Irdeto Keys & Credentials

Last modification: 27-05-2015 / 01:51 PM GMT+01:00
Solution Overview
Media Protection
Irdeto Keys & Credentials
A VENDOR-NEUTRAL, TECHNOLOGY-AGNOSTIC SERVICE TO MANAGE THE COMPLEX ECOSYSTEM OF SECURITY
SUPPLIERS, INTERFACES AND PROCESSES THAT UNDERPIN A PAY-TV OPERATOR’S PLATFORM AND SERVICE
OFFERING
The long-term security contracts typically
subscribed to by Pay-TV operators can
also lock them into relationships with their
partner’s chipset and set-top-box (STB)
suppliers. Dependence on a monolithic
security solution not only takes critical choices
out of the operator’s hands, it diminishes
their control over current and future strategic
business decisions.
Irdeto Keys & Credentials gives control back to the operator.
As an independent managed service, Keys & Credentials
provides a comprehensive and efficient approach to
managing multiple security technologies while ensuring
operators maintain full control over their platform delivery
and technology choices.
KEY BENEFITS
Irdeto Keys & Credentials enables Pay-TV operators to
partner with the security, chipset or set-top box (STB)
providers of their choice regardless of previous and / or
future technology decisions. By ensuring that all security
and technology choices can remain independent, Irdeto
enables operators to:
•
•
•
Leverage the latest advances in technology to bring
new services to market quickly
Cultivate a more competitive bidding process for each
new service offering
Control future service offerings by directly managing
and enhancing their content distribution platforms
www.irdeto.com
©2015 Irdeto, All Rights Reserved.
1
In a fast-moving industry, operators need to ensure
current and future business plans are not impeded by
limited technology options
WHY OPERATORS ARE LOOKING TO
CHANGE THEIR SECURITY SET-UP
technology, there is simply insufficient
competition.
The restrictions on chipset and STB
partnerships common to most security
agreements means that, over time,
an operator may not have access
to the latest features or functionality
options available from other vendors.
This hinders the operator’s ability to
bring new services to market and can
cause them to fall out of step with the
needs of a rapidly-evolving consumer
market.
Perhaps most importantly, technology
lock-in diminishes the operator’s
ability to maintain longer-term control
over their service offerings and
strategy. By gaining direct control
over the design and architecture of
the service platform, operators can
ensure that it is always in alignment
with current and future strategic
business decisions.
The advantage of a more
flexible
security
solution
brings with it the increased
complexity of managing a
growing number of diverse
security
processes
and
workflows
Another side-effect of technology
lock-in is decreased bargaining power
when requesting bids for new platform
builds. Ideally, an operator would
request qualified bids from multiple
vendors to maintain a healthy level
of price competition. With a limited
number of vendor options for each
OEM Partners?
Production?
Licensing Authorities?
For all of these reasons, operators
worldwide are increasingly motivated
by alternatives to traditional security
vendor relationships. As they look to
define new generations of managed
Customer
Premises
Equipment
(CPEs),
they
seek
modular
architectures that can leverage
the latest technology advances
and innovation on all levels. This
ensures direct access to technology
breakthroughs and shorter time-tomarket for new features, functionalities
and service offerings.
However, in order to benefit from the
advantages of modular architectures,
the operator must be able to work
directly with each of their system-onchip (SoC) suppliers and
Revocation?
OEMs to gain control of
the keys in the chipset
– the fundamental rootOS versions?
of-trust.
In-field
Provisioning?
Operators must also
be able to manage
each key or security
asset
through
its
entire lifecycle. This
requires
an
ability
to support security
upgrades at all points
in the management
ecosystem down to
each device on the
network.
MANAGING COMPLEXITY
For operators, the freedom to mixand-match technology components
and vendors brings advantages as
well as a new set of challenges. Taking
control of service platform design also
entails taking on the security elements
that underpin the myriad features and
functionalities offered.
Critical to controlling the platform is
controlling the keys in the chipset. This
is a highly specialized field, requiring
deep expertise and experience in
managing the multiple workflows that
exist between the SoC foundry, STB
production and activation of services
in the subscriber’s home.
Achieving this level of control requires
the ability to:
1. Provision multiple types of
security assets
2. Ensure smooth interactions with
numerous ecosystem operators
3. Manage the end-to-end lifecycle
of diverse security assets, from
production to renewal, update or
revocation
4. Accommodate the variations in
security processes for all CPEs
Some of the world’s largest
Pay-TV operators including
two tier 1 North American
MSOs and a major panEuropean operator have
called on Irdeto to help
them move to modular
technology
architectures
that
leverage
multiple
suppliers.
A solution is required to reduce this complexity
www.irdeto.com
©2015 Irdeto, All Rights Reserved.
2
Irdeto brings 40 years of content security experience
to delivering the Pay-TV industry’s first vendor-agnostic,
fully managed security service
THE SOLUTION
Operator
Supporting this complex array of
security processes would pose an
obstacle for most operators who
need to stay focused on their core
competencies of subscriber retention
and acquisition.
OEMs
SOC
Vendors
Because it is a fully managed service,
Irdeto Keys & Credentials allows
operators to retain control over their
technology choices and partner
relationships without having to directly
manage the multiple and complex
operational processes involved in a
multi-vendor security system.
Operator
Asset
Packages
SOC
Assets
Licensing
Authorities
Third
Party
Assets
IrdetoKeys &
Credentials
Managed
Service
Secure
Production
Facilities
Asset
Distribution
Infrastructure
Ecosystem
Management
Personnel
Ecosystem
Management
Lifecycle Management
across devices
Highlights include:
•
•
•
•
Comprehensive management of
complex, highly technical security
processes specific to each
chosen technology
Coordination with all technology
suppliers, OEMs and licensing
authorities using pre-established,
proven workflows
Support for all security keys and
certificates throughout the full
lifecycle of initial production,
provisioning,
renewal/updating
and revocation
Dedicated team of security
technology experts working in
highly secure, state-of-the-art
facilities
to ensure the secure generation,
provisioning, revocation and renewal
of all operator-owned and third-partysupplied security keys and certificates.
Irdeto also performs the monitoring
and reporting required to track the
performance of all processes across
the supply chain.
HOW IT WORKS
Lifecycle of
Security Assets
Produce
Irdeto Keys & Credentials ensures
that operators maintain ownership
and control over all crucial security
assets while offloading the complexity
of managing the various security
processes and workflows. Irdeto
experts manage the full lifecycle
of key and security assets as well
as interfacing with the associated
ecosystem of suppliers.
Provison
All Keys & Credentials activities are
carried out within dedicated, highsecurity facilities using advanced
cryptography. Staffed by a team of
experts in both security management
and service provider operations,
Irdeto delivers a world-class, nextgeneration security management
system.
Leveraging Irdeto’s 40-years of
experience as a global leader in
content security, Keys & Credentials
allows operators to benefit from
the efficiencies of a shared-cost
infrastructure with the assurance that
each company’s security requirements
and its vendor relationships are
supported and managed to their
unique specifications, with full
dissociation from all cryptographic
operations for other customers.
Update
Revoke
As part of the service, Irdeto
integrates the operator’s security
asset management system into the
workflows of SoC suppliers and OEMs
www.irdeto.com
©2015 Irdeto, All Rights Reserved.
3
Keys & Credentials Use Case Examples
ABILITY TO ADD NEW SERVICES
EASILY
Having invested in a powerful home
gateway platform, a major North
American MSO
wanted greater
control over the addition of new
features and services to their IP
connected boxes.
By leveraging the hardware root of
trust for the backbone of the STB
security, Keys & Credentials has been
able to provide highly secure DRM-
CONTROL THE PLATFORM DESIGN
AND LEVERAGE COMPETITIVE BIDS
Like all major MSOs, Charter
Communications
traditionally
purchased set-top boxes that had
been developed by their long-term
STB and CA partners. This limited
Charter’s service offerings to features
and functionalities that were currently
available or soon to become available
BREAK FREE OF VENDOR LOCK-IN
Operating
in
an
increasingly
fragmented
and
complex
environment, this tier 1 pan-European
operator delivers a range of services
to its subscribers through STBs
with embedded security related
components from a variety of vendors.
These technologies include CA
systems, DRM systems, public key
infrastructure certificates and more.
They wanted to extend the control
they have over their set-top boxes,
notably for new and future features
as well as the price at which these
can be offered, instead of being
restricted by the exclusive reliance
on their incumbent CA vendor.
With the introduction of their next
generation STB platform, they took
www.irdeto.com
protected video delivery of streamed
content over IP, enabling a whole
range of on-demand offers direct to
subscribers.
significantly reduced error levels and
enabled the operator provide better
overall customer service to their
customer base.
Initially,
this
operator
began
developing the necessary processes
“in-house” but quickly switched to a
managed service once they realized
the benefits for cost reduction and
efficiency through Irdeto’s established
relationships with SoC and STB
vendors. The fully-managed Keys
& Credentials service has also
Furthermore, in order to extend the
life cycle of their deployed set tops,
this operator will soon be rolling out
an extension of their current Keys
& Credentials service to include the
Field Key Provisioning Service, which
enables the secure deployment of
new services to devices in the field.
from their partners. As a result,
Charter did not feel fully in control
of their STB decisions or the price
negotiation process.
box, it has also fostered competition
and enabled them to receive bids
from a worldwide range of vendors.
When it came to their new Worldbox
project, Charter leveraged Irdeto
to help enable them to take control,
and specify their own set-top
design architecture. This freed up
the process to request bids and
proposals from any competent STB or
technology vendor. Not only has this
given Charter direct control over the
features and functionalities of their
the opportunity to do exactly that and
involved Irdeto as an independent
Licensing Authority.
Specifically, this means that Irdeto,
on behalf of this customer, are
embedding a separate root of trust in
the SoCs of their new set-top boxes,
alongside those that are routinely
provided by their incumbent CA
vendor. This provides the operator
with a means to activate new services
without requiring the involvement of
their incumbent CA vendor, as well
as the ability to even replace the CA
vendor altogether – if they so desired
– without having to swap out already
deployed set-top boxes.
Keys & Credentials allows for the
coordinated management of all of
these technologies in compliance
©2015 Irdeto, All Rights Reserved.
By taking management control of the
core security elements of Charter’s
new World Box, Keys & Credentials
has put Charter back in control of their
service features and functionalities.
For example, Charter can now activate
downloadable CAS on their new
settop platform, effectively eliminating
the need for a CableCARD.
with ETSI K-LAD (TS 103 162). This
has enabled the MSO to establish
its long term security and technology
needs, while directly controlling its
media distribution ecosystem and
determining exactly which vendors
and technology partners it wishes to
work with and when.
The fact that it is not beholden to the
individual needs and development
cycles of partners and vendors
with regard to the roll out of new
technology, has enabled this MSO to
set up a clear, independent path to be
able to deploy security functionalities
that underpin new subscriber services
as and when they wish without
necessitating the direct or explicit
support from their incumbent CA
vendor.
4