nagra - optimizing multiscreen tv delivery with a secure video player
DESCRIPTION
ÂTRANSCRIPT
SECURE – ENGAGING – EVERYWHERE
DTV.NAGRA.COM
OPTIMIZING MULTISCREEN TV DELIVERY WITH A
SECURE VIDEO PLAYER
WHITE PAPER - AUGUST 2015
2
3
+ CE devices use a wide range of fast-evolving OS platforms, streaming standards, DRM products.
+ Pay-TV service providers face significant challenges in delivering OTT multiscreen services
to these ever-changing CE devices.
+ They are dependent on decisions taken by device manufacturers and sudden changes in browser or operating
platforms can be very disruptive and have a negative impact on pay-TV customers and service providers.
+ Google’s recent withdrawal of support for the NPAPI plug-in on its Chrome browser is a case
in point and has caused problems for some leading pay-TV service providers.
+ Service providers could opt for common encryption DRMs for their OTT TV services, hoping to solve all their
interoperability issues, but this approach will only address part of the technical and business challenges.
+ A better option is an operator-controlled secure player solution delivered by a trusted content
security partner that ensures a consistent user experience across all devices while providing
value over the entire lifecycle of CE devices.
This paper looks at the market needs and challenges that pay-TV service providers face when deploying multiscreen
TV solutions on third-party consumer electronic (CE) devices such as PCs, tablets, and smartphones. It evaluates
the alternative solutions that are available for addressing the needs of both content owners and service customers,
and it examines the potential business benefits of choosing an operator-controlled solution delivered by a trusted
content-security partner. The paper is based around the following key themes :
EXECUTIVE SUMMARY
FURTHER INFORMATION
NAGRA has published a range of additional information on the MediaLive Secure Player portal which can be
found at https://medialive.nagra.com.
To discuss your requirements for a Secure Player deployment in your organization, please contact your Account
Manager or email us at [email protected]
4
CHALLENGE #1 : KEEPING CONTROL
OVER DEVICE PLATFORMS
Service providers are dependent upon strategic and
technological decisions taken by device manufacturers
and software providers. This can leave them vulnerable,
for example, to changes in browser platforms
used on PCs and to the Android and iOS operating
systems of mobile devices. This can also mean that
multiscreen TV applications that worked previously
may suddenly stop streaming content, creating havoc
with subscribers and leading to calls to customer-care
centers, dissatisfaction with the operator, damage to
its brand, and loss of revenue 1. Rather than cement
and strengthen the relationship between pay-TV service
providers and their customers, OTT TV – if not deployed
carefully – could potentially end up undermining
customer confidence.
The latest example of this kind of potentially disruptive
change is Google’s decision to implement the HTML5
Encrypted Media Extensions (EME) standard to manage
DRM content in the Chrome browser, while phasing
out support for the Netscape Plug-in API (NPAPI) (see
Case Study 1). The withdrawal of support for NPAPI
– on which Microsoft’s Silverlight streaming media
application framework and its PlayReady DRM depend –
will affect pay-TV subscribers whose service providers
use these players to provide video content within a
Chrome browser. Given that the share of the Google
Chrome PC browser users is estimated to be more than
52% 2 of a typical pay-TV operator’s subscriber base
and that Silverlight and PlayReady are widely used by
some service providers, this potentially presents a very
significant challenge. For example, Google’s decision
led Sky and BT Sport to encourage their subscribers
to move from Chrome to Firefox or Internet Explorer 3.
The theoretical solution to the problem is greater OTT
standardization, which would enable service providers
to increase their efficiency and reduce the risk in
delivering OTT services. While there has been some
technical progress in simplifying streaming formats,
codecs, and DRM, the reality is that standardization is
an ever-evolving process that brings alignment over
time but is not the panacea to all market needs in the
short term. A more pragmatic approach is required.
CHALLENGE #2 : KEEPING CONTROL
OVER CONTENT SECURITY
Service providers also need to ensure that content
security standards are not compromised by choosing
a vertical, per-device, per-platform and per-browser
vendor approach, and that content licensing complexities
are not increased by having to deal with multiple DRM
vendors. Pay-TV service providers should not forget that
the very Silicon Valley giants (i.e. Apple, Google, and
Microsoft among others) that sometimes unilaterally
define their proprietary technologies are also their
competitors in delivering OTT TV. As a result, dependency
on the strategies of these companies increases business
risk levels for service providers.
OTT TV services are increasingly important to pay-TV service providers as they deploy multiscreen offerings to
complement their core services and to compete more effectively with Internet-based rivals. But delivering them
over consumer electronic (CE) devices such as PCs, tablets, smartphones, video game consoles, and smart TVs
presents several significant challenges regardless of the operator’s network type – whether telco, cable, or
satellite. Many of these challenges result from the fact that – unlike the pay-TV set-top-box environment – service
providers do not have control of the open devices, which use a wide range of operating systems and standards.
CHALLENGES IN MAXIMIZING THE REACH OF OTT DEVICES
5
CHALLENGE #3 : KEEPING CONTROL
OVER THE TV EXPERIENCE
Another fundamental requirement is the provision of
a consistent set of pay-TV-centric features and use
cases, available across all devices and platforms.
Such capabilities are best provided by a secure player,
with features such as multiple audio tracks, subtitles,
dynamic advertising, and trick modes, as well as use
cases such as casting or sharing between devices.
As well as streaming standards and DRMs, it is
important to include the overall and consistent control
of the TV experience delivered across multiple devices
that also interact with each other.
Understanding the longer-term implications of
technical decisions related to OTT and multiscreen
TV content delivery and their impact on business is
absolutely key for the success of service providers.
1 According to consulting firm nScreenMedia, US and European pay-TV operators are spending an estimated
$2.8 billion of their almost $10 billion annual network and maintenance expenses to directly address
multiscreen service delivery failures
http://www.rapidtvnews.com/2015071539066/pay-tv-operators-spend-billions-to-address-multiscreen-delivery-failures.html
2 An estimated 52% of World Wide Web users use Google Chrome as their browser on their personal
computers, according to StatCounter.com
3 “Sky has no plans to fix Chrome compatibility after Google’s Silverlight shun”, The Inquirer, May 1, 2015
http://www.theinquirer.net/inquirer/news/2383624/google-will-kill-microsoft-silverlight-in-chrome-by-disabling-npapi-plug-in
6
Google’s new Pepper Plug-in API (PPAPI), which
replaces NPAPI, is intended to increase security for
browsers as it provides a direct link to a sandboxed
environment where the code is executed – Chrome’s
Native Client (NaCI) – and provides greater stability, as
the code is executed in a separate thread rather than in
the main browser thread. It is also designed to facilitate
code portability across different platforms.
Google’s justification for its action is that PPAPI/NaCl
is more advanced and allows plug-ins to work more
seamlessly and securely within Chrome. However, the
move needs to be considered in the context of the wider
commercial battle between Google and Microsoft and
the fact that it may push service providers towards
adopting Google’s Widevine DRM.
NAGRA’s new PPAPI/NaCI browser plug-in is packaged
as the NAGRA MediaLive Secure Player for Chrome,
and integrates NAGRA anyCAST PRM, NAGRA’s studio-
approved DRM. It is fully compliant with the new HTML5
Chrome browser security architecture. The secure-
player browser plug-in is delivered as a Chrome
extension via the online Chrome Web Store, so it can be
easily installed by end-users. Updates are performed
via the operator’s Chrome Web Store account and easily
installed to the end-user’s Chrome browser.
With this solution, NAGRA ensures that pay-TV service
providers who had been using Silverlight and PlayReady
can continue to provide video services to their Chrome
customers with only a simple action required by the
subscriber. As a result, service providers do not have
to adopt another DRM (i.e.Google Widevine) and player
or point their subscribers to use Firefox, IE or Safari
browsers instead of Chrome.
NAGRA continues to deliver the NPAPI secure player
plug-in for Internet Explorer (on Windows), Firefox
(Windows and OSX), and Safari (OSX), ensuring support
for all major browsers.
Google’s decision to withdraw support for NPAPI on its Chrome browser created a potential challenge for pay-TV
service providers who were faced by a significant percentage of their base not being able to watch their content
via a Chrome browser. After Google announced the change in September 2013, NAGRA started developing a
solution so that affected premium content could continue to be delivered securely to Chrome browsers.
CASE STUDY 1 : GOOGLE CHROME
7
OTT STREAMING STANDARDS :
WHAT ARE THEY, WHAT IS COMING NEXT ?
Standards and Fragmentation: No Panacea
Video streaming over the Internet has evolved
tremendously over the past decade. Adaptive bitrate
(ABR) streaming formats such as Apple HLS and
Microsof t HSS have emerged, along with AES
encryption and interoperable DRM products. Despite
this, there has been considerable fragmentation
in the streaming formats and DRMs that are
implemented on specific devices, creating the need
to re-encode and re-encrypt content several times
in order to reach as broad a range of devices as
possible. While more recent origin servers allow to
re-encrypt content on the fly, hence removing the
need for ever-increasing storage, having to deal with
many different versions of the same content still adds
operational complexity.
The video and pay-TV industries have tried to confront
this situation by creating a common format through the
DASH Industry Forum, created in 2012. The vision here
involves the combination of the DASH adaptive bitrate
streaming format with the CENC common encryption
scheme for protecting content 4.
In addition, feature fragmentation both from a DRM and
Video Player perspective are also an issue. Indeed, while
modern browsers include a video player and support
for a DRM, the supported feature set varies from one
browser to another. For instance, one given subtitle
format supported on one browser is not on another.
In addition to the challenges pay-TV service providers face in maximizing device reach, there are also several
complex technology-based challenges that need to be considered to ensure the delivery of a high-quality
video product :
+ Selection of a reliable OTT streaming standard
to provide an optimal solution in a complex and
fragmented environment;
+ Selection of proven content-security solutions
that provide the best technology to deliver secure
content to all screens;
+ Deployment of rich multiscreen TV user
experiences that ensure superior TV-centric
services across all screens;
+ Addressing an ever-evolving, growing range of
devices and platforms while ensuring fast time
to market and optimized costs for launching
services to new screens.
4 NAGRA was shortlisted (and won the runner-up award) at the IBC 2013 Innovation Awards for the first
commercial deployment of DASH/CENC in the market.
SERVICE PROVIDERS SHOULD ASSUME THE CONTINUATION OF A
FRAGMENTED MARKET AND PLAN TO PROVIDE AN ABSTRACTION LAYER
– IN THE FORM OF A SECURE PLAYER SOFTWARE CLIENT – TO MANAGE
THE DIFFERENT STANDARDS AND PLATFORMS.
MARKET AND TECHNOLOGYCHALLENGES
8
DASH and CENC as New Alternatives
CENC allows encr yption to be done once, with
decryption performed across multiple DRM clients as
required. In theory, this allows a substantial reduction
in the complexity of both content preparation and
packaging workflows. A single secured file can be
played out across multiple devices which each support
a specific DRM client product.
In practice though, fragmentation remains extensive.
Apple, for instance, imposes its own HLS streaming
standard on its devices and has not yet adopted
DASH. In addition, some legacy CE devices with older-
generation browsers do not natively support DASH and
rely on NPAPI Microsoft or Adobe plug-ins to play back
DRM-protected content. Moreover, the different options
that one can select within the DASH specification can
also lead to fragmentation, as the specification provides
the choice of several audio codecs, different encryption
schemes and other specific features.
The positive news is that DASH has started to replace
legacy Microsoft HSS and Adobe HDS formats and
is expected to become the industry standard ABR
format. The very nature of next-generation streaming
standards is to decouple the file format from the actual
DRM used and ensure that multiple DRMs can coexist.
Indeed, we can expect to see more devices emerge
with their own native DRM when it makes sense for the
device vendor.
Planning for Evolving Standards : Being Pragmatic
The technology industry is notorious for defining
“standards” that take several release cycles to dislodge
previous-generation technologies. In this context, it
would be wise for service providers to take a pragmatic
stance and consider that standardization is always
likely to be a highly desirable outcome rather than a
sure reality. So they should assume the continuation of
a fragmented market and plan to provide an abstraction
layer – in the form of a secure player software client –
to manage the different standards and products.
HLS (HTTP Live Streaming) Proprietary : Apple, for QuickTime X and iOS
HSS (HTTP Smooth Streaming) Proprietary : Microsoft, for Silverlight plug-in
HDS (HTTP Dynamic Streaming) Proprietary : Adobe, for Flash plug-in
DASH (Dynamic Adaptive Streaming over HTTP) MPEG and ISO international standard
CENC (Common Encryption Scheme)Enables the same encrypted file to be used
by different DRM systems
SELECTED ABR STREAMING STANDARDS
NAGRA IS INVOLVED IN THE DASH STANDARDIZATION EFFORT AND IS
THE LEAD EDITOR OF THE RECENTLY RELEASED CONTENT PROTECTION
INFORMATION EXCHANGE FORMAT (CPIXF), A SPECIFICATION THAT
ALLOWS DRM LICENSE SERVICE PROVIDERS TO PERFORM EASIER PRE-
INTEGRATION WITH OTHER COMPONENTS OF THE STREAMING BACKEND
SUCH AS ENCODERS AND CDNS, HENCE DELIVERING SIGNIFICANT COST
SAVINGS WHILE IMPROVING TIME TO MARKET AND AGILITY.
9
CONTENT SECURITY : HOW TO DELIVER
THE BEST CONTENT ON EVERY SCREEN
Pay-TV service providers typically seek to license the
best available Hollywood and live TV content, which
implies high protection requirements as rights holders
are wary of piracy and its impact on the business model
of the entire content value chain.
Approved DRM Products and
Robust Client Implementations
Delivering HD content to high-resolution screens
including tablets, PCs, and game consoles requires
the use of various pieces of technology to maximize
content security. This includes advanced content-
protection technology based on DECE and DTLA studio-
approved DRM products, as well as sophisticated
software techniques such as whitebox cryptography,
secure video paths, sunrise key change, output
control, software obfuscation and hardening, and –
when available – Hardware Root of Trust to ensure the
proper client implementation of the DRM module and
the overall security of the client platform.
In the browser environment, the World Wide Web
Consortium (W3C) has worked at defining a secure
architecture for implementing DRMs using either the
native HTML5 Embedded Media Extension (EME) or
through secured plug-ins.
DRM Vendor Choice
With EME and CENC, content can be encrypted once at
the head-end and multiple DRM servers can be used to
generate licenses for specific DRM clients. However, the
DRM implementation carried out by browser vendors
such as Google has tended to be restrictive for service
providers: only one DRM is natively supported. Thus they
are implicitly forced to use a proprietary consumer-
device DRM such as Google Widevine. Fortunately,
newer generation browser plug-in frameworks such as
Chrome PPAPI – that include auto-update capabilities –
can also be used, thereby avoiding a total dependency
on a single DRM vendor; this is the approach that
NAGRA has taken. However, some less widely deployed
devices, such as the Microsoft Xbox games console,
support only PlayReady, without allowing the option of
implementing another DRM product.
As a result, service providers find themselves forced
into relationships with multiple DRM vendors, one
for each vendor-controlled platform on which they
want their content to play out. This has three major
implications :
(1) It increases the complexity and costs of content
rights negotiations ;
(2) Some content may not get the same rights, or face
a different liability on different platforms ;
(3) Service providers are left with little control over
the way that the DRM products evolve on a given
platform.
Optimizing this increasingly complex situation is a key
requirement.
Support for Multi-Usage Scenarios
Another important issue concerns content-usage
rules. For Hollywood studios and other rights holders,
the rights to view content on a small screen are worth
significantly less than those for viewing the same
content in HD on a large flat-panel display. Preventing
users from casting content without authorization has
become a big concern in rights negotiations. A secure
player solution that can manage this requirement
and ensure that content is played out on the intended
screens as laid down in the negotiated contract (with
secure reporting back to the content rights owners)
offers significant value to service providers.
Other rules for distributing and sharing content –
usually managed by the DRM system head-end and
implemented in a secure-player client – can be defined
by content type or by device. They need to be securely
transported to the device, which means that rooted
device and jailbreak detection is also required to ensure
that the usage rules are not tampered with.
10
BEYOND SECURITY :
WHY A VIDEO PLAYER IS REQUIRED
Beyond confronting the challenges involved in managing
a multi-DRM environment, service providers face other
requirements to ensure that their OTT TV services
function optimally. These include the provision of :
+ Video trick modes
+ Multi-CDN interfacing and dynamic selecting
+ Multi-audio, close captioning and
multi-language subtitles
+ Parental and playout control
+ Dynamic Advertising Insertion (DAI)
+ Detailed user-behaviour analytics
All these functions need to be packaged together on the
client side before interfacing with backend systems, and
this is best achieved with a secure video player.
In the early days of OTT TV, the licensing of premium
content was mainly a DRM issue. But these new
requirements – which result from the huge uptake in
OTT TV consumption – have set new expectations that
increase the need for service providers to adopt a multi-
purpose, multi-platform secure player solution.
There are several key aspects to the deployment of a
secure video player :
CDNs : The ability to dynamically select the best source
of content implies that algorithms are embedded into
the secure player to optimize the user experience
and the costs of streaming content.
DRM servers : Key information needs to be securely
retrieved from the backend and used by the player,
especially in the context of advanced use cases
such as local storage of downloaded content for
offline playback and side-loading of content to other
devices.
Analytics : Measuring the Quality of Experience (QoE)
by capturing deep data on player and user behaviour
enables the improvement of products and services.
Ad platforms : With Dynamic Ad Insertion being
imposed by more content providers, it is important
to deploy smart interfaces with leading advertising
delivery and tracking systems (such as Freewheel,
Omniture, ComScore, and Nielsen). A secure player
can include ID3 demuxing capabilities to control
ad-skipping and disable the search bar during ad
play-out and thereby have a direct impact on the
price of ads sold and revenues shared with content
providers.
Player packaging : The way the secure player is
packaged also has to be taken into consideration.
Having access to a browser plug-in for HTML5/JS
app development on PC platforms or an SDK for
native app development on iOS/Android platforms
allows the development of rich user experiences.
Another attractive option is a packaged app that
embeds HTML rendering capabilities, enabling
the development of apps using HTML/JS with the
same back-end business logic that is portable
across multiple platforms, leading to lower app
maintenance and deployment costs.
11
In scenarios where such a generic secure player
cannot be deployed – games consoles, for instance –
a platform-specific solution may be required, with the
core secure-player principles and APIs implemented
using a specific DRM client and file-streaming format,
adding controlled multi-DRM capabilities to the
overall platform.
EVER-EVOLVING DEVICE PLATFORMS : WHY
AN OTT TV APP CONSTANTLY NEEDS UPDATING
Accelerated Device Update Lifecycles
A new phenomenon in the CE industry over the past
five years has been the accelerated pace of innovation
brought on by frequent software renewals during the
lifecycle of a hardware device. In the smartphone and
tablet segment, Apple and Google update their OS and
app platforms several times a year, while desktop
browsers are also regularly improved by software
vendors, with software updates automatically pushed
to users. Similar approaches have systematically
emerged for OTT streaming boxes and casting sticks,
games consoles and connected TVs. Ensuring that
video content is always seamlessly played out on all
supported devices can quickly become a complex
process to manage, in which different technologies
and skills are required to deliver robust applications
at the lowest cost and with the highest level of
customer satisfaction.
Anticipating Evolution
For service providers, the standardization of streaming
technologies and the availability of some open-source
player components like dash.js can help reduce costs,
but there are other issues to address. The overall
challenge of managing app evolutions across a large
number of client platforms and devices adds risks and
costs to home-grown OTT TV operations. For instance,
staying ahead of rapid platform evolution often means
having dedicated technical staff who are involved with
leading software vendors and developer communities.
This represents a fixed cost that can be significant for
service providers in the early phases of deployment
or which have a geographically constrained customer
base. Opting out of such involvement, however, could
lead to a risky situation where service providers could
face a service blackout.
LicenseManagement
Rooting /JailbreakDetection
CryptographyUpgrade
ManagementDevice
Management
DRM & Player APIs
Player Core
Security Core
Customer UEXNative/HTML – JavaScript
I/O AdaptiveStreaming
Stack
H.264, AACA/V Synch
Video Trick Modes
Close Captioning, Subtitle Rendering
DownloadManagement
OutputControl
SECURE VIDEO PLAYER OVERVIEW
12
GENERIC OR OPERATOR-CONTROLLED DRM :
WHICH APPROACH BEST ADDRESSES
THE INDUSTRY’S NEW NEEDS ?
Consumer Electronics DRM Products
At first glance, the adoption of DASH and CENC along
with the implementation of new Web browser standards
should greatly simplify the delivery of DRM-protected
content to different devices that natively support CE
DRM clients such as Microsoft PlayReady, Google
Widevine, Adobe PrimeTime, or InterTrust Marlin. In
theory, all that would then be needed is a multi-DRM
backend key server to establish the proper interfaces
with the different DRM systems.
This approach is relatively simple to implement on the
server side and does not require deep integration on the
client side. But it forces service providers to surrender
significant control to the Silicon Valley giants which
provide DRM products for an increasingly important
aspect of their pay-TV operations. Moreover, it can
constrain service providers, preventing them from
evolving their platforms to satisfy content-provider
licensing requirements or to offer more advanced
services.
Operator-controlled DRM products
As more devices are used to access TV content within
the connected home – either on-demand (unicast)
or live (unicast and multicast) – the rules for content
sharing and usage need to be defined centrally, at the
head-end, and then applied to the different devices
in the home, usually through a secure-player client
that leverages specific DRM rules. For instance,
transferring a PVR recording to a tablet or starting to
watch a movie on a PC and then casting it to a TV set
while limiting the number of concurrent viewers who
can access the OTT TV service within the same home
requires specific DRM license management features
– most of which are not provided by the CE vendors’
generic DRM products. This can lead to three main
problems for pay-TV service providers – (1) security
loopholes; (2) missing or incomplete content rights;
(3) missing or incomplete use-case support – with the
latter two impacting user experience.
An operator-controlled DRM product provides the same
core features and content-protection capabilities as a
generic DRM as well as the required flexibility and extra
features that allow service providers to stay ahead
of the competition. By packaging such an operator-
controlled DRM product within a secure player that
delivers similar capabilities across multiple device
platforms, service providers have a powerful tool for
delivering a superior, seamless consumer experience.
They are also able to benefit from the strengths of a
product that is published by a focused security provider.
So a service provider should make use of an operator-
controlled DRM as much as possible, packaged within a
secure player, and restrict the use of third-party DRMs
to scenarios where the limitations and constraints of
the target platform are fully acknowledged.
As previously discussed, modern multiscreen TV-streaming services require a secure video player that has
at its core both an operator-controlled studio-approved DRM product and a secure-client implementation
that delivers advanced TV features. In this section, we analyze the benefits and limitations of each approach.
KEY APPROACHES TO CONSIDER
13
DO-IT-YOURSELF (DIY) VERSUS VENDOR PLAYER
SOLUTIONS : WHICH APPROACH TO INCREA SE
DEVICE REACH AND REDUCE COSTS ?
Multiscreen TV is all about extending device reach
to address the diverse needs of subscribers while
ensuring the delivery of quality pay-TV experiences to
all selected devices. This is better delivered by using
a secure player that can be developed in-house or
sourced from a software vendor.
DIY Secure Players
The DIY approach gives service providers control and
flexibility on how they implement their multiscreen
clients and apps, but the cost and complexity of
addressing an ever-increasing range of PCs, tablets,
smartphones, and other devices – all implementing
advanced frontend and backend secure-player and
service-management features – can become significant.
In addition, the risks of being late to market, or of not
being able to support some key devices and therefore
disappointing subscribers, can have a negative impact
on customer acquisition and increase churn.
Vendor Secure-Player Solutions
Vendor solutions typically leverage secure-player
products deployed worldwide and can provide huge
economies of scale, allowing service providers to
benefit from vendor expertise and firepower. This
approach helps improve time-to-market and delivers
leading solutions that are widely deployed by some of
the TV industry’s most demanding players.
Vendor solutions also offer access to an advanced
developer portal to get greater product insight and
more effective and comprehensive online technical
support from the vendor’s product-support teams.
14
Pros
DRM
Secure Video Player
Cons
Generic CE DRM • DRM provided by CE players / Silicon Giants• Core cloud-to-device features provided• Low-cost solution
• Lack of some TV-centric functions• Risk of dependency on CE player strategies / competitors• Need to manage multiple security liability agreements
• More flexibility for service providers• Full range of connected home features• Superior customer experience• Operator remains fully in control through its security partner
• Some devices (eg Xbox) require additional specific DRM (multi- DRM headend solution required)
Operator-controlledDRM
Own player based on Web standards and multi-DRM headend
• Limited specific security integration needs on the client side• Flexibility in developing browser-based solutions or native apps
• Limitations in delivering consistent TV-centric features across all browsers and devices• Surrenders significant degree of control to CE players (DRM, user experience)
• All the advantages of an operator-controlled DRM• Multi-DRM headend manages proprietary devices• Consistent, advanced TV-centric features across devices, management complexity transferred to security specialist• Future-proof, maintained over lifecycle
• Integrated solution, requiring managing a strategic relationship with a dedicated, long-term focused partner vendor
Secure player product with operator-controlled DRM
+ Premium content on every screen : ensure
the delivery of HD content on almost any
screen, meeting the most demanding security
requirements from content owners while enabling
content sharing between devices ;
+ TV-centric features : deliver a rich user experience
with advanced service capabilities such as parental
control, subtitles, close captioning, and multi-
audio tracks ;
+ Ease of use and smart advertising : offer intuitive
content navigation capabilities, such as smart
seeking within content, while ensuring the
implementation of dynamic advertising insertion in
a controlled and user-friendly context ;
+ Seamless multiscreen TV : provide seamless
integration with cloud PVR capabilities for
start-over and catch-up TV services – including
download-to-go capabilities – that truly contribute
to transform the TV experience on any screen.
Beyond these business considerations, a secure player, such as NAGRA’s MediaLive Secure Player, must
address these key functional value points :
DRM AND SECURE VIDEO PLAYER: ANALYZING ALTERNATIVE SOLUTIONS
As demonstrated in this paper, choosing a secure-player solution based on an operator-controlled DRM provides
several benefits that translate into a fast ROI while reducing risks in terms of customer satisfaction, costs
overruns, and content-security risks.
SECURE PLAYER BUSINESS BENEFITS
15
NAGRA’s Secure Player product line is designed to take
away some of the costs and risks of staying on top of
fast-evolving technologies and devices by mutualizing
the development and maintenance of products across a
large portfolio of customers. NAGRA also offers a variety
of standard and premium player maintenance and support
services, including a beta program for new releases.
NAGRA closely follows the iOS and Android evolutions
and is involved in the DASH Industry Forum, which helps
anticipate the directions of new releases. NAGRA’s
leadership position in the security industry means we are
on top of this complex area and apply product direction as
appropriate, for the benefit of all customers.
With so many devices available (for Android there are
now over 20,000 models), the MediaLive Secure Player
technology is first validated on the most popular devices,
covering over 95% of the general market. We provide
tools for customers to test additional, less-deployed
local devices. The new MediaLive online customer
portal http://medialive.nagra.com gives customer
engineering organisations access to straightforward
information about the MediaLive Secure Player, its APIs
and the latest product information.
NAGRA’s experience has shown that customers used to managing STBs can find the addition of multiscreen
solutions both challenging and a significant overhead. NAGRA manages this through our comprehensive approach.
CASE STUDY 2 : NAGRA’S MEDIALIVE SECURE PLAYER
MEDIALIVESecure Player
The Medialive Secure Player is a secure media player that delivers protected services and content to open devices running on Windows, iOS and Android by leveraging anyCAST PRM,
NAGRA's DECE and DTLA-approved DRM.
Video Player DRM Content Protection Multiscreen
Secure Player SDKs HTML Secure Players Adaptive Streaming / OTT
Audience Measurement Subtitles & Multi-Audio Download Manager
16
This means that pay-TV service providers need both
expertise and economies of scale to lower costs and
improve performance if they are to remain ahead of the
curve and provide superior products and services to a
growing and increasingly diverse population of users
and devices.
As this paper has demonstrated, the optimal approach
to safeguarding an investment in OTT TV services
delivered to CE devices is a secure-player solution
based on an operator-controlled DRM.
Working with an experienced content-security specialist
such as NAGRA also ensures that future challenges
can be met. NAGRA has more than 20 years of industry
experience in securing the business models of some
of the world’s largest pay-TV service providers. It has
delivered multiscreen OTT TV solutions to more than
20 leading pay-TV operators worldwide.
In conclusion, an approach based on a proven vendor
solution like the NAGRA MediaLive Secure Player
provides the following short-term tangible benefits to
pay-TV service providers :
+ Best content on every screen
+ Better device reach
+ Enhanced and consistent QoE
+ Lower operational costs
+ Fewer business risks
In addition, it ensures that service providers are
protected from potentially disruptive changes by CE
software providers and stay in control of their OTT
TV services as technology evolves and as consumer
viewing habits develop.
Consumer electronics products, both hardware and software, are evolving quickly, and nowhere is this
clearer than in the video capability of connected devices.
CONCLUSION : FACING THE FUTURE WITH CONFIDENCE
17
18
ABR
Adaptive Bit-rate Streaming, a technique for distributing video over unmanaged IP networks for which both international and proprietary standards exist.
DASHDynamic Adaptive Streaming over HTTP, an MPEG and ISO international ABS streaming standard.
AES
Advanced Encryption Standard, also known as Rijndael (its original name), a specification for the encryption of electronic data established by the US National Institute of Standards and Technology (NIST) in 2001.
dash.jsDASH JavaScript is an open source reference client implementation for the playback of MPEG DASH via Javascript and compliant.
API
Application Programming Inter face, a set of routines, protocols, and tools for building software applications. An API defines functionalities that are independent of their respective implementations, which allows definitions and implementations to vary without compromising the interface.
DECE
Digital Enter tainment Content Ecosystem, a consortium of major Hollywood studios, consumer electronics manufacturers and retailers, network hardware vendors, systems integrators and DRM vendors which creates rules and back-end systems to manage those rules that enable consumers to share purchased digital content between registered consumer-electronics devices.
CastingA technique for transferring Internet-delivered video content from a computer or a mobile device to a TV display
DRM
Digital Rights Management, a class of copy protection technologies used by hardware and software manufacturers, publishers copyright holders, and individuals to authorize and control the use of digital content and protect intellectual property rights.
CENCCommon Encryption Scheme, enables the same encrypted file to be used by different DRM systems.
DTLA
Digital Transmission Licensing Administrator, created by a consortium of technology companies in 1999 to license the Digital Transmission Content Protection (DTCP) technology which ensures consumers’ reasonable and customary right to make personal-use copies and enjoy digital content that is networked throughout the home. DTCP has been widely adopted in consumer electronics products including set-top boxes, digital TVs, and Blu-Ray and DVD recorders.
Cloud TV
Use of cloud computing technology to deliver TV services, where play-out technology is based in the cloud rather than at a cable, satellite or telco operator’s head-end.
EME
Encr ypted Media E x tensions , a W 3C dr af t specification for providing a communication channel between web browsers and DRM software, allowing the use of HTML5 video to play back DRM-wrapped content such as streaming video services without the need for third-party plugins such as Adobe Flash or Microsoft Silverlight.
CDN
Content delivery network (or content distribution network), a distributed system of servers deployed in multiple data centres across the Internet, which allows content (including live streaming media and on-demand video) to be served to end-users with high availability and high performance.
Hardware Root
of Trust
A hardware component that is secure in design and inherently trusted to perform one or more security-critical functions, such as measuring and/or verifying software and protecting cryptographic keys.
DAI
D y n a m i c A d v e r t i s i n g I n s e r t i o n , a l l o w s adver tisements within streaming on-demand content to be changed by operators, thereby enabling advertising to be targeted at specific groups of subscribers. DAI is increasingly imposed by content providers.
HDSHTTP Dynamic Streaming, Adobe ABS streaming standard for Flash plugin.
GLOSSARY
19
HLSHTTP Live Streaming, Apple ABS streaming standard for QuickTime X and iOS.
PPAPI Pepper Plugin API, Google replacement for NPAPI.
HSSHTTP Smooth Streaming, Microsoft ABS streaming standard for the Silverlight plugin.
PrimeTime Adobe proprietary DRM system.
IntertrustMarlin
Open-standard DRM developed by Intertrust Technologies Corporation with four consumer electronics companies: Sony, Panasonic, Philips, and Samsung.
PVR
Personal video recorder (also known as Digital Video Recorder or DVR), a consumer electronics device or application software that records video in digital format to a local or networked (nPVR) storage device.
ID3
ID3 is a metadata container most often used in conjunction with the MP3 audio file format. It allows information such as the title, artist, album, track number, and other information about the file to be stored in the file itself.
Sandbox
A security mechanism for separating running programs. A sandbox is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites.
Multi-DRMThe use of multiple DRM systems at the backend to deliver content to a range of devices that use different DRM formats.
SDKSoftware Development kit, a set of tools for developing software.
NaCI
Google Native Client (NaCl) is a sandboxing technology for running a subset of Intel x86, ARN or MIPS native code in a sandbox, allowing the safe running of native code from a web browser, independent of the user operating system, allowing web-based applications to run at near-native speeds. It may also be used for securing browser plugins, as well as other applications.
Secure Video
Player
A video player that incorporates DRM and anti-hacking techniques to ensure content protection.
NAGRAanyCAST
PRM
Provides DECE and DTLA-approved DRM protection of high-value content on both closed and open devices.
Silverlight Microsoft proprietary streaming media application framework.
NPAPINetscape Plugin API, a cross-platform plugin architecture, first developed for Netscape browsers in 1995, used by many web browsers.
Sunrise key
change
Ability for a DRM system of automatically change the content key on a Live channel, for example once per day.
Obfuscation
The deliberate act of creating obfuscated code that is difficult for humans to understand. Programmers may deliberately obfuscate code to conceal its purpose (security through obscurity) or its logic, in order to prevent tampering or deter reverse engineering.
Trick modes
A feature of digital video systems including PVRs and video-on-demand systems that mimics the visual feedback given during fast-forward and rewind operations that were provided by analogue systems such as VCRs. Trick play manipulates the video stream to include only a subset of frames.
OSX Apple operating system for personal computers. WhiteboxWhite-box cryptography, a cryptographic system designed to be secure even when its internals are viewed.
OTT TVOver-the-top TV is TV delivered via the web over unmanaged IP systems.
Widevine Google proprietary DRM system.
PlayReady Microsoft proprietary DRM system.
GLOSSARY
20
KUDELSKI, NAGRA, OPENTV, SMARDTV and their respective logos are trademarks, registered trademarks or service marks of Kudelski SA and/or its affiliates.
All other trademarks are the property of their respective owners.
All product and application features and specifications are subject to change at the sole discretion of Nagravision SA at any time and without notice.
© 2015 Nagravision SA - All rights reserved.
SECURE – ENGAGING – EVERYWHERE
DTV.NAGRA.COM
de
sig
n:
dia
bo
lo.c
om