. C2PA

  • Please post slide from Valentin explaining the risk
  • Asking, as part of the next update to the CDM, to fix issues in DRM and address CDM C2PA where watermarking with byte ranges has challenges
  • Who should be responsible? Suggestion: it should be a system-level component for verification and not software-level, to prevent spoofing
  • C2PA trusted source would also help with the coming AI content threats using trusted clients
  • Encryption is applied in DRM packaging; C2PA could produce authenticity against deepfakes
  • C2PA-certified content can be screen recorded and redistributed if not applied at the system-level component
  • How to act when C2PA isn't trusted? Player message, fail playback? Suggested it should present only when certified
  • C2PA is embedded certificate signed on all segments how we sign
  • A centralized C2PA service/org will be handing out certificates requiring registration
  • Collapsing at trusted points in the chain example collapsed at CDN edge as trusted for scaling
  • Presented news teams need this most, verifiable certified trusted source content
  • The known risks of piracy aren't known to users; some paid services are so good it's hard to tell they are pirate sites. Services like https://streamed.su are free, no ads
  • Hassle to find content and continually rising prices are the key reasons people end up pirating

Action items:

  • Industry effort around security guidelines on SVTA on CDN delivery and DRM "properly" foundational rules.
  • Everyone should look at multi-key and start enforcing L1 on 1080p and higher