Design of Security Framework for Next Generation IPTV Services

차세대 IPTV 서비스를 위한 보안 프레임워크 설계

Abstract

With the emergence of increasingly complex networks and diverse user terminals, demand for the next generation IPTV service is rapidly growing. It enables any content to seamlessly be reused on the diverse terminals as well as be broadcasted in real-time through the complex networks. In this paper, a novel security framework is proposed for the real-time and reusable IPTV services. The proposed framework is advantageous over the conventional content protection techniques in easily producing the scalable content with lightweight, perceptual, transcodable, and adjustable security features. It does not only ensure end-to-end security over the entire service range based on a single security mechanism, but also can control a level of security while dynamically transcoding the original content. This approach basically performs selective encryption during and after the compression using scalable video coding. The suitability of the proposed approach is demonstrated through experiments with a practical service scenario. Therefore, it is expected that security technology alone could practically contribute to creating new business opportunities for IPTV services.

최근 디지털 컨버전스가 가속화되면서 급부상하고 있는 차세대 IPTV 서비스는 디바이스에 구애받지 않고 자유롭게 콘텐츠의 생성과 소비가 가능하여, 전송환경과 디바이스의 특성에 맞는 실시간 서비스와 콘텐츠의 재사용 서비스를 확장성 있게 제공함을 특정으로 한다. 본 논문에서는 이러한 차세대 IPTV 서비스를 제공함에 있어서 요구되는 보안 요구조건과 이를 해결하기 위한 보안 프레임워크를 제안한다. 제안 방법은 기본적으로 SVC (Scalable Video Coding)를 사용하는 단일 메커니즘으로써, 서비스가 제공되는 모든 구간에 대하여 높은 보안성을 보장하며, 동시에 안전한 미디어 적응변환과 동적인 보안 강도 조절이 가능하다는 장점이 있다. 본 논문에서는 현실적인 서비스 시나리오를 바탕으로 제안 방법의 타당성을 입증하였고, 보안 기술 자체만으로도 새로운 비즈니스 기회를 창출 할 수 있는 가능성을 제시하고 있다는 점에서 의의가 있다.

I. Introduction

The television entertainment industry is currently experiencing a major transformation as broadband subscribers and improvements in compression techniques for digital video content continue to grow. This growth is accelerating the demand for a new generation of technology that allows any content to be watched on any device, anytime and anywhere. That is, the content is not only broadcasted in reaHim얀 through complex networks, but also is seamlessly reused on diverse devices. This next geii르fation IPTV service explores key 안}allonges associated with successfully managing the technical operation of increasingly complex networks and diverse user terminals. The complex networks have led to growing interest in the development of a video codec that can dynamically adapt to the network architecture and temporal variations in network conditions such as bandwidth and error probability. Furthermore, th이 diverse devices such as smartphones, handheld personal digital assistants and desktop workstations, each of which has different display resolutions and processing capabilities, may all have access to the same digital media content.

In this paper, a novel security framework is proposed that allows any content to seamlessly be mug얀d as well as be broadcasted in reaHime on diverse terminals through complex networks. Notably, the proposed framework is advantageous over the conventional content protection techniques in that it can easily produce the scalable content with lightweight, perceptual, transcodable, and adjustable security features. Moreover, it ensures endTQpnd security ov안r th완 entire service range based on a single security mechanism. The suitability of the framework is demonstrated through experiments with a practical service scenario. Therefore, it is expected that security itself could practically contribute to creating new business models for IPTV services.

This paper is organized as follows. Related work is discussed in fetion II. The scalable IPTV service is defined and its security r^uirements are derived in Section III. Then, the security framework for satisfring the requirements is presented in Section IV. In Section V, a service model is assumed and then experimente are performed under the model. The study concludes in Section VI with a summary and plans for future research.

Ⅱ. Related Work

The recent progress in video coding research is enabling the development of scalable video coding, which allows for almost arbitrary combinations of bitstream layers in temporal, spatial and quality dimensions Scalable coding is to encode the video once and then lower qualities, spatial resolutions, and temporal resolutions could be obtained by simply truncating certain layers or bits from the original stream. SVC (Scalable Video Coding) is a highly attractive solution amon흠 several scalable coding schemes since it oflfeiB a variety of valuable functionalities. It 眞 been standardized as a scalable video coding extension of the H.264/AVC standard by the Joint Video Team of the ITU-T VCEG and the ISO/IEC MPEG ⑴, 〔2〕. Thus, the scalable video coding is expected to easily produce scalable content for the next g슨neTation IPTV service.

However, security remains top 산lall은nge. Conventionally, two security techniques such as CAS (Conditional Access System) and DRM (Digital Rights Management) have been used for content protection. CAS is a technique for allowing only a subscriber who is authorized to r쟌ceive broadcast contents, to descramble the signals scrambled by a digital broadcast transmitter and thus to view a relevant program. Further, DRM technique is for technically protecting digital content under copyright: it is implemented such that, when a user desires to use distributed digital content which are under copyright, the di应tai content can be used only after obtaining license giving authorization to use the content. For interoperability tetween CAS and DRM technologies, an architecture which can securely convert the broadcasted content into the digital content under copyright is now being standardized ⑶.

However, the architecture for converting the CAS content into the DRM cont숀nt requires that the content protected by C您 should be decrypted. This mak咬 it difficult to ensure the end-tcrend security of the content over the entire service range. Moreover, conventional techniques usually encrypt the entire a)ntent. This approach ^ems inadequate in situations where only few resources are available (real-time networking, high-definition delivery, low memory, low power). Therefore, many functionalities of the encoding scheme may be disabled. Like this, conventional techniques for content protection have many limitations, especially in meeting new security requirements for the next generation IPTV 河vi任$ 〔4〕. Some recent works explores a way of selective encryption by applying encryption to가 subset of a bitstream ⑸-⑺.

Ⅲ. Security Requirements for Next Generation IPTV Services

This section defines the next generation IPTV 跄wic션 and then derives the secuiity requirements to successfully deploy this service.

The next 康汨쟌ration service is defined as a n운w paradigm service with 4A (Any-content, Any-device, Anytime, Anywhere) characteristic to the convergence of telecommunication and broadcasting. It seamlessly provides both the real-time broadcasting and reusable content services on diverse terminals through complex networks, as shown in (Fig. 1). This can be efficiently achieved with the scalable video coding technology and has the following two aspects distinguished from the conventional IPTV service.

(Fig. 1) The next generation IPTV service.

First, broadband distribution is adaptively serviced in real-time aceor由ng to bandwidth variation of delivery a픈tworks and condition of user's terminals. That is, the same content can be dynamically transcoded by a combin거一 tion of spatial, temporal and quality scalability. Variation in delivery networks also leads to different tradeoffs in 七얀rms of coding efficiency and error robustness, e.g. between wired and wireless networks. This media adaptation of the scalable content has an advantage of the lower server storage capacities since it is not necessary to store multiple versions of the same content. It also contributes to the simple management of the content. Consequently, this feature will surely provide practical benefits to service providers as well as consumers.

Second, a customer can directly reuse or redistribute the content even after content has been delivered to the customers home in real-time or on-demand. From a customers point of view, this will become a highly attractive service since the customer can reuse content on any devices, anytime and anywhere only if the customer is legally authorized. Reusable content can be easily produced by storing content in a PVR (Private Video Recorder) or a set-top box and then simply by truncating a part of the content to be suitable for a device. It thus can be redistributed to other devices through various Internet cham젼is such as P2P file sharing, websites, messenger services.

rrherefbre, for successfully providing this scalable service, it is important that the following security requirements should be met in preference.

3.1 Lightweight Security

Smartphones and other mobile terminate are more widely used for multimedia service while still requiring 잤a所s control and copyright protection. Their moderate resolution and computational power impose to make an effort in. reducing the encryption computational complexity. In particular, reai-time broadcasting services over network and public channels need to rely on access control systems to protect their content. Standard cryptographic techniques can guarantee high level of so:urity, but lead to the cost of expensive implementation and important transmission delays. Therefore, it is necessary to peiibrm lightweight encryption that can provide sufficient $샨이arity with an important gain in computational complexity and delays.

3.2 Perceptual Security

In traditional content protection schemes, the compressed bitstream is entirely encrypted using a standard cipher. It alters the whole bitstr^m syntax which may disable some codec functionalities. However, in some real-time content, it could be desirable to encourage us연rs to buy the content. For this purpose, only a soft visual degradation is achieved, so that anyone would still understand the content b냐t prefer tx> pay to access the ftillpuality unencrypted(x)ntent. Thus, an encrypted bitstream should be compliant with the encoder: any standard decoder should be able to decode the encrypted bitstream without decryption. This can be achieved by partially encrypting specific parameters within an encoding process. Consequently, peraptual security is highly attractive, espraally to service providers since it can suggest them with new business models.

3.3 Transcodable Security

After IPTV content is delivered to the customers home in real-time or on-demand, the need for reusing the content on various devices increases more and mo호e. This can be simply achieved by storing the content in a PVR (Private Video Recorder) or a set-top box and then securely transcoding the content according to the different capabilities of end-users devices. However, the conventional techniques such as CAS and DRM cannot sufficiently solve this problem since the content protected by th영 CAS should be decrypted to be coiaerted into the DRM content for reuse. Therefore, it is necessary that reusable content should be securely crated while being stored in the PVR and then b양ing transcoded according to the conditions of various devices without decryption.

3.4 Adjustable Security

Reusable content can be easily redistributed to other devices through vaiious Internet channels such as P2P file sharing, wefeites, messenger services. If the content is obtained by an illegal user, it can cause s얀Tious problems. Hence, the encryption strength of th 웒 contents needs to be higher than that of encryption applied to real-time broadcastii^. In this aise, the dmyption of encrypted content should not be performed during the process for converting the real-time broadcasting content into the reusable content.

3.5 End-to-end Security

End-to-end security should be ensured over the entire range to which the IPTV service is provided. For this, a single security mechanism needs to & applied to IPTV content for integrating the real-time and reusable content services. Such mechanism should also include key management concerning tradeoff between complexity and efficiency for multiple k원ys.

IV. Proposed Framework

_{In this section, the ptop}。_{딩ed security framework} is briefly reviewed and then its three main components are describe in detail: parameter-based encryptor, NAL-based e/CTyptm and security message generator.

Th 연 proposed framework is schematically shown in [Fig. 2〕. Fkst, the input media(x)ntent is enoxied while being selectively encrypted in the service provider side. For the encryption of specific parameters, the encoding parameters (e.g., inta4nter residue sig筋, and a motion vector diflerence value) obtained during the SVC encoding process, are selectively encrypted on a peHayer basis. Then, the secuiity message including encryption information is embedded into the encoded content, resulting in scalable secure aintent. This scalable s^ure content is broadcasted to the first device group in a form of bitstream. The ^curity messa^ can be identified to allow the media content to be used by the first device group.

[Fig. 2) The proposed security framework.

The first device can wateh a real-time broadcast if it is authorizai. Further, if the received content is attempted to be reused in another device, the content is first transferred to the secure transcoder whig keeping encrypted. Such transcoder is located within a home, and may be operated Wether with a PVR or a set-top box. In the trancoder, reusable content is created by additionally performing NAL-based encryption. Here, security messages are newly generated or modified by using the existing security messages which have 쥲heady been generated in the service pr쟝vider Then, the reusable secure content can be redistributed by means of various Internet channels such as Peertc广P양 (P2P) networks or web h가rd drives, and be easily used by the second device.

Clearly, this reusable content is very secure since the second device should have an NAL-based decryption key as well as a parameter-based decryption key to be normally decrypted. Therefore, its security strength is usually higher than that of the content encrypted based on parameters.

4.1 Parameterbased Encryptor

The aim of parameter-based encryption is to reduce the amount of data to encrypt while preserving a sufficient level of security without altering the whole bitstream syntax. This computing savings is very desirable especially in constrained communications such as real-time networking and mobile communications with limited computational power devices. Moreover, it can produce quality-^controllable content since the encrypted bitstream based on parameters is basically compliant with the encoder.

[Fig. 3) shows the parameter-based encryptor in the base layer. The residual sign values are encrypted before entropy coding by using exclusive-or operation with a random sequence. It can be easily generated from a pseudo random number generator with a seed value. On the other hand, motion vector differene샹 values, which are encoded with Exp-Golomb codes, are enciypted with only bits for representing the absolute of the values during th슨 entropy o)ding. However, its encryption process is similar to the method for encrypting the residual sign values. In this way, each layer can be selectively encrypted in the two domains. Consequently, this scheme can be effectively applied for satisfying both the lightweight and perceptual security requirements under the real-time broadcasting environment.

[Fig. 3) Base Sayer encocter with parameter-based encryptor.

4.2 NAL-based Encryptor

NAL—ba도ed encryption is configured such that the payloads of NAL unit types 5 (IDR; Instantaneous Decoding Refresh), 1 (non~IDR), 20 (Scalable Extension), 6 (SEI; Supplement Enhancement Information), 7 (SPS; Sequence Pai'arneter Set), and 8 (PPS- Picture Parametei' Set) ai'e selectively enciypted by using a standard cipher (DES, AES, etc.): where IDR, non-IDR, and Scalable

Extension NAL units contain information about encoded sli(^ data whi也 SEI, SPS, and PPS contain additional information. Such NAL unit types can be identified from NAL unit header as shown in (Fig. 4]. NAL-based encryptor is intends to additionally encrypt the received content and then directly transcode the encrypted content which might be encrypted based on parameter and NALs. As a result, it contributes to satisfying both the adjustable and transcodable security requirements, mentioned in Section III.

[Fig. 4) NAL unit syntax.

4.3 Security Message Generator

The bitstream of content basically includes security m냔ssages. Th든 security message format is d@hn양d as (Fig. 5]. It is noted that at the secure transcoder, the security message is created by sharing the security message that has been generated at the service provider. Thi옪 property enables one security m숸chanism to seamlessly be appli^i to both the real-time broadcasting and reuse services, resultir^ in end 너)(end security over the entire range to which 난! 연 IPTV service is provided. With the security message, encryption information can be identified to allow the media content to be used by a consumers device.

(Fig. 5) Security message format.

Such security message is characterized in that it is generated by recording security levels and encrypted keys for each SVC layer into the payloads of one of the NAL (Network Adaptation Layer) unit types 24 to 31, which are now unspecified for the optional 냐se. This security message can be differently set per SVC layer. Here, the security levels can be set in the m@ssag 영 by properly combining both the encryption types based on para­ meters and NALs. Each encryption type is defined as shown [Table 1]. It is possible to set various security levels per SVC layer since each bit of the security levels can be independently determined with maximum 28 security levels.

(Table 1) Security Level

[Table 2] An Example of Security Message

Similarly, encryption seeds or keys are encrypted by using a standard cipher and then the encypted values ar양 set into the message. Th아 number of the encrypted k영ys equals to the number of bits to be set in the security level. When the bitstream of content is generated, the NAL unit with the security message is located at th숸 beginning of the bitstream. This allows a device to interpret the NAL unit prior to other NAL units. [Tabl션 2〕shows an example of this security mess 자 go.

V. Experiments

In this section, the validity of the pro­ posed framework is evaluated through the experiments using the test sequence "ICE” to 난坨 JSVM9.19 [8), (9).

A service model is here assumed as shown in (Fig. 6] where the seala아e content with 3 spatial scalabilities (4CIF, GIF, QCIF), 3 桎mpoT잤 1 scalabilities and 1 quality scalability is encoded. The content is simultaneously encrypted with SP1 encryption type defined in [Table 1], and the seed in each layer is generM 용 d differently, resulting in 9 different se숭ds for overall 9 layers. However, for simple key management, such seeds are encrypted with only three keys (K), K2, K3) according to the spatial scalabilities. As shown in (Fig. 6〕, the security messages are gen른rated and then distributed while being embedded in the media bitstream. It is noted that at the secure transcoder, the b셨訟 layer of this content is additionally encrypted with SN₁ encryption type using the key K\. Then, only the base layer of the content is extracted in the sectwe transcoder for the reuse in the second device. Here, the security messages are also extracted and then modified as shown in [Fig. 6). In this scenario, the broadcasting ssv얀r first creates the protected content and then distributes the content to a consume匚 If the consumer has paid for the content, the broadcasting server delivers the th使 authorized keys to the first device. Therefore, the device can successfully decrypt and play the encrypted content after easily obtaining the overall 9 different seeds only if it has th숹 thr양。authorized keys corresponding to the three spatial layers. To evaluate the practicality of the proposed framework, experiments were performed at the five points n냐mb@r쟌d in (Fig. 이. (Fig. 7] shows the experimental results. That is, the second and fifth results demonstrate the images decrypted and decoded normally in TV and smartphone, respectively. The first result is the image decoded in TV without the keys (Ki, K幻 Ka), which is easily obtained owing to format compliant property of parameter-based encryption. Similarly, the fourth result is the image decoded in smartphone without the key Ki. When looking carefully at these two images, it is noticed that the scene is percep­ tually intelligible although they are quite noisy. On the other hand, the third image reveals no meaningful information. Since the original bitstream of this image is altered by the NAL-based encryptor, it cannot be directly decoded by using any standard decoder. There­ fore, only the bits compliant with the SVC codec are decoded without the keys (Ki, K'i) while replacing the noncompliant bits with a default value. It is suggested that the encryp­ tion strength of the content can be controlled to an almost unintelligible level by selectively using the encryption types.

〔Fig. 6〕An service scenario and security messages.

[Fig. 1] Decoded remits at the five points of (Fig. 6).

The experiments were additionally per­ formed using the standard video sequence “HARBOUR” which was encoded with the same configuration used in the "ICE” sequence. In real-world service environments, decryption is more critical rather than encryption because the encryption overhead can be sufficiently overcome by high-performance computing sys­ tems. Thus, the computational overhead during the decrypting process was measured instead of the encryption process.

[Table 3] shows the time overhead at three decryption processes in [Fig. 6L This is a time ratio between decryption and decoding. Here, the computer used is based on a 2.67 GHz Intel Processor and with 2.75 GB of RAM. As a result, the decryption overhead can be said to be negligibly small compared to the decoding time.

[Table 3) Time Overhead at Each Decryption Point

VI. Concision

The next generation IPTV service has notable features such that it can seamlessly provide the real-time broadcasting service and the reusable service. In this paper, a new scalable security framework suitable for this service is proposed. The proposed framework has many advantages in that it can potentially create various business models by using its lightweight, perceptual, transcodable, and adjustable encryption properties compared to conventional content protection techniques. Then, experiments under the practical service scenario are performed. The test results show the suitability of the proposed framework.

In the future, the implementation supporting more service models will be attempted. Moreover, the techniques of sei仁protecting, watermarking and fingerprinting will be studied for more securely protecting and exactly tracing the reusable content.