best practices for content protection
DESCRIPTION
Technical information on the practices and formats of digital content protection. This paper discusses the ways of which content is relayed and the various formats that are available and used in today's industry.TRANSCRIPT
Best Practices for Content Protection
Specific and General Compliance and Robustness Rule for the Protection of Digital Content Delivered and Rendering
Valuable Audiovisual Content
David P. Beddow Technology and Security Consultant
September 15, 2008
CONTENT SUPPLY CHAIN .................................................................................................................................2
CONTENT PROTECTION SYSTEMS ....................................................................................................................3
WMDRM ............................................................................................................................................................ 4
MARLIN DRM ....................................................................................................................................................... 4
OMA 2.0 DRM .................................................................................................................................................... 4
CPRM ................................................................................................................................................................. 4
MAGICGATE ......................................................................................................................................................... 5
SAFIA .................................................................................................................................................................5
AACS .................................................................................................................................................................. 5
VCPS ...................................................................................................................................................................6
DTCP ..................................................................................................................................................................6
GENERAL COMPLIANCE & ROBUSTNESS RULES ...............................................................................................6
WATERMARKS. FINGERPRINTS. CONSENSUS WATERMARK AND RIGHTS SIGNALING MARK ...........................9
GEOFILTERING ...............................................................................................................................................10
OUTPUT COPY PROTECTION STANDARDS ......................................................................................................11
CHECKLIST FOR PHYSICAL AND DATA SECURITY ............................................................................................13
DEFINITION OF TERMS ..................................................................................................................................16
EXAMPLES OF REQUIRED SETTINGS FOR WIDOWS MEDIA DRM ................................................................... 23
DEFINITION OF MICROSOFT DRM OUTPUT COpy PROTECTION LEVELS .........................................................33
APPENDIX A - PHYSICAL AND DATA SECURITY AUDIT ...................................................................................38
APPENDIX B - CONTENT PROTECTION SYSTEMS ...........................................................................................41
APPENDIX C - END USER DEVICES .................................................................................................................44
It is not practical to cover every edge case encountered in content delivery system. The following scenarios cover the majority of the cases encountered in today's environment.
CD Content Licensor
@Content Licensee
Q)CPS
Packaging
@Relay
Packaging
® Content Delivery
Servers
(J) RF Service Providers
® Closed Private Network Providers
~ Open
<:) • Network Connected IP
Devices
® RF Network Connected
Devices
@ Closed
Network Connected Devices
Content Supply Chain Definitions: CD Content Licensor means the entity holding the rights to license the content for distribution.
o Content Delivery Path #1 - This is the path by which content is delivered by the Content Licensor to the Content Licensee in encrypted form by means of physical media or secure electronic delivery.
@ Content Licensee means the entity holding a license to distribute content.
@ CPS Packaging means the process by which the content is encrypted for use with a specific Content Protection System (CPS).
@ Content Delivery Path #2 - This is the delivery path by which the Licensee places the CPS protected content on Content Delivery Servers for delivery via the Internet or Private Network with open Internet access to end user Network Connected IP Devices.
® Content Delivery Servers (CDS) means the servers located in the Content Delivery Network (CDN), including primary storage servers and edge or caching distribution servers, for delivery via the Internet or Closed, Private Networks directly to Hard-line Connected IP Devices.
c) Content Delivery Paths #3 - This delivery path is the open Internet, Open Private Networks that allow open Internet access or from caching servers hosted within the Private Network Provider's facilities based on the IP ranges and/or IP domains.
Network Connected IP Devices means IP capable devices such as PCs, settops, TV
Issued 9,15,08 Page 2
Best Practices for Content Protection
displays or portable devices connected directly to the Internet or Private Network with open Internet access.
® Relay Packaging means the process by which content is protected by an accepted encryption mechanism for secure electronic delivery to a third-party affiliated distributor or RF Service Provider.
o & 0 Content Delivery Paths #4 & #5 These are the paths by which content is delivered by the Content Licensee in encrypted form by means of secure electronic delivery to an affiliated RF Service Provider or Private Network Provider for the purpose of hosting the content on servers in their facility.
CD RF Service Provider means the Content Licensee or an entity under contract to the Content Licensee to package and deliver content via a wireless network directly to RF Network Connected Devices which are registered to and authenticated by the network and might include cellular telephone networks or WiMAX.
o Content Delivery Path #6 - This is the delivery path by which content is delivered via a cellular telephone or WiMAX network directly to RF Network Connected Devices. Access to this network must be restricted to devices registered to and authenticated by the network.
® RF Network Connected Devices means devices such as cellular telephones or WiMAX enabled devices registered to and authenticated by the RF network.
® Private Network Provider means the Content License or its affiliate who delivers content via a Closed, Private Network, for example Cable Television Systems.
G Content Delivery Path #7 - This is the delivery path by which content is delivered via a Close, Private Network where the Private Network Provider re-encrypts the content using a CPS, typically a Conditional Access System (CAS) for delivery to Closed Network Connected Devices.
® Closed Network Connected Devices means devices such as settops registered to and authenticated by the Private Network.
Content Protection Systems (CPS) means a Digital Rights Management system (DRM) or Conditional Access System (CAS) used to protect audiovisual content for delivery to consumers or such other encryption systems used protect audiovisual content for point-topoint physical media or secure electronic delivery between the Content Licensor and the Content Licensee and between the Content Licensee and any node in their distribution system.
In general CPSs are not "pre-approved", On a case by case basis, a particular CPS
Issued 9.15.08 Page 3
Best Practices for Content Protection
implementation may be approved if it can be demonstrated that the overall system within which the CPS has been implemented is robust. CPSs that: (1) have published Compliance and Robustness Rules that are enforced by a License Agreement by and between the CPS provider and the implementing service; (2) can and do meet the General Compliance & Robustness Rules for Content Protection Systems contained in this document and (3) are offered by CPS providers who incorporate significant proprietary intellectual property in their products and aggressively seek to protect those IP rights, are favored.
The WMDRM or PlayReady (fully functional version), using the latest components (e.g., WMF 11 SDK, WMRM 10.1.2 SDK, WMDRM 10, WMDRM-PD, WMDRM-ND and PlayReady), provided that: (i) Licensee at all times shall comply with (a) the then-current version of Microsoft's Compliance and Robustness Rules for each WMDRM component, (b) all applicable WMDRM or PlayReady Specifications; and (c) the General Robustness and Compliance Rules for CPSs; (ii) the WMDRM MinimumSecurityLevel and MinimumClientSDKSecurity must be always set at the highest allowable value in all issued DRM licenses; and (iii) other WMDRM settings shall comply with the terms and conditions defined in the content license agreement. For the avoidance of doubt the version of PlayReady integrated with Silverlight, "Silverlight Powered by PlayReady" is a fully functional version of PlayReady.
D The latest version of the Marlin DRM provided that: (i) Licensee at all times shall comply with (a) the Marlin Architecture Overview, the Marlin - Core System Specification, Version 1.3, Final and the Marlin IPTV End-point Service Specification under the Marlin Client Agreement (Interim Version) administered by the Marlin Trust Management Organization, LLC., including but not limited to, Exhibit B Robustness Rules and Exhibit A - Compliance Rules as supplemented by the Marlin IPTV-ES / J Specific Compliance Rules, and (b) the General Robustness and Compliance Rules for CPSs; and (ii) have all Marlin DRM control parameters set to maintain the highest security level and to comply with the terms and conditions defined in the content license agreement.
The latest version of the OMA 2.0 DRM provided that: (i) Licensee at all times shall comply with (a) the then current Content Management License Administrator (CMLA), LLC, Service Provider Agreement, Exhibit A - Rights Issuer Compliance Rules and Exhibit B - Rights Issuer Rules and the Client Adopter Agreement, Exhibit A - Client Adopter Compliance Rules and Exhibit B Client Robustness Rules, (b) the General Robustness and Compliance Rules for CPSs; and (ii) have all OMA 2.0 DRM control parameters set to maintain the highest security level and to comply with the terms and conditions defined in the content license agreement.
The latest version of Content Protection for Recordable Media (CPRM) for DVD Recordable
Issued 9.15.08 Page 4
Best Practices for Content Protection
Disc and SO memory card (SO-Video) provided that: (i) Licensee at all times shall comply with (a) the CPRM/CPPM License Agreement and CPRM For Content Distribution Addendum administered by the 4C Entity LLC, including Exhibit C - Compliance Rules and Robustness Rules; (b) all applicable CPRM Specifications; and (c) the General Robustness and Compliance Rules for CPSs; and (ii) have all CPRM control parameters set to maintain the highest security level and to comply with the terms and conditions defined in the content license agreement.
The latest version of the MagicGate Type-R for Secure Video Recording (MG-R (SVR)) for Memory Stick PRO, Memory Stick PRO DUO, and Memory Stick Micro (Memory Stick Secure Video File Format) MagicGate Type-R for Secure Video Recording (MG-R (SVR)) for EMPR Type I and EMPR Type II (EMPR Video File Format) provided that: (i) Licensee at all times shall comply with (a) the Memory Stick PRO - Secure Video Recording Format - Content Protection License Agreement and the Embedded Memory with Playback and Recording Capability - Secure Video Recording Format - Content Protection License Agreement administered by Sony Corporation, including Exhibit C - Compliance Rules and Exhibit 0 Robustness Rules; (b) all applicable MagicGate Specifications; and (c) the General Robustness and Compliance Rules for CPSs; and (ii) have all MagicGate DRM control parameters set to maintain the highest security level and to comply with the terms and conditions defined in the content license agreement.
The latest version of Security Architecture for Intelligent Attachment device (SAFIA) for iVDR Hard Disk Drive (TV Recording Specification) provided that: (i) Licensee at all times shall comply with (a) the Security Architecture for Intelligent Attachment Device ("SAFIA") Specification License Agreement, administered by the SAFIA Agent Sanyo Electric Co., Ltd., including Exhibit B - Compliance Rules and Exhibit C - Robustness Rules; (b) all applicable SAFIA Specifications; and (c) the General Robustness and Compliance Rules for CPSs; and (ii) have all SAFIA control parameters set to maintain the highest security level and to comply with the terms and conditions defined in the content license agreement.
The latest version of the Advanced Access Content System (AACS) for Blu-ray Disc Rewritable Media/Blu-ray Disc; Recordable Media (Blu-ray Disc Rewritable Format Version 2.0/Blu-ray Disc Recordable Format Version 1.0) may be used as an Approved CPS for Export when employed in full compliance with; (a) the Advanced Access Content System ("AACS") Interim Adopter Agreement (and Final Agreement, when available), administered by the Advanced Access Content System License Administrator LLC, including Exhibit F - Compliance Rules and Robustness Rules; (b) all applicable AACS Specifications; and (c) the General Robustness and Compliance Rules for CPSs; and (ii) have all AACS control parameters set to maintain the highest security level and to comply with the terms and conditions defined in the content license agreement.
Issued 9.15.08 Page 5
Best Practices for Content Protection
The latest version of the Video Content Protection System (VCPS) for VCPS Disc may be used as an Approved CPS for Export when employed in full compliance with; (a) the Video Content Protection System Agreement, administered by Koninklijke Philips Electronics N.V., including Exhibit A Compliance Rules and Robustness Rules; (b) all applicable VCPS Specifications; and (c) the General Robustness and Compliance Rules for CPSs; and (ii) have all VCPS control parameters set to maintain the highest security level and to comply with the terms and conditions defined in the content license agreement.
The latest version of Digital Transmission Content Protection (DTCP) provided that: (i) Licensee at all times shall comply with (a) the Digital Transmission Protection License Agreement administered by the Digital Transmission Licensing Administrator, LLC, including Exhibit B Compliance Rules and Exhibit C Robustness Rules; (b) all applicable DTCP Specifications; and (c) the General Robustness and Compliance Rules for CPSs; and (ii) have all DTCP control parameters set to maintain the highest security level and to comply with the terms and conditions defined in the content license agreement.
1) A CPS shall be used to transmit content from the Content Licensor's supply facility to Licensee's origination facility and from the Licensee's origination point to any subdistribution facility in a secure, encrypted form such that access, reproduction of usable copies, re-encryption with a different CPS and/or further re-distribution can only be accomplished with a valid license and on secure devices located in a secure environment.
2) A CPS shall be used to transmit content from the Content Licensee's origination or sub-distribution facilities to the consumer's devices in a secure, encrypted form such that access, reproduction of usable copies and re-distribution can only be accomplished with a valid license and authorized consumer devices.
3) A CPS shall operate on the basis of cryptographically robust authentication methods such that a valid license, containing cryptographic keys and other information necessary to decrypt the associated content and associated usage rules, shall be required to access and playa specific instance of the content, and shall be delivered separately (although said transmission may be simultaneous with the transmission of the content).
4) A CPS shall have each installation of the CPS software on an end-user device individualized and thus uniquely identifiable.
5) A CPS shall have each content license keyed to work only on a specific individual end-user device and shall be incapable of being transferred between devices [including portable devices) unless specifically authorized by the license itself.
6) The CPS (or other software within the Licensee's system) must have the capability
Issued 9.15.08 Page 6
Best Practices for Content Protection
to detect the version of the CPS on the user's Authorized Device and, if not the latest version of the software, forces a CPS software upgrade and re-individualization.
7) A CPS shall be renewable and securely updateable in the event of a breach of security and allow for integration of new rules and business models.
8) A CPS shall encrypt content using standard, nonproprietary, time-tested cryptographic protocols and algorithms.
9) A CPS shall apply encryption to the entirety of the audio and video.
10) A CPS shall encrypt content using a unique cryptographic key for each CPS used if multiple CPSs are employed.
11) A CPS shall not encrypt any two content files with the same unique cryptographic key.
12) A CPS shall not transmit or store passwords, cryptographic keys or any other information that is critical to the cryptographic strength of the CPS, in the clear or reused.
13) A CPS shall cryptographically protected playback licenses, revocation certificates, and security-critical data against tampering, forging, and spoofing.
14) A CPS shall only decrypt streamed content or downloaded content into memory temporarily for the purpose of decoding and rendering the content and shall never allow writing of decrypted content (including portions of the decrypted content) or streamed encrypted content into permanent storage.
15) A CPS shall use FIPS 140-1 level 3 compliant hardware platforms (or equivalent platforms) for its license servers. See definition of FIPS 140-1 level 3 Definition of Terms.
16) A CPS shall be capable of both supporting and preventing viral distribution (also referred to as super-distribution and peer-to-peer distribution) of content.
17) A CPS shall support time and play count functions as required by business models
18) A CPS shall support the revocation and exclusion of licenses for insecure and/or compromised devices.
19) A CPS shall support proximity detection when supporting home network streaming content from the source device hosting the CPS protected content to a TV display or secondary sink device.
20) The CPS, any download or streaming manager software and/or any software used for physical media burning or transfer, move or copy from one Content Protection System to another shall employ current and contemporary industry accepted robustness methods,
Issued 9.15.08 Page 7
Best Practices for Content Protection
including tamper-resistant technology that meets industry standards, to prevent such hacks as a clock rollback, spoofing, use of common debugging tools, and intercepting unencrypted content in memory buffers.
Examples of tamper resistant software techniques include: i) Code Obfuscation: The executable binary dynamically encrypts and decrypts
itself in memory, so that the algorithm is not unnecessarily exposed to disassembly or reverse engineering.
ii) Integrity Detection: Using one-way cryptographic hashes of the executable code segments and/or self-referential integrity dependencies, the trusted software will fail to execute if it is altered prior to or during runtime.
iii) Anti-Debugging: Prevent the use of common debugging tools.
21) A CPS shall, where commercially available or otherwise feasible, implement internal secure data channels to prevent rogue processes from intercepting data transmitted between system processes.
22) A CPS shall employ currently available methods to prevent the use of media player filters or plug-ins that can be exploited to gain unauthorized access to content and shall be updatable as new methods become available (example: access to the decrypted but still encoded content by inserting a shim between the DRM and the media player).
23) If a CPS or authorized device complies with the compliance and robustness rules described and required herein when authorized by Content Licensor, but at any time thereafter circumstances arise which, had they been existing at the time of authorization, would have caused such CPS or authorized device to fail to comply with these rules ("New Circumstances"), then upon becoming aware of such New Circumstances, Content Licensor may require the distributor to discontinue use of the CPS or authorized device or make available upgrades to its affected CPS or authorized device to make such CPS or authorized device compliant with these robustness rules under the New Circumstances.
24) CPS or authorized device implementations must not include switches, jumpers or traces that may be cut, or control functions means (such as end user remote control functions or keyboard, command or keystroke bypass), debuggers or debugging aids or software equivalents of any of the foregoing by which content protection technologies may be defeated or by which decrypted content may be exposed to unauthorized copying, usage or distribution. Within CPS or authorized device implementations, decrypted compressed video data must be protected by a robust method when transiting a user accessible bus.
25) CPS or authorized device shall be clearly designed such that attempts to discover, reveal, or use without authority the device secrets, serial number, keys, confidential information or when decrypted uncompressed video is transmitted over user accessible bus, such data are reasonably secure from unauthorized interception by using either Widely Available Tools or Specialized Tools, and Professional Tools except with difficulty, other than Circumvention Devices. The level of difficulty applicable to Widely Available Tools is such that a typical consumer should not be able to use Widely Available Tools, with
Issued 9.15,08 Page 8
Best Practices for Content Protection
or without instructions, to intercept such data without risk of serious damage to the product or personal injury.
a) Widely Available Tools means merely by using general purpose tools or equipment that is widely available at a reasonable price, such as screwdrivers, jumpers, clips and soldering irons.
b) Specialized Tools means using specialized electronic tools or specialized software tools that are widely available at a reasonable price, such as EEPROM readers and writers, debuggers or decompilers, other
c) Circumvention Devices means devices or technologies whether hardware or software that are designed and made available for the specific purpose of bypassing or circumventing the CPS technologies.
d) Professional Tools means equipment such as logic analyzers, chip disassembly systems, or in-circuit emulators, but not including either professional tools or equipment that are made available on the basis of a non-disclosure agreement or Circumvention Devices.
26) The CPS shall be capable of enabling the generation of usage rights signaling methods (Output Copy Protection or OCP) with respect to digital and analog outputs and shall set the OCP as specified below.
OCP Tvpe Capabilitv Requires OCP Setting Reauired
1 CGMS-A Capable of CGMS-A
outputs on all analog
CGMS-A set to (1, 1: Copy Never)
2 Macrovision Capable of Macrovision AGC and 2/4 Line ColorStripe on analog outputs
Required to be enabled for some services
3 HDCP Capable of HDCP on all analog outputs
Required on digital outputs Digital Visual Interface (DVI), High-Definition Multimedia Interface (HDMI), Unified Display Interface (UDI) and DisplayPort
IEEE1394 or USB or IP port may be authorized if properly equipped with Digital Transmission Copy Protection ("DTCP" "DTCP-IP") specifications and license. Windows Media Digital Rights Management for Network Devices ("WMDRM-ND" or "Cardea") may be used in accordance with the applicable specification of the Microsoft WMDRM-ND specification and license.
The Content Protection System shall not remove, if present, any watermarks or fingerprints inserted by Paramount including the Consensus Watermark and/or Rights
Issued 9,15,08 Page 9
Best Practices for Content Protection
Signaling Mark and shall pass through marking data such that it appear in the outputted audio and/or video without alteration. "Consensus Watermark" means the first watermark (i.e., a digital signature embedded in the digital video signal intended to provide instructions relating to the permitted usage of such video signal) that receives a public endorsement as a content protection watermark by at least four member companies of the Motion Picture Association of America. "Rights Signaling Mark" means the rights assertion mark or other rights signaling technology that is required to be detected by legislation or regulation promulgated in the United States.
Licensee shall employ IP geo-filtering technology to prevent the unauthorized exhibition of the content outside of the territory for which the content is licensed. The algorithms and database used to geo-target customers by identifying the individual's IP address shall be reviewed periodically to ensure accuracy.
Issued 9.15.08 Page 10
NTSC Analog Interlaced Format Outputs (480i) YUV, YPbPr or Y, RY, B-Y component allowed if the
Token was not set, the Constrained Image is passed if the
Constraint Token is asserted and support for Macrovision Analog Protection System and CGMSA/Copyright information is available.
TYPE OF PROTECTIONTYPE OF OUTPUT
480i RF, Composite or S-Video
576i RF, Composite, S-Video
PAL, SECAM or YUV Interlaced Format Outputs (576i) YUV, YPbPr and Y, R-Y, B-Y component allowed if the Digital Only Token was not set, the Constrained Image is passed if the Image Constraint Token is asserted and support for Macrovision Protection System and CGMSA/Copyright information is available.
Macrovision Automatic Gain Control and Colorstripe copy control systems specified in the document entitled "Specifications of the Macrovision Copy Protection Process for DVD Products, Revision 7.1.01, (September 30, 1999)" or "Specifications of the Macrovision Copy Protection Process Revision 7.2.H1 (October 3, 2005)".
CGMS-A. APSIAPS bit and RCD: (i) CGMS-A and APS trigger bits signaling on Lines 20 and 283 to IEC 61880: 1998; (ii) CGMS-A and APS signaling on Line 21 of field 2 (line 284) according to CEA-608-C, where the repetition rate for the CGMS-A and APSTB shonld be no less than once every 10 seconds for Line 284 and (iii) in devices using chips with part numbers having a date of first commercial availability after October 1, 2007, RCD Signaling on Line 21 of field 2 (Line 284) according to CEA-608-C, where the re Jetition rate for the RCD shonld same as for CGMS-A
Macrovision Automatic Gain Control and Colorstripe copy control systems contained in the document entitled "Specification of the Macrovision Copy Protection Process for DVD Products, Revision 7.1.01, (September 30,1999)" or "Specifications of the Macrovision Copy Protection Process, Revision 7.2.H1, (October 3, 2005 "
CGMS-A, bits and Redistribution Control Descriptor (RCD): (1) CGMS-A and APS bits on Lines 20 and 283 to IEC 61880:1998; (ii) CGMS-A and APS Signaling on line 21 of field 2 (Line according to CEA-608-C, where the repetition rate for the CGMS-A and
in APS
should be no less than once every 10 seconds for Line 284 and devices with part numbers having a date of first commercial availability after October 1. 2007, RCD signaling on Line 21 of field 2 (Line according to CEA- 608-(, where the repetition rate for the RCD should same as for CGMS-A.
Macrovision Automatic Gain Control and Colorstripe copy control systems specified in the document entitled "Specifications of the Macrovision Protection Process for DVD Products, Revision 7.1.01, (September 30,1999)" or "Specifications of the Macrovision Copy Protection Process Revision 7.2.Hl, (October 3,2005 ".
Copyright information signaling on Line 23 accordin to ETSI EN 300 294
Macrovision Automatic Gain Control and Colorstripe copy control systems in the document entitled "Specifications of the Macrovision Copy
Protection Process for DVD Products, Revision 7.1.Dl. (September 30,1999)" or of tbe Macrovision Copy Protection Process, Revision 7.2.H 1
Copyright information: (i) Line 23 to ETSI EN 300294; and (li) for devices llsing a SCART connector, the SCART connector must be configured so that the RGB signa! carried by that connector must always be accompanied by a composite signal and that composite signal must provide the only synchronization for the RGB signal. Other RGB video outputs are not
ermitted.
480P Progressive Scan Outputs YUV, YPbPr or Y, R-Y, B-Y component Macrovision Automatic Gain Control copy control system specified in the allowed if the Digital Only Token was ciocument entitled "Specifications of the Macrovision AGC Copy Protection not set, the Constrained Image is Waveforms for Products with 52Sp (480p) Progressive Scan Outputs, Revision passed if the Image Constraint Token 1.2 (February 24, 2003)" is asserted and support for
Best Practices for Content Protection
TYPE OF OUTPUT TYPE OF PROTECTION
Macrovision Analog Protection System and CGMS-A/Copyright information is available.
CGMS-A, APS/ APS triggel bit and Redistribution Control Information (RCI): (i) CGMS-A and APS trigger bit on Line 41 according to IEC 618802:2002; and (ii) in devices using with part numbers having a date of first commercial availability after October 1, 2007, CGMS-A, APS and RCI Signaling on Line 40 for Type B according to CEA-805- B
625P Progressive Scan Outputs 576p YUV, YPbPr orY, R-Y, B-Y component allowed if the Digital Only Token was not set, the Constrained Image is passed if the Image Constraint Token is asserted and support for Macrovision Analog Protection System and CGMSA/Copyright information is available.
Macrovision Automatic Gain Control copy control systems specified in the document entitled of the Macrovision AGC Copy Protection
and/or 625p YPbPr Progressive Scan Outputs, Revision 1.2 24,2003)"
Copyri ht information: Line 43 accordin to IEC 62375- 2004
SCART connector
Automatic Gain Control and CGMS-A specifications for the composite signal carried such SCART connector, provided that such SCART connector must be
so that the RGB signal carried by such connector must always be accompanied a composite signal and that such composite signal must
the for the RGB signal.
TYPE OF OUTPUT TYPE OF PROTECTION
nop Progressive Scan Outputs VUV, VPbPr or V, R-V, B-V component allowed if the Digital Only Token was not set, the Constrained Image is passed if the Image Constraint Token is asserted and support for Macrovision Analog Protection System and CGMS-A/Copyright information is available.
1080i Progressive Scan Outputs VUV, VPbPr or V, R-V, B-V component allowed if the Digital Only Token was not set, the Constrained I mage is passed if the Image Constraint Token is asserted and support for Macrovision Analog Protection System and CGMS-A/Copyright information is available.
OVI or HOMI digital output (Capitalized terms used in this row of the table but not otherwise defined have the meaning set forth in the HDCP Specification and H DCP License Agreement.)
IEEE 1394, lOB 1394, IP & USB Outputs (Capitalized terms used in the but not otherwise defined shall have the meaning set forth in the DTCP specification and DTCP Adopter Agreement.)
CGMS-A, APS/APS trigger bits and RC!: CGMS-A, APS trigger bits signaling on Line 24 of 720p to JEITA EIAJ CPR 1204-2 complemented by bit assignment definition in IEC 61880:1998; and (iiO in devices using chips with part numbers having a date of first commercial availability after October 1, 2007, CGMS-A, APS and RCI on Line 23 for Type B according to CEA-805-B
CGMS-A, APS/APS trigger bits and RCI: (i) CGMS-A, APS trigger bits signaling on Lines 19 and 582 of 1080i according to JEITA EIAJ CPR 1204-2 complemented by bit assignment definition in IEC 61880:1998; and (ii) in devices using chips with part numbers having a date of first commercial availability after October 1, 2007, CGMSA, APS and RCI signaling on Lines 18 and 581 of 1080i for Type 8 according to CEA805-8
High bandwidth Digital Copy Protection ("HDCP") in accordance with the applicable specification of the H DCP license, provided that when so, the device shall (a) carry any HDCP System Renewability Message delivered in association with such content to the HDCP Source Function and (b) verify that the HDCP Source Function is fully engaged and able to deliver protected content, which means (i) HDCP encryption is operational on such output, (ii) processing of the valid received System Renewability Message associated with such content, if any, has occurred as defined in the HDCP Specification and (iii) there is no HDCP Display Device or Repeater on such output whose Key Selection Vector is in such System Renewability
Message.
A device may pass content for which the Digital Only Token was not set to an output protected by Digita Transmission Content Protection (DTCP), provided the device (a) carries any DTCP System Renewability Messages delivered in association with such content to the DTCP Source Function, and (b) sets the following fields of the DTCP Descriptor to the indicated values:
APS I Set same as Macrovision information
Issued 9.15.08 Page 12
Best Practices for Content Protection
DTCP CCI Set same as CGMSA information
EPN 1 (Not Asserted)
Image Constraint Token (ICT) o (Constrained)
Retention Move Mode 1 (No Retention)
For DTCP·IP: (i) full authentication, (ii) Internet datagram header time to live constrained to a value no greater than three, (iii) wired equivalent privacy or its successor engaged when wireless, and (iv) round trip time location protocol set to no more than 7ms ("DTCP-IP")in accordance with the applicable DTCP and license.
Windows Media Digital Rights Management for Network Devices ("WMDRM-ND") (Capitalized terms used in the foregoing but not otherwise
defined shall have the meaning set forth in the applicable WMDRM license, WMDRM specification, WMDRM compliance and robustness rules.)
In accordance with the applicable WMDRM license, WMDRM specification, WMDRM compliance rules, and WMDRM robustness rules, a device may pass content with the following settings applicable WMDRM license:
MinimumSecurityLevel" 5000 High Definition content robustness level. Compliance rules for WMDRM will require that level 5000 content be converted to constrained image if uncompressed HD video cannot be protected while traversing a User-Accessible Bus and ICT:s set.
MinimumSecurityLevel = 2000 Standard Definition content robustness level.
Min imu mDeviceSecu rltyLevel 2000 Content may flow to existing WMDRM-ND devices in a manner consistent with the rules of this table.
MinimumCompressedDigitalVideoOutputProtectionLevel = 500 Unprotected I LUI "1-" essed Digital Video Output not allowed.
MinimumUncompressedDigitalVideoOutputProtectionLevel " 300 Require System Renewability Message processing with HDCP.
MinimumAnalogVideoOutputProtectionLeve " 150, but may be changed to 200 in near future CGMS-A 'Copy Never' required for analog video output.
MinimumCompressedDigitalAudioOutputProtectionLevel " 300
MinimumUncompressedDigitalAudioOutputProtectionLevel " 200
DRM_ VIDEO_OUTPUT _PROTECTION.guid = D783A191-E083-4BAF-B2DAE69F910B3772 DRM_ViDEO_OUTPUT _PROTECTION.bConfigData =520000 if this GUID is set, product must convert to constrained image for computer monitor outputs.
DRM_VIDEO_OUTPUT _PROTECTION.guid = 811 C5110-46C8-4C6e-8163C0482A15D47E DRM_VIDEO_OUTPUT]ROTECTION.bConfigData " 520000 if this GUID is set, product must convert to constrained image for component video outputs.
DRM_ VIDEO_OUTPUT ]ROTECTION.guid = C3FD11C6-F8 B 7 -4d20-B008lDB17D61F2DA DRM_ VIDEO_OUTPUT ]ROTECTION.bConfigData APSTB if this GUID is set, Macrovision analog protection system will be turned on, and the APSTB field set based upon the Binary Configuration Data in the XMR license.
DRM_VIDEO_OUTPUT _PROTECTION.guid 6347574B-8FOF-4511-A8F4DB2502C1B7E9 must block display to analog outputs if this GUID is set.
1. Be prepared to describe in detail what physical perimeter security has been implemented to protect your facility and operations operation; what entry controls are in place to allow only authorized personnel into various areas within organization; and the precautions and security in place to safeguard content when handle or stored in the clear.
2. Do internal rooms and vaults, which contain content assets, have locks or have lockable cabinets or safes?
Issued 9.15.08 Page 13
Best Practices for Content Protection
3. Are incoming content assets identified, assigned an owner, given a security classification, moved immediately to a secure storage location and their movement there from tracked?
4. Is there security control for third parties and for staff personnel working in secure area?
5. Are the delivery area and content processing area isolated from each other to avoid any unauthorized access?
6. Are the power and telecommunications cable carrying data and supporting processing services protected from interception?
7. Is any equipment usage outside an organization's premises for information / content processing authorized by the management prior to usage?
8. Are storage devices and media containing sensitive information physically destroyed or securely over written?
9. Is there a procedure for management of removable computer media such as tapes, disks, cassettes, memory cards and reports?
10. Is security of media while being transported taken into account and protected from unauthorized access, misuse or corruption?
11. Is an automatic computer screen locking tool enabled? This would lock the screen when the computer is left unattended for a period of time.
12. Are all programs running on production systems subject to strict change control i.e., any change to be made to those production programs need to be pre-authorized and audit logs maintained for any change made to the production programs?
13. Are duties and areas of responsibility separated in order to reduce opportunities for unauthorized modification or misuse of information / content or services?
14. Are the development and testing facilities isolated from operational facilities?
15. Are there controls against malicious software installation and usage?
16. Does the security policy address software licensing issues such as prohibiting usage of unauthorized software?
17. Is antivirus software installed on the computers to check and isolate or remove any viruses from computer and media?
18. Does the operational staff maintain a log of their activities such as name of the person,
Issued 9.15.08 Page 14
Best Practices for Content Protection
errors, corrective action etc?
19. Is accesses to diagnostic ports securely controlled i.e., protected by a security mechanism?
20. Are there network connection controls for shared networks that extend beyond the organizational boundaries? Example: Electronic mails, web access, file transfers, etc.
21. Is a unique identifier provided to every user such as operators, system administrators and all other staff including technical?
22. Are audit logs recording exceptions and other security relevant events produced and kept for an agreed period to assist in future investigations and access control monitoring?
23. Does the policy adopted take into account the risks of working with computing devices such as notebooks, palmtops etc., especially in unprotected environments?
24. Are there policy, procedure and/ or standard to control home office and mobile activities? This should include threats such as theft of equipment, unauthorized disclosure of information etc.
25. Are there controls in place to ensure that the covert channels and Trojan codes are not introduced into current, new or upgraded system?
26. Are there procedures to ensure compliance with legal restrictions on use of material for which there are intellectual property rights such as copyright, design rights, trade marks?
27. Does a written Security Monitoring and Brach Management Plan exist that describe in detail how you monitor for DRM and CAS security breaches, continuously keep content providers up to date on events and take prompt corrective action to restore security in the event of a breach.
28. Does a written security policy document exists which is approved by the management, published and communicated to all employees?
29. Does the security policy have an owner, who is responsible for its maintenance and review according to a defined review process?
30. Are responsibilities for the protection of individual assets and for carrying out specific security processes clearly defined?
31. Are appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunication operators maintained to ensure that appropriate action can be quickly taken and advice obtained, in the event of a
Issued 9.15.08 Page 15
Best Practices for Content Protection
security incident?
32. Is the implementation of security policy reviewed independently on regular basis in the entire organization?
33. Are security risks with third party contractors working onsite identified and appropriate controls implemented?
34. Are security requirements addressed in the contracts with the third party?
35. Are employees required to sign a document acknowledging all the security requirements to ensure compliance with the organization's security policies and standards?
36. Are verification checks on permanent staff carried out at the time of job applications? This should include character reference, confirmation of claimed academic and professional qualifications and independent identity checks.
37. Are employees asked to sign confidentiality or non-disclosure agreement as a part of their initial terms and conditions of the employment?
38. Do all employees of the organization and third party contractors receive appropriate security training and regular updates in organizational policies and procedures?
39. Do formal reporting procedures exist) to report security incidents through appropriate management channels as quickly as possible?
40.1s there a formal disciplinary process in place for employees who have violated organizational security policies and procedures?
Analo~ Television Outputs means such typical consumer electronics analog connectors as NTSC, PAL, SECAM, YPrPb, S-Video and/or Consumer RGB outputs or Y, R-Y, B-Y Component outputs at any resolution, including, but not limited to 480i, 480p, 576i, 576p, 720p or 1080i. RGB analog video outputs are only allowed for SCART connectors. Any SCART connector must be configured so that the RGB signal carried by that connector must always be accompanied by a composite signal and that composite signal must provide the only synchronization for the RGB signal.
Analo~ Computer Monitor Output means a connector for an analog monitor that is typically found and associated with a Computer Product and that carries uncompressed analog video signals. The term expressly includes those outputs known as VGA, SVGA (800X600 and greater), XGA (1024X768), SXGA, UXGA, and various non-standardized analog monitor connections.
Issued 9.15.08 Page 16
Best Practices for Content Protection
Analog Sunset has meaning as provided for in the AACS Final Agreements. Existing Models may be manufactured and sold by Adopter up until December 31, 2011. For any Licensed Player (other than Existing Models) manufactured after December 31, 2010, analog outputs for Decrypted AACS Content shall be limited to SD Interlace Modes Only (I.e., Composite, SVideo, 480i component). 576i component will be addressed in the applicable Final Agreements. No Licensed Player that passes Decrypted AACS Content to analog outputs may be manufactured or sold by Adopter after December 31, 2013. Notwithstanding the foregoing, Adopter may continue to manufacture and sell an Existing Model in which the implementation of AACS Technology is a Robust Inactive Product after December 31, 2010 provided that when such Robust Inactive Product is activated through a Periodic Update, such Periodic Update results in a Licensed Product that limits analog outputs to SD Interlace Modes Only.
Existing Model means: (I) a product, including without limitation a device, into which a Licensed Player is integrated, all aspects of which are exactly the same in all respects (including branding and consumer model number indication assigned to such integrated device), as any prod uct manufactured and sold prior to December 31,2010; or (ii) a software Licensed Player, all aspects of which are exactly the same in all respects (including branding and version number) as any software Licensed Player manufactured prior to December 31, 2010; provided, that changes to a product made solely (w) to comply with the Compliance Rules, (x) to implement changes solely of Device Key Sets, (y) to implement security patches (z) to implement bug fixes of failures of a product to operate in accordance with such product's pre existing product specification, shall be permitted.
Audio Watermark means the audio watermark solution described in the appropriate specification available and licensable from Verance Corporation.
CGMS-A Standard: Multiple standards define the Content Generation Management System Analog (CGMS-A) protection type. Various countries and regions use various versions of CGMS-A. A hardware vendor must ensure that his or her display miniport driver supports the appropriate CGMS-A version. For example, a driver for a graphics adapter to be used in Japan should probably support the Association of Radio Industries and Businesses (ARIB) TR-B15 standard, which is the operational guideline for digital satellite broadcasting. However, a driver for a graphics adapter to be used in the United States should support the International Electrotechnical Commission (lEC) 61880 standard or the Consumer Electronics Association (CEA) CEA-608-B standard. The standard that a graphics adapter's display mini port driver supports depends on the type of signal that the adapter transmits. The following list describes various standards that define CGMS-A. Currently, redistribution control is defined only in the CEA-805-A standard.
• CEA-805-A Data on Component Video Interfaces defines how CGMS-A and redistribution control information should be encoded in an analog 480p, 720p, or 1080i signal that is transmitted from a component video output (Y/Pb/Pr output). This standard is published by CEA. For more information about CEA, see
Issued 9.15.08 Page 17
Best Practices for Content Protection
the Consumer Electronics Association Web site.
• CEA-608-B and EIA-608-B Line 21 Data Services defines how CGMS-A information should be encoded in a 480i signal that is transmitted from an RF, composite, or SVideo output. This standard is published by CEA and Electronic Industries Association (ElA). For more information about EIA, see the Electronic Industries Association Web site.
• EN 300 294 V1.3.2 (1998-04) Television systems; 625-line television - Wide Screen Signaling (WSS) defines how CGMS-A should be encoded in a 576i Phase Alternation Line (PAL) or Sequential Color with Memory (SECAM) signa!. This standard is published by the European Telecommunications Standards Institute (ETSI).
• IEC - 61880 - First edition - Video systems (525/60) Video and accompanied data using the vertical blanking interval Analog interface is a method of encoding CGMS-A information in a 480i video signal that is transmitted from an analog or digital video output. This method is published by lEe.
• IEC - 61880-2 - First edition - Video systems (525/60) Video and accompanied data using the vertical blanking interval - Analog interface Part 2: 525 progressive scan system is a method of encoding CGMS-A information in a 480p video signal that is transmitted from an analog or digital video output.
• IEC - 62375 - Video systems (625/50 progressive) Video and accompanied data using the vertical blanking interval Analog interface is a method of encoding CGMS-A information in a 576p video signal that is transmitted from an analog or digital video output.
• ARIB TR-B15 Operational Guideline for Digital Satellite Broadcasting defines how CGMS-A information should be encoded in an analog 480i, 480p, 720p, or 1080i signal that is transmitted from a video output. This standard applies only to Japan and is published by ARIB.
Constrained Image means an image having the visual equivalent of no more than 520,000 pixels per frame (e.g., an image with resolution of 960 pixels by 540 pixels for a 16:9 aspect ratio). A Constrained Image may be attained by reducing resolution, for example, by discarding, dithering, or averaging pixels to obtain the specified value. A Constrained Image can be displayed using video processing techniques such as line doubling or sharpening to improve the perceived quality of the image. By way of example, a Constrained Image may be stretched or doubled, and displayed full-screen, on a 1000-line monitor.
Digital Audio Outputs means any of the following digital audio signals: IEC-958, IEC60958, lEC-61937, Bluetooth Audio Profiles, or HOM!.
Digital Only Token means the field or bits used to trigger the output of content to only digital outputs.
Issued 9.15.08 Page 18
Best Practices for Content Protection
Digital Video Output means any of the following: Digital Visual Interface (DVI), HighDefinition Multimedia Interface (HDMI), Unified Display Interface (UDI) and DisplayPort. HDMI includes DVI is a digital interface standard created by the Digital Display Working Group (DDWG) and support for digital audio. For the purposes of this definition, Digital Video Output refers to the DVI capability of HDMI. This definition applies only to the digital interface on DVI and/or HDMI and does not include DVI Analog.
Digital Video Interface (DVI) means a popular form of video interface technology made to maximize the quality of flat panel LCD monitors and modern video graphics cards. In addition to being used as the standard computer interface, the DVI standard was, for a short while, the digital transfer method of choice for HDTV, EDTV, Plasma Display, and other ultra-high-end video displays for TV, and DVDs. The market is now swinging towards the HOM I interface for high-definition media delivery, and DVI is being again constrained to the computer market. There are three types of DVI connections: DVI-Digital, DVI-Analog, and DVI -Integrated (Digital & Analog)
DVl-D - True Digital Video - This provides a faster, higher-quality image than with analog, due to the nature of the digital format. All video cards initially produce a digital video signal, which is converted into analog at the VGA output. The analog signal travels to the monitor and is re-converted back into a digital signal. DVI-D eliminates the analog conversion process and improves the connection between source and display.
DVI-A - High-Res Analog cables are used to carry a DVI signal to an analog display, such as a CRT monitor or budget LCD. The most common use of DVI-A is connecting to a VGA device, since DVI-A and VGA carry the same signal. There is some quality loss involved in the digital to analog conversion, which is why a digital signal is recommended whenever possible.
DVl-l - Integrated cables which are capable of transmitting either a digital-to-digital signal or an analog-to-analog signal. This makes it a more versatile cable, being usable in either digital or analog situations.
The Digital formats are available in DVI-D Single-Link and Dual-Link as well as DVI-I SingleLink and Dual-Link format connectors. These DVI cables send information using a digital information format called TMDS (transition minimized differential signaling). Single link cables use one TMDS 165 MHz transmitter, while dual links use two. The dual link DVI pins effectively double the power of transmission and provide an increase of speed and signal quality; i.e. a DVI single link 60-Hz LCD can display a resolution of 1920 x 1200, while a DVI dual link can display a resolution of 2560 x 1600.
When using DVI-l cables over 10 meters the digital image may not be clear. Because analog has a much longer run, your display may auto-switch once the digital signal is too weak. For this reason, long runs are best done with VGA (for analog) or HDMI (for digital).
Issued 9.15.08 Page 19
Best Practices for Content Protection
DV/-D Single Link, Digital only DV/-A, Analog only
Two sets of nine pins, and a solitary flat blade
DV/-D Dual Link, Digi,tal only
Two sets of nine pins, and a solitary flat blade
DV/·/ Single Link, Digital & Analog
One set of eight pins and one set of four pins, with four contacts around the blade
DV/-/ Dual Link, Digital & Analog
Two sets of nine pins and four contacts Three rows of eight pins and four around the blade contacts around the blade
Federal Information Processing Standard 140-2. May 25.2001: (Supersedes FIPS 140-1, 1994 January 11) Security Requirements for Cryptographic Modules- License Servers The standard specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The standard provides four increasing, qualitative levels of security: Levell, Level 2, Level 3, and Level 4. Security Level 3 is recommended.
• Security Levell provides the lowest level of security. Basic security requirements are specified for a cryptographic module (e.g., at least one Approved algorithm or Approved security function shall be used). No specific physical security mechanisms are required in a Security Level 1 cryptographic module beyond the basic requirement for production-grade components, An example of a Security Levell cryptographic module is a personal computer (PC) encryption board.
• Security Level 2 enhances the physical security mechanisms of a Security Level 1 cryptographic module by adding the requirement for tamper-evidence, which includes the use of tamper-evident coatings or seals or for pick-resistant locks on removable covers or doors of the module. Tamper-evident coatings or seals are placed on a cryptographic module so that the coating or seal must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module. Tamper-evident seals or pick-resistant locks are placed on covers or doors to protect against unauthorized physical access. Security Level 2 requires, at a minimum, role-based authentication in which a cryptographic module authenticates the authorization of an operator to assume a specific role and perform a corresponding set of services.
Issued 9.15.08 Page 20
Best Practices for Content Protection
• Security Level 3 attempts to prevent the intruder from gaining access to CSPs held within the cryptographic module. Physical security mechanisms required at Security Level 3 are intended to have a high probability of detecting and responding to attempts at physical access, use or modification of the cryptographic module. The physical security mechanisms may include the use of strong enclosures and tamper detection/response circuitry that zeroizes all plaintext CSPs when the removable covers/doors of the cryptographic module are opened.
• Security Level 4 provides the highest level of security defined in this standard. At this security level, the physical security mechanisms provide a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access. Penetration of the cryptographic module enclosure from any direction has a very high probability of being detected; resulting in the immediate zeroization of all plaintext CSPs. Security Level 4 cryptographic modules are useful for operation in physically unprotected environments.
IEEE 1394 and USB: The IEEE 1394 interface is a serial bus interface standard for highspeed communications and isochronous real-time data transfer, frequently used in a personal computer. The interface is also known by the brand names of FireWire (Apple Inc.), LLINK (Sony), and Lynx (Texas Instruments). It is similar to USB but about 20 times faster. It provides a single plug-and-socket connection on which up to 63 devices can be attached with data transfer speeds up to 400 MB/sec.
The topology of 139,1, known as a tree is shovvn in figure 1 Any device can connected to other long as there are no loops. The devices can hot
swapped. If a device is added or removed, the bus will reset, reconfigure and continue operation. If the bus is broken, two eees will reset, and resume operation as two independent busses. Li also offers connectivity, so peripherals can talk to one another without intervention from the PC
In contrast, Universal Serial Bus (USB) hets what is known as a star-tiered topology shown in figure 2 belmv. acts ;:1S the host. Each d is connected to hub, which provides sockets and power nei acts as a re r. Hubs can either f-powered or bus powered. They can also be cascaded The U B topol supports up to 127 devices,
Issued 9.15.08 Page 21
Best Practices for Content Protection
Host
Image Constraint Token shall mean the field or bits used to trigger a Constrained Image.
User-Accessible Bus means an internal analog connector that is designed and incorporated (a) for the purpose of permitting end user upgrades or access or that otherwise readily facilitates end user access or (b) for the purpose of permitting end user upgrades or access such as an implementation of a smartcard, PCMCIA, Cardbus, or PCI that has standard sockets or otherwise readily facilitates end user access. A User-Accessible Bus does not include memory buses, CPU buses, or similar portions of a device's internal architecture that do not permit access to content in form usable by end users.
Issued 9.15.08 Page 22
Best Practices for Content Protection
By way of example, the WMDRM 10 settings are used here to explain Paramount's current requirements. When using other Content Protection Systems, the License will be expected to demonstrate that comparable setting are available and set correctly Paramount's requirements and the terms and conditions of the License Agreement.
ESTRight WMF SDK 11 WMDRM I Description VOD EST
Potable This right allows the consumer to
AllowBackupRestore WM manage licenses by making backup oFalse oFalse oFalse 1. Rights Manager 7 SDK or copies and restoring licenses from Not Not Not
later backups. The default value of this Allowed Allowed Allowed property is 0 (false).
AliowBurnToCD WM Rights2. This right has been deprecated and replaced by AliowPlaylistBurn.
Manager 7 SDK or later
This right allows consumers play AllowCollaborativePlay WM protected content in a collaborative oFalse oFalse oFalse Rights Manager 10 SDK or session using peer-to-peer services. Not Not later The default value of this property is I Allowed
3. Not Allowed Allowed
IFalse.
This right allows consumers to copy •
protected content to a device, such as a portable player or portable media, that supports Windows Media DRM 10 for Portable Devices. The default value 1 True of this property is False. in addition, a Allowed copy protection level is usually oFalse oFalse if
AliowCopy WM Rights4. specified in combination with the Not Not portable
Manager 10 SDK or later AllowCopy right by using the Allowed Allowed allowed WM RMRestrictions object. in However, in a purchase model, contract sometimes, the AllowTransferToSDMI and AllowTransferToNonSDMI rights
:are used for allowing content to be I
transferred to devices. I This right allows the consumer to play protected content on a computer or
AllowPlay WM Rights5. device. This right has been deprecated. Enabled Enabled Enabled
Manager 10 SDK or later Now, this right is always enabled and cannot be disabled.
This right allows consumers to copy a oFalseoFalse oFalseAliowPlaylistBurn WM Windows Media file from a playlist to a
NotNot Not6. Rights Manager 10 SDK or CD in the Red Book audio format. The !
Allowed Allowedlater Allowed •default value of this property is False.
AliowPlayOnPC I This right has been deprecated and the AliowPlay right is always enabled. 7. •
Not currently supported. 8. AllowSaveStrea m Protected
Issued 9.15.08 23
Best Practices for Content Protection
BurnToCDCount WM Rights This right is no longer supported. It has been replaced by replaced by 12.
Mana er 7 SDK or later MaxPlaylistBurnCount and PlaylistBurnTrackCount.
This right the number of times the consumer is allowed to copy If content using the AllowCopy right. allowed
CopyCount WM Rights Defa u It: this right is not set, and per13. 0 0Manager 10 SDK or later unlimited copies are allowed. The contract
number of copies that can be lor controlled from the computer is 0 more 249. If Allow Copy is enabled, set Copy Protection level to = 400 You can use the WMRMRestrictions object to
the technologies to require, include, or exclude for copying
Copy Restriction WM protected content. You can require Not14. Rights Manager 10 SDK or that content be copied to devices with 400 400
enabledlater at least a medium level of encryption (a protection level of 400). By default, copy restrictions are not set. For information about current output protection levels, see the document WMRM SDK Compliance Rules.
This right deletes the license if the consumer's computer clock is reset to
DeleteOnClockRollback an earlier time. Use this right if the Not Not Not
WM Rights Manager 7 SDK15. license also specifies an expiration enabled enabled enabled
or later date. This property works only if you have set an expiration date first.
Right WMF SDK 11 WMDRM Description VOD EST EST
Potable ! This right allows the consumer to
transfer the Windows Media file to a device or portable media that is not
AllowTransferToNonSDMI SDMI (Secure Digital Music Initiative) oFalse oFalse oFalse 9. WM Rights Manager 7 SDK compliant, but supports Portable Not Not Not
or later Device DRM version lor Windows Allowed Allowed Allowed Media DRM 10 for Portable Devices. The default value of this property is 0 (false).
This right allows the consumer to transfer the Windows Media file to a
AllowTransferTOSDMI WM SDMI-compliant device or portable oFalse oFalse oFalse
10. Rights Manager 7 SDK or media that supports Portable Device
Not Not NotDRM version lor Windows Media DRM 10 for Portable Devices. The
Allowed Allowed Allowed
default value of this property is 0 (false).
This right a date after which or later the license is valid ion Date ion Date ion Date
Issued 9.15.08 Page 24
Best Practices for Content Protection
ExcludedApplications WM
17. Rights Manager 7 SDK or
later y method to find out whether a player
is based on Windows Media Format
7.1 SDK or a later version, and then
specify the rights accordingly. licensee
must have written approval from
Microsoft before generating WMDRM
licenses that exclude an
' ExpirationAfterFirstUse This right specifies the length of time
(in hours) a license is valid after the18. Ii WM Rights Manager 7 SDK 24 Hours None None or later first ti me the license is used
Transacti
consumer's computer clock is reset to Not
an earlier time. This property works Enabled i enabled enabled
only if you have set an expiration date first.
Specifies the application 10 of a player that you want to prevent from
accessing your protected content. Only
players based on the Windows Media
Format 7.1 or later SDK can interpret
this right You can use the
WMRMChallenge.CheckClientCapabilit Not set Not set Not set
19. ExpirationDate WM Rights
Manager 7 SDK or later
This right specifies a date after which
i the license is no longer valid and the
, Windows Media file can no longer be
played
on Date
+ 30 <= end of
license
i window
None None
20. ExpirationOnStore WM
Rights Manager 7 SDK or
later
This right specifies the length of time
(in hours) a license is valid after the
i first ti me the license is stored on the
consumer's
None None
This right specifies the number of
I hours during which protected contentGracePeriod WM Rights
21. i can be played after a device clock o oManager 10 SDK or later
becomes unset. The default value of
I this property is O.
i MinimumAppS-e-c-u-ri-ty-W-M---t-1 Specifies and retrieves the minimum security level that a player must have
23. I Rights Manager 7 SDK or to use the content. This right has been deprecated and replaced by"'I'
Jlater , MinimumSecuritylevel. ,_____________---'
Issued 9.15.08 Page 25
Best Practices for Content Protection
Right WMF SDK 11 WMDRM Description
Player applications based on Windows Media Format 9 Series SDK or later with strict security requirements. Included devices Windows Media DRM 10 for Portable Devices and Network Devices. Excludes: Devices based on
MinimumSecurityLevel WM Windows Media Portable Device DRM 24. Rights Manager 10 SDK or vI or based on Windows CE 4.2 and
later later. When a consumer tries to play the Windows Media file, the minimum security level specified in the license is
.......
ESTVOD EST POi
I
2000 20002000
compared to the security level of the player application or device. The result determines whether the Windows Media file can be played.
If the Output Protection level specified in the WMDRM Licenses is greater than or equal to 101 and less than or
equal to 300, the Licensed Product may Pass the audio portion of compressed decrypted WMDRM Content only using Secure Audio Path.
Licensed Products must engage SAP by calling IWM DRM Reader: :Set DRM Property() with the parameters g_wszWMSAPLevel and 300. The audio portion of compressed decrypted WMDRM Content must not be Passed to Digita I Audio Outputs
except to HDMI with HDCP engaged.
If the Output Protection Level specified in the WMDRM License is
greater than or equal to 101 and less
than or equal to 200, the Licensed
Product may Pass the audio portion of uncompressed decrypted WMDRM
Minimum Output 300
Compressed Digital Audio Protection Level For 30025. 300
Minimum Output Content only using Secure Audio Path.
Protection Level For Licensed Products must engage SAP by 20026. 200 200
Uncompressed Digital calling
Audio IWM DRM Reader: :SetORM Property() with the parameters g_wszWMSAPLevel and 200. The audio portion of uncompressed decrypted WMDRM Content may be
Passed to Digital Audio Outputs.
Issued 9.15.08 Page 26
Minimum Output
Best practices for Content Protection
Product is Passing the video port'on ofI
uncompressed decrypted WMDRM Content to Digital Video Outputs, the Licensed Product must use COPP to
29,
Minimum Output Protection Levels For Uncompressed Digital Video
engage HDCP to protect the video portion of uncompressed decrypted WMDRM Content, Licensed Products must verify using COPP that the HDCP source function is engaged and able to
300 300 300
deliver protected content, which means HDCP encryption is operational on the Output, and Licensed Products must not Pass the video portion of uncompressed decrypted WMDRM Content to Digital Video Outputs if COPP fails to verify that the HDCP source function is engaged,
30, Output Protection Levels for Playback
Specifies protection levels to restrict how protected Windows Media files
[ are played Maximum: 500
i
1
500 500 500
Right WMF SDK 11 WM DRM
Minimum Output 27, Protection Levels For
Analog Video
Description
If the Output Protection Level specified in the WMDRM License is greater than or equal to 101 but less than or equal to 250 and the Licensed Product is Passing the video portion of decrypted WMDRM Content to Analog Television Outputs, the Licensed Product must attempt to use COPP to engage CGMS-A with the CGMS-A field set to 'Ub' ("copy never"); however, the Licensed Product may Pass the video portion of decrypted WMDRM Content to Analog Television Outputs even if COPP fails to verify that the Analog Television Outputs successfully
CGMS-A.
Compressed Digital Video Content must not be passed to any output,
If the Output Protection Level specified in the WMDRM License is greater than or equal to 251 and less than or equal to 300 and the Licensed
ESTVOD EST
Potable
150 150 150
500 500
Issued 9,15,08 Page 27
500
Best Practices for Content Protection
[Right WMF SDK 11 WMDRM
r-
Output Control for Analog31.
Computer Monitor Output
I Description I
VOD EST EST
Potable , If a licensed Product is Passing the
video portion of decrypted WMDRM Content to an Analog Computer Monitor Output and any DRM_VIDEO_OUTPUT_PROTECTION.g uidlD has a value of "D783A191-E0834BAF-B2DA-E69F910B3772", the
Enabled Enabled Enabled
Licensed Product must Pass the video portion of the decrypted WMDRM Content with an Effective Resolution of no greater than 520,000 pixels per
• frame.
! If a Licensed Product is Passing the video portion of decrypted WMDRM Content to Analog Component Video Outputs and any DRM_VIDEO_OUTPUT_PROTECTION.g
! Output Control for Analog
32. Component Video Output
WM Rights33.
Manager 7 SDK or later
uidlD has a value of "811C5110-46C84C6e-8163- C0482A15D47E", the licensed Product must Pass the video portion of the decrypted WMDRM Content with an Effective Resolution of
no greater than 520,000 pixels per frame.
This right specifies the number of times the consumer is allowed to play protected content. Default: if this right
is not set and unlimited playing is allowed
Enabled Enabled Enabled
Not set Not set Not set
34. • PlaylistBurnTrackCount • WM Rights Manager 10
SDK or later
! The maximum number of times a Windows Media file can be copied to a CD, regardless of what playlist it is in. By default, this is not set.
Not Not Enabled Enabled Enabled
35.
PlayRestrictions WM
Rights Manager 10 SDK or later
Object to specify the technologies to require, include, or exclude for playing
protected _content.
Call RestrictObj.AddRestriction(l, 390) Uncompressed digital video, see #28
Call RestrictObj.AddRestricti0r"1(2, 500) Compressed digital video, see #27
Call RestrictObj.AddRestriction(3, 150) Analog video, see #26
Call RestrictObj.AddRestriction(4, 300) ~ompressed digital audio, see #24
Call RestrictObj.AddRestriction(5, 300) Uncompressed ~igital audio, see #25
Issued 9.15.08 Page 28
Best Practices for Content Protection
Right WMF SDK 11 WMDRM Description VOD EST EST
Potable
1 Automatic Gain Control and I
ColorStripe. If a Licensed Product is
Passing the video portion of decrypted WMDRM Content to Analog Television
Outputs and any DRM_VIDEO_OUTPUT_PROTECTION.g uidlD has a value of "C3FD11C6-F8B74d20-B008-1DB17D61F2DA", the
Licensed Product must engage Automatic Gain Control and
ColorStripe and set the Analog 0 0 0
Macrovision Output Copy Protection System (APS) Trigger Bits
36. (APSTB) field via COPP using the value Protection
specified in
DRM_VIDEO_OUTPUT_PROTECTION.b
ConfigData. Additional technologies
and restrictions may be required as
specified in Section 4.2.5. For
avoidance of doubt, the value of
bConfigData for AGC and ColorStripe is
as follows:
bConfigData =0, No MV ACP, OOb, Off
bConfigData =1, AGC Only, 01b, APS 1
bConfigData =2, AGC & 2 line ColorStripe, lOb, APS 2
bConfigData =3, AGC & 4 line ColorStripe, 11b, APS 3
Specifies and retrieves the security level for content that is being
37. PMAppSecurity WM Rights transferred to portable devices or portable media. This right has been Manager 7 SDK or later deprecated and replaced by MinimumSecurityLevel and
MinimumClientSDKSecurity.
PIVI ExpirationDate WM Specifies and retrieves the expiration date for a portable license. This right
is no longer supported. This right has been deprecated. Expiration rights 38. Rights Manager 7 SDK or
such as ExpirationDate, BeginDate, ExpirationAfterFirstUse, and later
ExpirationOnStore now apply to all licenses, including licenses on devices.
PM Right WM Rights Specifies and retrieves the rights that govern content use with a portable
39. license. This right is no longer supported. This right has been deprecated. Manager 7 SDK or later
All rights now apply to all licenses.
Specifies and retrieves the number of
times the content can be transferred
40. TransferCount WM Rights to portable devices or portable media
0 0 0Manager 7 SDK or later using the AllowTransferToSDMI and
AllowTransferToNonSDMI rights. By
default, this property is not set.
Issued 9.15.08 Page 29
Best Practices for Content Protection
Right WMF SDK 11 WMDRM
Allowed Included Output ID41.
Value A
Allowed Included Output 1042.
Value B
Description
Indirect License Acquisition via USB. Licensed Products may Receive WMDRM Licenses via USB, provided that the Licensed Product (a) supports all mandatory features and supported optional features of the MTP protocol as specified in the WMDRM-PD MTP Extensions Technical Documentation or (b) supports the RAPI protocol.
Indirect License Acquisition via IP. Licensed Products may Receive and store WMDRM Licenses via IP (using a protocol other than MTP) if (a) the WMDRM License contains an Inclusion List with a value of {OFB334DC-DE98
4DDC-A8A7-67D7676C0163l; and (b) the Licensed Product uses a technical mechanism (which may but need not be part of the WMDRM-PD implementation) to verify that the Content Provider has authorized the
Not Not
I
Allowedallowed allowed
i I
Not Not Allowed
allowed allowed
I Licensed Product to Receive the WMDRM License.
Indirect License Acquisition via IP.
Licensed Products may Receive and store WMDRM Licenses via MTP over
IP if (a) the Licensed Product supports
all mandatory features and supported optional features of the MTP protocol as specified in the WMDRM-PD MTP Extensions Technical Documentation;
43. Allowed Included Output ID Value C
(b) the WMDRM License contains an Inclusion List with a value of
Not allowed
Not allowed
Allowed
{24533722-DACD-4f7e-9A96
84D848B46D59}; and (c) the Licensed
Product uses a technical mechanism (which may but need not be part of the WMDRM-PD Implementation) to verrfy
that the Content Provider has
authorized the Licensed Product to Receive the WMDRM License.
Issued 9.15.08 Page 30
Best Practices for Content Protection
ESTRight WMF SDK 11 WMDRM Description VOD EST Potable
,DTCP (Digital Transmission Content Protection) Licensed Product must confirm that GUID {D6B5030B-OF4F43A6-BBAD-356F1EA0049A} is returned from the GetlnciusionList API on the WMDRM License associated with the WMDRM Content. DTCP_EPN must be set to "Not Asserted";
Allowed Included Output ID DTCP_CCI and CGMS-A must be set to Not44. Allowed AllowedValue D "Copy Never"; and Only if the allowed
DRM_ VIDEO_OUTPUT _PROTECTION.g uidlD = "C3FDllC6-FBB7-4d20-BOOBlDB17D61F2DA" is specified, the DTCP_APS value shall be set to the least significant two bits of the DRM_ VIDEO_OUTPUT _PROTECTION.b ConfigData value when cast as a binary value.
CPRM (Content Protection Recordable Media) Licensed Product must confirm that GUID "CDDB01AD-A577-4Bdb
950E-46D5F1592FAE" is returned from
i the GetlnclusionList API on the . h hWMDRM License associate d Wit t e f
Allowed Included Output ID WMDRM Content. The CPRM Initial Not NotAllowed45.
Value E Move Control Information must be set allowed allowed to "Move is never perm itted". The
by contract
CPRM Current Move Control Information must be set to "Move is never permitted". The CPRM Copy
Count Control Information must be set to "Copy is never permitted".
Issued 9.15.08 Page 31
Be::it Practicfs for Cont~nt Protection
Right WMF SDK 11 WMDRM EST EST
Potable
Licensed Product must confirm that
GUID "002F9772-38AO-43e5-9F79
OF6361DCC62A" is returned from the
GetlnciusionList API on the WMDRM
License associated with the WMDRM
Content. Helix DRM AllowPlayOnPC = True; Helix DRM PlaybackCount l',
If Allowed Included Output 10
Helix DRM PlaybackThreshold =0; Allowed Not46. Helix DRM EMI = Copy Never; Only if
Value F the
by allowed
DRM_VIDEO_OUTPUT _PROTECTION.g contract
uidlD = "C3FD11C6-F887-4d20-8008
1D817D61F2DA" is specified, the Helix
APS value shall be set to the least
significant two bits of the
DRM_VIDEO_OUTPUT _PROTECTION.b
ConfigData value when cast as a binary
i value.
Content Scrambling System (CSS)
i Licensed Product must confirm that
GUID "3CAF2814-A7A8-467C-84DF
54ACC56C66DC is returned from the
GetlnciusionList API on the WMDRM
License associated with the WMDRM
Content. CGMS in the CPR_MAl in the
content sector headers of the
protected V08 files must be set to llb If
Allowed Included Output ID ("Copy Never"). Only if the
Not Allowed Not47. DRM_VIDEO_OUTPUT _PROTECTlON.g
Value G uidlD "C3FD11C6-F8B7 -4d 20-8008
allowed by allowed
IDB17D61F2DA"is specified, the APSTB contract
field of the Presentation Control
Information (PCI) in each navigation
data pack of the protected VOB files
shall be set to the least Significant two
bits of the
DRM_VIDEO_OUTPUT_PROTECTION.b
ConfigData value when cast as a binary
value.
Describes the number of machines on Defined i by Allow
48. Multiple Device Playback which playback may be licensed and to
1 Set per
Copy and (Business System) be set in the Licensee's business contract
Copy
i I system i Count i
Issued 9.15.08 Page 32
Secure Audio Device Drivers to Audio
Best Practices for Content Protection
restriction, the audio portion decrypted WMDRM
Products may compressed decrypted A/V Content to flow
201 to 300, If the Output Protection level specified in the WMDRM Licenses is
greater than or equal to 201 and less than or equal to 300, the Licensed Product may
Pass the audio portion of compressed decrypted WMDRM Content only using Secure Audio Path. Licensed Products
must engage SAP by calling IWMDRMReader::SetDRMProperty() with the parameters g_wszWMSAPLevel and 300, The audio portion of compressed decrypted WMDRM ConteGt must not be
Audio Outputs except to
engaged.
or equal to 201 and less than or equal to 250, PlayReady Final Product may Pass the audio portion of compressed decrypted A/V Content to (i) Secure Audio Device Drivers via HDMI with HDCP engaged, or (ii) Secure Audio
Level specified in the License is greater than or equal to 251 and less than or equal to 300, PlayReady Final Products may Pass the
audio portion of compressed decrypted A/V Content to Secure Audio Device Drivers via HDMI with HDCP engaged,
Output Control for Compressed Digital Audio Content. [Allowed for WMF
SDK 100, 200 or 3001 [For PlayReady also see Explicit Digital Audio Output Restriction in Compliance Rules]
Level 101 to 200, If the Output Level specified in the WMDRM License is
greater than or equal to 101 and less than or equal to 200, Licensed Products may Pass the audio portion of compressed decrypted WMDRM Content o~ly using Secure Audio Path, Licensed Products must engage SAP by calling IWMDRMReader::SetDRMProperty() with the parameters g_wszWMSAPLevel and
200, The audio portion of compressed decrypted WMDRM Content may be Passedto Digital Audio Outputs,
Level 101 to 150, If the Output Protection Level specified in the License is greater than or equal to 101 and less than or equal to 150, PlayReady Final Products may Pass without restriction the au dio portion of compressed decrypted A/V Content to Stream Rendering Applications, and via
the Output Protection Level specified in the License is greater than or equal to 151 and less than or equal to 200, PlayReady Final Products may Pass without restriction the audio portion of compressed decrypted A/V Content via Secure Audio Device Drivers to Audio Outputs,
Level 201 to 250, If the Output Protection Level specified in the License is greaterthan
Issued 9,15,08 Page 33
Best Practices for Content Protection
Output Protection
Output Control for Uncompressed Digital Audio Content.
[Allowed for WMF SDK 100, 200 or 300] [For PlayReady also see Explicit Digital Audio Output Restriction in Compliance Rules]
Protection Level specified i'1 the WMDRM Protection Level in the License is License is greater than or equal to 301, the Licensed Product must not Pass the audio portion of compressed decrypted WMDRM Content. Level 0 to 100. If the Output Level is not specified or the level in the WMDRM License is less than or equal to 100, the Licensed Product may Pass, without restriction, the audio portion of uncompressed decrypted WMDRM
greater than or equal to 301, PlayReady Final Products must not Pass the audio portion of compressed decrypted A/V
If the Output Protection or the Output
restriction. Level 101 to 150. If the Output Protection Level specified in the License is greater than or equal to 101 and less than or equal to 150, PlayReady Final Product may Pass without restriction the audio portion of uncompressed decrypted A/V Content to
Applications, and via Secure Audio Device Drivers to Audio
f--_______________--+_O_u_t___p_uts_.---------------l Level 101 to 200. If the Output Protection
I Level specified in the WMDRM License is greater than or equal to 101 and less than or equal to 200, the Licensed Product may Pass the audio portion of uncompressed decrypted WMDRM Content only using Secure Audio Path. Licensed Products must engage SAP by IWMDRMReader::SetDRMProperty() with the parameters g_wszWMSAPLevel and 200. The audio portion of uncompressed decrypted WMDRM Content may be Passed to Digital Audio Outputs.
Level 151 to 200. If the Output Protection Level in the License is greater than or equal to 151 and less than or equal to 200, PlayReady Final Product may Pass without restriction the audio portion of uncompressed decrypted A/V Content via Secure Audio Device Drivers to Audio Outputs.
Level 201 to 250. If the Output Protection Level in the License is greater than or equal to 201 and less than or equal to 250, PlayReady Final Product may Pass the audio portion of uncompressed decrypted
A/V Content to (I) Secure Audio Device Drivers via HDMI with HDCP engaged, or (ii) Secure Audio Device Drivers with SCMS engaged with the Cp-bit set to zero (0) and
Issued 9.15.08 Page 34
Best Practices for Content Protection
IWMDRMReader::SetDRMProperty() with the parameters LWSzWMSAPLevel and 300. The audio portion of uncompressed decrypted WMDRM Content must not be Passed to Digital Audio Outputs except to HDMI with HDCP engaged.
Level 301 or greater. If the Output Level 301 or greater. If the Output Protection Level specified in the WMDRM Protection Level in the License is License is greater than or equal to 301, the greater than or equal to 301, PlayReady Licensed Product must not Pass the audio Final Product must not Pass the audio portion of uncompressed decrypted portion of uncompressed decrypted WMDRM Content. Content.
Output Control for Licensed Products must not Pass the video If the Output Protection Level is not portion of compressed decrypted specified or the Output Protection LevelCompressed Digital WMDRM Content to any Output. Set to specified in the License is greater than orVideo Content.
equal to 0, PlayReady Final Products must 500.[Allowed for WMF not Pass the video portion of compressed
Output Protection WM Format SDK 11 Level 201 to 300. If the Output Protection Level specified in the WMDRM License is greater than or equal to 201 and less than or equal to 300, the Licensed Product may Pass the audio portion of uncompressed decrypted WMDRM Content only using Secure Audio Path. Licensed Products must engage SAP by calling
PlayReady Level 251 to 300. If the Output Protection Level specified in the License is greater than or equal to 251 and less than or equal to 300, PlayReady Final Product may Pass the audio portion of uncompressed decrypted A/V Content to Secure Audio Device Drivers via HDMI with HDCP engaged.
SDK 11 400, 200] [For PlayReady see also Section 3.5.4 of the Compliance Rules]
Output Control for
Uncompressed Digital Video Content. [Allowed for WM F
SDK 11100, 250 or 300] [For PlayReady see also Section 3.5.5
of the Compliance
Rules]
Level 0 to 100. If the Output Protection Level is not specified or the ;evel specified in the WMDRM License is less than or equal to 100, the Licensed Product may Pass, without restriction, the video portion of uncompressed WMDRM
Content to Level 101 to 250. If the Output Protection
video
Level specified in the WMDRM License is greater than or to 101 and less than or equal to 250 and a Licensed Product is Passing the video portion of uncompressed decrypted WMDRM Content to Digital Video Outputs, the Licensed Product must attempt to use COPP to engage HDCP to protect the video portion of uncompressed decrypted WMDRM Content. Licensed Products must attempt to verify using COPP that the HDCP source function is engaged and able to deliver protected content, which means
Output; however, the Licensed Product Pass the video portion of
to Digital Video fails to verify that the
HDCP encryption is operationa I on the
decrypted WMDRM
decrypted Content to Digital Video Outputs. Set to 500.
! Level 0 to 100. If the Output Protection Level is not or the Output Protection Level specified in the License is less than or to 100, PlayReady Final Products may direct the video portion of uncompressed decrypted A/V Content to flow without restriction.
Level 101 to 250. If the Output Protection Level in the License is greater than or equal to 101 and less than or equal to 250, PlayReady Final Products may Pass the video portion of uncompressed decrypted A/V Content to Digital Video Outputs, while attempting to engage HDCP to protect the video portion of uncompressed decrypted A/V Content. However, PlayReady Final Products may Pass the video portion of uncompressed decrypted A/V Content to Digital Video Outputs, even if HDCP cannot be
Issued 9.15.08 Page
Best Practices for Content Protection
Output Protection WM Format SDK 11
Level
Level 251 to 300. If the Output Protection Level 251 to 300. If the Output Protection Level specified in the WMDRM License is in the License is greater than greater than or equal to 251 and less than or equal to 251 and less than or equal to or equal to 300 and the Licensed Product 300, PlayReady Final Products may Pass the is Passing the video portion of video portion of uncompressed decrypted uncompressed decrypted WMDRM A/V Content to Digital Video Outputs with Content to Digital Video Outputs, the HDCP Licensed Product must use COPP to engage HDCP to protect the video portion of uncompressed decrypted WMDRM Content. Licensed Products must verify using COPP that the HDCP source function is engaged and able to deliver protected content, which means HDCP encryption is operational on the Output, and Licensed Products must not Pass the video portion of uncompressed decrypted WMDRM Content to Digital Video Outputs if COPP fails to verify that the HDCP source
function is Level 301 or greater. If the Output Level 301 or greater. If the Output Protection Level in the WMDRM Protection Level specified in the License is License is greater than or equal to 301, the greater than or equal to 301, PlayReady
Licensed Product must not Pass the video Final Products must not Pass the video decrypted portion of uncompressed decrypted
Video Content to Digital Video Outputs.
Outputs.
Level °to 100. If the Output Protection
may Pass the video portion of decrypted WMDRM Content to Analog Television
Outputs even if COPP fails to verify that
Level °to 100. If the Output Protection Level is not or the level specified Level is not specified or the Output in the WMDRM License is less than or Protection Level specified in the License is equal to 100, the Licensed Product may less than or equal to 100, PlayReady Final
Output Control for Pass, without restriction, the video portion Products may direct the video portion of Analog Television I of decrypted WMDRM Content to any uncompressed decrypted A/V Content to
Outputs [Allowed for i video output. flow without restriction. Level 101 to 150. If the Output Protection Level 101 to 150. If the Output Protection Level in the WMDRM License is
WMF SDK 11100, 150 Level specified in the License is greater than or 200 and see also
greater than or equal to 101 but less than or equal to 101 and less than or equal toSection 4.2.6 or equal to 150 and the Licensed Product 150, PlayReady Final Products may Pass the
Extended Output is Passing the video portion of decrypted video portion of decrypted A/V Content to
Controls for Analog WMDRM Content to Analog Television Analog Television Outputs, while Television Outputs] Outputs, the Licensed Product must attempting to engage CGMS-A with the [For PlayReady see attempt to use COPP to engage CGMS-A CGMS-A field set to "llb" ("copy never"). also Section 3.5.7, 8, with the CGMS-A field set to 'llb' ("copy However, PlayReady Final Products may
9 of the Compliance never"); however, the Licensed Product Pass the video portion of decrypted A/V
Content to Analog Television Outputs even if CGMS-A cannot be successfully
Rules]
Issued 9.15.08 Page 36
Level specified in the License is greater than or equal to 151 but less than or equal to
Best Practices for Content Protection
Analog Television Outputs if COPP fails to verify that the Analog Television Outputs
CGMS-A,
201 or greater, If the Output
Content to
Output Protection WM Format SDK 11 Level 151 to 200, If the Output Level specified in the WMDRM License is greater than or equal to 151 but less than or equal to 200 and a Licensed Product is Passing the video portion of decrypted WMDRM Content to Analog Television Outputs, the Licensed Product must use COPP to engage CGMS-A with the CGMS-A field set to 'lIb' ("copy never"), and the Licensed Product must not Pass the video portion of decrypted WMDRM Content to
200, PlayReady Final Products may Pass the video portion of decrypted A/V Content to Analog Television Outputs while engaging CGMS-A with the CGMS-A field set to llb ("copy never"),
Issued 9,15.08 Page 37
Best Practices for Content Protection
If the facility where content is handled in the clear has not been MPAA audited the following information may be required.
Physical and Data Security Audit Form:
• Name of Company:
• Name of Service:
• Name of Licensee: • Location where content is handled in the clear: If the answer to reasons below.
What physical perimeter security has been implemented to protect your operation? What entry controls are in place to allow only authorized personnel into various areas
1. within organization? Some examples of such security facility are card control entry gate, walls, manned reception etc.
the precautions and security in place to safeguard content when
rooms, which contain content assets, have locks or have lockable cabinets
content assets identified, assigned an owner, given a security moved immediately to a secure storage location and their movement
tracked?
control for third parties and for staff personnel in secure
screen locking tool enabled? This would lock the screen unattended for a of time.
Issued 9.15.08 Page 38
Best Practices for Content Protection
If the answer to any question is "NO", please explain your reasons below.
Are all programs running on production systems subject to strict change control i.e., 16. any change to be made to those production programs need to be pre-authorized and
audit logs maintained for any change made to the production programs?
17. Does an Incident Management procedure exist to handle incidents? Are duties and areas of responsibility separated in order to reduce opportunities for
18. unauthorized modification or misuse of information / content or services?
19. i Are the and facilities isolated from facilities? 20. Are there controls malicious software installation and
Does the security policy address software licensing issues such as prohibiting usage of 21. d funauthorize so tware?
22. Is antivirus software installed on the computers to check and isolate or remove any
from and media?
Does the operational staff maintain a log of their activities such as name of the person, errors, corrective action etc?
a secu rityIs accesses to diagnostic ports secu rely controlled 24. ?mechanism.
Are there network connection controls for shared networks that extend beyond the boundaries? electronic web file transfers, etc.
25.
Is a unique identifier provided to every user such as operators, system administrators 26. i and all other staff technical?
Are audit logs recording exceptions and other security relevant events produced and kept for an agreed period to assist in future investigations and access control
Does the policy adopted take into account the risks of working with computing 28. devices such as in environments?
Are there policy, procedure and/ or standard to control home office and mobile 29. activities? This should include threats such as theft of equipment, unauthorized
disclosu re of information etc.
Are there controls in place to ensure that the covert channels and Trojan codes are 30. not introduced into new or upgraded system?
Are there procedures to ensure compliance with legal restrictions on use of material 31. for which there are intellectual property rights such as copyright, design rights, trade
YES NO
marks?
Does a security policy document exists which is 32.
published and commu~icated to all employees? Does the security policy have an owner, who is
33·1 review according to a defined review process?
Are responsibilities for the protection of individual assets and for carrying 0 UtspeCITIC
Page 39
34.
35.
36.
37.
38.
39.
security processes clearly defined?
Are appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunication operators maintained to
Are security requirements addressed in the contracts with the third party?
ensure that appropriate action can be quickly taken and advice obtained, in the event
of a security incident? Is the implementation of security policy reviewed independently on regular basis in the entire organization? Are security risks with third party contractors working onsite identified and appropriate controls implemented?
Are employees required to sign a document acknowledging all the security requirements to ensure compliance with the organization's security policies and
standards?
issued 9.15.08
1
i
I
Best Practices for Content Protection
If the answer to any question is "NO", please explain your reasons below. YES NO
I
40. Are verification checks on permanent staff carried out at the time of job applications? I This should include character reference, confirmation of claimed academic and I professional qualifications and independent identity checks.
41. Are employees asked to sign confidentiality or non-disclosure agreement as a part of
their initial terms and conditions of the employment?
42. Do all employees of the organization and third party contractors receive appropriate
security training and regular updates in organizational policies and procedures?
43. Do formal reporting procedures exist, to report security incidents through appropriate management channels as quickly as possible?
44. Please provide an explanation of why the answer is "NOli to any of the above questions:
45.
Explanation:
Issued 9.15.08 Page 40
Best Practices for Content Protection
Base on your responses to the initial Technical Questionnaire or if additional CPSs become a consideration, the following information may be required.
Content Protection Systems: Content Protection Systems (CPS) means a Digital Rights Management system (DRM) or
Conditional Access System (CAS) used to protect audiovisual content for delivery to consumers
or such other encryption systems used protect audiovisual content for point-to-point physical media or secure electronic delivery between the Content Licensor and the Content Licensee and between the Content Licensee and any node in their distribution system.
I
1) Name of Entity providing the service -+
2) Who is entity affiliated with -+
3) CPS (DRM or CAS) Vendor Name: -+
4) Please attach any Vendor white paper or specifications II List attached documents-+
Questions related to content reception, processing and re-encryption with CPS for delivery to YES
the end user device:
5) Is content received at your origination facility in encrypted form?
6) If yes, what is the encryption used on 11-+ I
the incoming content? Ii
7) Is the content decrypted and re-encrypted with a CPS for delivery to end users? I
8) If yes, identify the CPS used for re-encryption II -+
9) If yes, describe all the content decryption / re-encryption steps and steps used to protect the content in
storage and during transmission.
Description -+
10) Is content on the content distribution servers encrypted? I
11) If not, when is it encrypted for delivery to the end user device?
Description -+
12) How are content encryption keys generated?
Description -+
13) Is the re-encryption under your control, or provided as a 3rd
_Party service?
14) If re-encryption is provided by a 3rd
_Party, identify the service and explain.
I Description -+
The following questions are specific to the CPS used for re-encryption and delivery to end users:
15) On what Operating Systems does the CPS run on the
~wnIO'ded? II
user terminal device?
16) What Browsers, if any, are used?
17) Is content downloaded or streamed to the end user II Streamed?
IIdevice?
18) Is content always transmitted from your origination facilities to the end user's devices in a
secure, encrypted form using the CPS so that access, reproduction of usable copies and re
distribution is accomplished only via licensing and authorized of devices?
NO
I I
I
I I
II
Issued 9.15.08 Page 41
in if NO-+
that a valid license, containing cryptographic keys and other information necessary to decrypt the
Best Practices for Content Protection
19) Does the CPS operate on the basis of cryptographically robust authentication methods such
associated content and associated usage rules, is required to access and play each specific instance of the content?
Explain if NO -+ 20) Is the content license (decryption keys) delivered separately (although said transmissi be simultaneous with the transmission of the Included
NO-+
21) Is each installation of the CPS software on an end-user device individualized and thus u identifiable?
NO -+
content using standard, nonproprietary, t
of the audio and video?
licenses, revocation certificates, and
31} Does the CPS shall only decrypt streamed content or downloaded content into memory temporarily for the purpose of decoding and rendering the content and never allow writing of decrypted content (including portions of the decrypted content) or streamed encrypted content into perma~ent storage?
Explain if NO -+ 32) Does the CPS use FIPS 140-1 level 3 compliant hardware platforms (or equivalent
Issued 9.15.08 Page 42
Best Practices for Content Protection
Continued .....
33) Is the CPS capable of both supporting an su er-distribution and peer-to-peer distribution) of content?
the revocation and exclusion of licenses for insecure and/or
plain what technology is used -+
0-+
a) Examples
38) Does the CPS implement internal secure data channels to prevent rogue intercepting data transmitted between system processes?
Explain if NO -+ 39) Does the CPS employ currently available methods to prevent the use of media player filters or plug-ins that can be exploited to gain unauthorized access to content and shall be updatable as new methods become available (example: access to the decrypted but still encoded content by inserting a shim between the DRM and the media player)?
Explain if NO -+ 38) Output Copy Protection Which of the following rights signaling information with respect to digital and analog9~!P\J~s Copy Protection (OCP) be enabled by the CPS on a title-by-title basis?
Type of OCP YES NO Type of OCP YES NO
e) HDCP
f) DTCP - I P or 1394
g) WMDRM-ND
h) Image Constraint Token (520,000 ___•pixels or less)
i) Does the CPS pass through, if present, a watermark without alteration or removal?
37) Does the CPS, any download or streaming manager software and/or any software used for physical media burning or transfer, move or copy from one Content Protection System to another employ current and contemporary industry accepted robustness methods, including tamperresistant technology that meets industry standards, e.g., to prevent such hacks as a clock rollback, spoofing, use of common debugging tools, and intercepting unencrypted content in memory buffers?
of tamper resistant software techniques include: Code Obfuscation; Integrity Detection; and Anti-Debugging: Prevent the use of common debugging tools?
I
--~ Explain if NO -+
Issued 9.15.08 Page 43
Type I,.
Computer Monitor' • i Type-+i i .. -----..-----------!-------I-----I-
Composite • I • Type-+ S-Video
f---- -- ---------'------"----------~---~~+---'-'----- ..-- ..----------__.j----+____1..----____1
Best Practices for Content Protection
For certain End User Devices, the following information will be required. End User Devices: Settops, Integrated Products & Portable Devices: Please identify the devices used and provide a complete set of specifications. Please make sure that the specifications fully describe all analog and digital outputs and the type of analog or digital copy protection enabled. For each model of device complete the following table:
• Name of Company: • Name of Service:
• Name of licensee: • Location where End User Device will be
Device Vendor Name:
Device Version and Model: i-+
• What standards does the device com
8. I Does the device have a ------~--------~----------~-------------------~
• 9. What is the highest picture resolution supported? i-+ 10. What picture aspect ratios are supported?~'~------------
1----1-'" I " ---------------1-'11. What pixel aspect ratios are supported? -\' -+
12. ' Does the device contain a video display? , -+
i 13. Ilf so, what is the size of the display!___L~__ ----------------------i
I 14'1 Indicate below type of outputs and copy protections are, supported on the device, Please see Best Practices for definitions of Outputs and Copy Protection modes.
I i
Output I i- YES NO ICopy Protection on o.rtPut YES ! NO Comments:
Issued 9.15.08 Page 44
-------
Best Practices for Content Protection
HD signal is constrained to an analog SD signal, is the
Are the device and your system currently equipped to recognize and/or pass along watermarking
or fingerprinting technology? Is it deployed? If so, please specify.~.--------------1
16. Are any of the following functions supported? -+ a) Fast-forward In what time increments? -+
-+ c) Pause How long can the program remain on
features - In what time
Is content downloaded & licensed d I this device?
• b) Rewind In what time increments?
Does device support content transfer to portable devices?
19. If this is portable devices, describe content & license acquisition below.
-+ . Can the device stream content to a TV I display?
Can the device output content to a LAN? i-+ • Can the device output content to the , Internet?
Does your set top box have storage capacity {HDD}?
, If so, how many hours of programming can
• 23.
r I~be stored? 25. Can the storage capacity be expanded?
26. I Does the device connect to external storage devices?
-llTi
Does your set top box have PVR I fu
If describe what content ca
Issued 9.15.08 Page 45
Best Practices for Content Protection
31.
32. 33.
34.
35.
36.
e device (& system) have the ability -+ to remove a program from the HDD?
------------------~-----------
Support for Recordable Media: a) Does the device have disc drive?
b) Playback supported? ! DVD
Does the device kind? d) Does the device support disc recording for playback in
• another device?
Other
a) Recording of DRM encrypted, compressed file for playback on another device
after acquisition of another license on the additional device(s) or transfer of the
license from the device original downloading device to the additional device
(a.k.a. lVIulti-Machine Playback)
b} Recording andPlayback using CSS Managed Recording
c} Recording and Playback using CPRM Managed Recording
YES NO
d) Recording and Playback using AACS Managed Recording ----=-----------------~--~--~
,e) Recording and Playback using an anti-rip technology
I f) Recording and Playback using "any other" technology
Explain "any other" technology:
g) If this device supports any form of recording other than Multi-Machine Playback, provide a
complete description of the system implementation. Specifically identify and describe: all in
house and third-party server and client applications; content preparation and encryption (if
not provided above); when and where the content protection to be burned is applied to the
content; content extraction from DRM, transcoding, re-encrypting and temporary storage of
work-files prior to burning, if any; special media and drive requirements; and the pass-through
or generation of usage rights signaling methods with respect to copy protection on digital and analog of the device.
Description -+ I 37. ! The following specific q~~~tions require specific answers: YES NO
. a) Is each installation of the trusted client, DRM and/or CAS software on an end user device individualized and thus uniquely identifiable? If it is copied or transferred from this device to a subsequent device, will it work on the subsequent device without being uniquely individualized? b) Are playback licenses, revocation certificates, and other security-critical data stored and transmitted within the device cryptographically protected against tampering, forging and c) Are digital content signals and security-critical data ever transmitted within the device in un-encrypted form on exposed traces or accessible component mounting!
Issued 9.15.08 Page 46
Best Practices for Content Protection
points? d) Does the device employ contemporary industry accepted robustness methods and tamper-resistant technology. Devices should be robust against known hacks and standard methods of attack and should be able to evolve in their robustness and tamper resistance to meet new threats as they emerge
Explain if the answer to any question is "NO". Explanation -+
Issued 9.15.08 Page 47