DTI WISE Audio/Video Solution for KID SystemeDeals... · Hardware manufacturer, Wireless IFE vendor and Customer (KID Systeme) an Airbus subsidiary responsible for providing and provisioning

Confidential and Proprietary DTI Software

DTI WISE Audio/Video Solution for KID Systeme

White Paper

Revision 1.7

DTI_WISE_AV_Solution_for_KID_Systeme_-_WhitePaper_v1.7.docx

Draft / Review Final

DTI WISE Audio/Video Solution for KID Systeme White Paper

Copyright DTI Solutions 2014 – Proprietary and confidential document 2

Revision history

Version Date Description of change By

1.0 2013-08-02 Original Draft DA

1.1 2013-08-21 Review JNV

1.2 2013-09-18 Added alternative SSD loading process DA

1.3 2013-10-09 Update to Key exchange process DA

1.4 2013-11-27 Applied comments from Airbus Reviewer DA

1.5 2013-12-09 Applied latest Airbus comments (MW) and release to studios DA

1.5 2013-12-17 Release candidate DA

1.6 2014-01-28 Breakdown of Verimatrix copy protection DA

1.7 2014-01-30 Applied latest generic updates (by JNV and AR) DA



Table of Contents

1 SUMMARY ....................................................................................................................................... 4

2 ABBREVIATIONS .............................................................................................................................. 5

3 MEDIA FLOW ................................................................................................................................... 5

MEDIA DISTRIBUTION ....................................................................................................................................... 6

Step One – Preparation .......................................................................................................................... 6

Step Two - CSP Processing and Content Integration .............................................................................. 8

Step Three – Deployment ....................................................................................................................... 9

4 WIRELESS SOLUTION ..................................................................................................................... 10

WIRELESS MEDIA STREAMING .......................................................................................................................... 10

WIRELESS SECURITY MEASURES ....................................................................................................................... 12

5 ALL-ROUND WIRELESS IFE SOLUTION ROBUSTNESS ....................................................................... 13

6 CONCLUSION ................................................................................................................................. 14



1 Summary

This document presents security parameters for the WISE (Wireless In-flight Services and Entertainment) solutions developed by DTI and deployed in partnership with the following business entities:

Hardware manufacturer, Wireless IFE vendor and Customer (KID Systeme) an Airbus subsidiary responsible for providing and provisioning the Head-End Server Unit (HESU) with OS and DTI virtual images through the industrialization process. KID also handles setup and maintenance of the Wireless IFE infrastructure across customer airlines. Note that throughout this document, the HESU will be referred to as the Wireless IFE server.

Content Service Provider (Inflight Productions or other airline-preferred CSP) oversees the supply chain ranging from content sourcing and aggregation to the management of source files and metadata with respect to airline sourcing strategies.

Content Integrator (Lab Aero or other MPAA approved facility) which embeds raw encoded media with an encryption layer and provides deliverable packages.

Secure Streaming solution (Verimatrix): onboard DRM key management server which segregates secure playback amongst supported OS platforms (IOS, Android, Windows, Mac, BB, and so on).

Airline companies which handle the actual media through their dedicated or sub-contracted teams of ground maintenance technicians.

Content security, or the protection of intellectual property, is a serious issue which plays a major role in maintaining trust with the content providers who are at the core of this service.

Media transport employed by the solution applies the DCI specification (Digital Cinema Initiative) which suggests the following sequence of events:

Use of studio approved DRM encryption and key encryption for secure media transport;

When Wireless IFE servers are industrialized, a Transport key pair is generated with private Transport key saved on the local SSD partition and public Transport key sent to content integrator for identification of individual packages;

Content integrator assigns an Airline key pair to each airline customer, providing the private entity to KID Systeme for inclusion into the Wireless IFE server’s base software (known as HoV).

Content integrator issues DRM-encryption keys which are then encrypted with the public Airline key;

Once media is airborne, DTI’s onboard deployment solution secures all steps leading to passenger media consumption;

Media remains secure at all stages of the deployment process up to the moment it is displayed on passenger devices (PED).

This document focuses on secure delivery of video content ranging from TV series and late-window home entertainment movies; with later plans for other media types. More specifically, this document is seeking approval for the supply of wireless late-window content to passenger devices.

In addition to studio-approved DRM encryption and reliance on a robust onboard DRM key management server component and DRM client applications, secure transfer protocols are enforced for digital media transiting from a secure server location to the W-IFE server. In other cases, a portable SSD drive is used for media transport to the airline’s maintenance facility with content deployed onboard through a wired dedicated data loader and in some cases, a preloaded (content-ready) SSD drive is swapped with defective W-IFE server drive with deployment achieved by way of internal processes.



2 Abbreviations

CDS Content Delivery System CMS Content Management Service CSP Content Service Provider DRM Digital Rights Management ESBR Entertainment Software Rating Board FAP Flight Attendant Panel HESU Head-End Server Unit HLS HTTP Live Streaming HOV Head of Version IDS Intrusion Detection System

IFE In-Flight Entertainment KDM Key Delivery Message LAMP Linux-Apache-MySQL-PHP PED Passenger Electronic Device RPM Red Hat Package Manager SSD Solid State Drive SSL Secure Socket Layer TLS Transport Layer Security VOD Video On-Demand WISE Wireless In-flight Services and Entertainment

3 Media Flow

This diagram summarizes the major constituents of the Wireless IFE media flow from media aggregation and preparation by CSP; content integration and packaging to passenger consumption.

(2) Media Preparation

- aggregation- mastering- packaging

(4) Wireless Solution

- media streaming- OS- hardware- peripherals

(1) W-IFE Server Industrialization

Public Transport key

(for encryption of private airline key)

Package Delivery

(with encrypted private airline key)

Encrypted

streaming

Figure 1 – Media in transit from CSP to passenger consumption



Media distribution

Step One – Preparation

The process of safeguarding media assets is initiated by KID Systeme, the hardware manufacturer who is in charge of generating and maintaining several protection layers implemented as follows:

1. Each newly commissioned SSD is encrypted with a unique Hardware identifier. This unique signature marries the drive to its surrounding hardware (HESU) rendering it useless otherwise. From then on, the SSD can only be decrypted by way of hardware signature extraction, a process which can only be achieved by running bootloader instructions contained on proprietary KID Systeme CF cards. Note that this particular CF card shall remain inside the server’s CF card reader at all times to support software restoration should system diagnostics reveal issues at SSD boot.

2. In addition to the hardware identifier, each SSD is built with a read-only Transport key partition during production at KID Systeme facilities. This partition stores the private entity of the KID Systeme Transport key. Meanwhile, the public counterpart of the Transport key is securely transferred to the content integrator.

3. A second partition is built at Operating System installation and used to store the software packages protection key (RPM key). This key is brought onboard through the proprietary CF card.

4. A global Airline key pair is issued and managed by the content integrator. As the name implies, this key is for use across an entire airline. The private Airline key is protected by the public Transport key and sent to KID Systeme for inclusion into each server’s HoV. In turn, this HoV is protected by the RPM key. The decrypted Airline key is only maintained in RAM disk while the system is running.

Aside from the media safeguard process described earlier, KID Systeme shall have the option to supply and install content-ready SSD drives and swap drives each time updates are made available. This method shall be limited to the unlikelihood the onboard HESU would require field replacement. This process involves IFP as the exclusive CSP allowed to populating SSD.



The next figure illustrates the key exchange process described earlier for integrity of both content and software (HoV).

Figure 2 – Key exchange process

Closer look at the key exchange process

The HESU launches CF-card bootloader. The bootloader fetches the hardware Identifier (256-bit) via IPMI from the HESU and unlocks the paired SSD secured using the ATA Security mechanism.

The bootloader checks for SSD integrity and if necessary, installs the OS, applications with initial Config file as well as the RPM key (RSA 2048-Bit).

The HoV (Customer-defined configuration set) encrypted with the RPM Key is installed via USB or CD and stored on the HESU. The private Airline key (RSA 2048-Bit) encrypted with the public Transport key (RSA 2048-Bit) is stored on the HESU. The private Transport Key is stored on the HESU SSD during unit industrialization and is additionally encrypted with a symmetric encryption hardware Identifier (256 Bit).

Content is installed from an external media. It is carried over to the HESU where installation transfers both encrypted content and appropriate DRM keys. DRM keys are encrypted with the Airline key.



During the HESU boot process, an encrypted binary compiled for the HESU (RC4 encrypted) decrypts the Transport key using the fetched hardware Identifier (256-bit).

During the HESU boot process, an encrypted binary compiled for the HESU (RC4 encrypted) decrypts the Airline key using the private Transport key and commits the decrypted Airline key to RAM disk to be mounted by the streaming VM. The unencrypted Transport key is deleted and only the encrypted Transport key is stored on the HESU. The decrypted Airline key only exists during runtime of the HESU RAM disk.

The Airline key is used to decrypt the DRM keys which are then sent along with content to client devices for content decryption and playback.

Step Two - CSP Processing and Content Integration

The following flow takes content handling downstream from CSP to content integration.

Figure 3– CSP Processing and Content Integration at a glance



Aggregation

CSP aggregators deal with various original content providers. They ensure content (media and other) from various sources is sent off to content integration.

Encoding Labs

Encoding Labs receive content directly from the studios through a studio-agreed secure channel and prepare it according to the desired specifications. For video content, several encoding types are applied to meet the requirements of specific platforms. Audio tracks are kept separate from video tracks to allow for multiple languages and lower file weight for faster transfers (notably to planes).

Selection

1. Content metadata is imported in DTI’s CMS where content selection criteria are applied according to CSP specification attributes such as activation window, motion picture rating, and so on.

2. Content is combined with flight information provided by the airline.

3. Once content has been selected, segmented by activation date and more specifically DRM-tagged, processed metadata can be exported by the CMS.

Content Integration and Packaging

4. After the prepared metadata has been exported, it is processed at the Content Integrator facility into a DTI packaging tool for the purpose of building a content package ready for deployment. The tool parses the metadata, retrieves corresponding audio and video files and applies DRM-encryption wherever applicable.

5. Next, the media-specific DRM-encryption keys are encrypted using the public Airline key. This key is kept in a folder distinct from those used for audio and video files.

6. Content integrator also ensures that each media package is tested on end-system replicas.

7. Tested and secure packages are then shuttled to the airlines via Signiant or SSD for deployment.

Step Three – Deployment

Deployment is a two-stage process which involves delivering media packages to the Wireless IFE server and making media available for passenger consumption.

Delivery of encrypted media packages to the Wireless IFE server is accomplished by way of physical transfer from a USB drive or CF card through the crew and maintenance control panel or through laptop-running loader software. As stated earlier, content is first retrieved by Signiant or physically transported on SSDs. Then, an airline technician prepares the loading media or laptop prior to heading to the aircraft. From there, the technician launches the deployment software (KID) which moves package(s) from the loading media to a location on the Wireless IFE server drive known as the DTI inbox.

Once the package is transferred to the Wireless IFE server, an installation script deploys content and decrypts the media keys which are fed to the DRM key management server component. As such, content remains encrypted on the Wireless IFE server at all stages of the deployment process.



4 Wireless Solution

With content in place and reaching activation date, passengers gain access to the data through their PED such as laptops, smartphones and tablets connected through an access point. End-users can choose what media they want to play, purchase or otherwise unlock with emphasis on the following security considerations:

Media release dates (movies, music albums, etc.) are enforced by the Wireless Portal’s media applications by relying on the metadata defined by the CSP earlier (see “Selection” on page 9).

DRM-protected content requires PED certificate exchange and use of DRM-capable player app.

DTI’s portal and media applications benefit from code proofing and apply code provided by the DRM solution.

The network is secured through restrictive access points and server configurations, as well as server protection software.

The Wireless IFE solution web interface is offered through standard LAMP stack with most standard best practice security measures in effect.

Satellite connectivity and Wireless IFE solutions are segregated over separate server boxes.

Internet connectivity is achieved through a private network supported by a ground proxy and firewall servers which prevent direct connection to the aircraft and its Wireless IFE assets from the Internet.

Wireless media streaming

Once media has been selected by passenger over a web interface, native PED software requests media from the streaming server component. While non-protected media can be streamed natively, the use of DRM encryption calls for an additional technology layer. Wireless DRM streaming is done using an integrated and proven commercial DRM Key management server solution (such as the Verimatrix VCAS component). From a high level standpoint, our solution is laid out as follows.

Users have to install a browser plug-in (for laptops) or acquire a mobile application (available in platform-specific app stores (may also be downloadable onboard depending on platform) to access DRM protected content. Keep in mind that application and plug-in must be provisioned by the onboard DRM key management server component before they can be put to use.

o Verimatrix verified browser plug-ins provide cross-platform solutions; supporting modern Windows and Mac OS X through Chrome, Firefox, Opera, Safari, and Internet Explorer.

o Support for iOS and Android mobile platforms is provided by way of standalone applications built on Verimatrix verified SDK.

o Both OS plug-ins and device applications allow for additional layers of protection in authenticating client devices to ensure secure key and media distribution. More specifically, they are configured to enforce the following security measures:

ACPv2 Macrovision and DCS copy protection;

GMS asset protection;

Detection and disablement of analog outputs;

HDCP compliance;

Detection and disablement of mirroring software;



Reliance on a single embedded digital output (such as the MediaFlow player) for content viewing.

OS-specific Verimatrix clients are screen-grab aware and effectively terminate playback upon detection of content capture software.

Communication between PED application and the DRM key management server component is secured through SSL / TLS. DRM encrypted HLS streams (with AES-128 bits encryption) render packet sniffing useless.

Four different cases are covered:

Free content Restricted / Paid content

Without DRM

“Public link”

“Secure access link” through billing solution

With DRM

DRM solution

DRM solution with billing solution

Table 1 - Security scenarios

1. In the case of free content without DRM, the Wireless Portal’s media applications send users to the streaming server component using technologies natively supported on the client device (RTSP, RTMP, HLS, etc.) to receive the stream.

2. For restricted content offered without DRM, the Wireless Portal’s media applications first bring the purchasing mechanism into play and send the user to the streaming server component through a secure link, only valid for that user over a short amount of time. The streaming server component then provides the stream using technologies natively supported on PED.

3. With free DRM-enabled content, the Wireless Portal’s media applications send the user to the streaming server component which returns a DRM encrypted (AES-128 bits) stream (HLS). The verified client PED application then contacts the DRM key management server component for authentication. PED is now provisioned with a unique key which allows content playback.

4. Finally, for restricted DRM-enabled content (paid or otherwise), the Wireless Portal and its media applications first bring the purchasing mechanism into play and communicate the information to the DRM key management server component. Through PED application or plug-in, purchased content can then be requested from the streaming server component which provides a DRM-encrypted HLS stream to the client. At this point, verified client PED application contacts the DRM key management server component for authentication. The DRM key management server component confirms with an accredited billing system that a specific user has obtained the digital rights to given content before key is awarded. PED is now provisioned with a unique key which allows content playback.



The next figure shows the detailed DRM solution flow for wireless streaming video.

PED

Secure Application

Verimatrix SDK

Browser

1: Buy 3: Stream URL

WISE Portal Server

6: Encrypted Stream

5: Request Stream

Wireless IFE Server

7. Authenticated Key Request

DRM Key Management Server

Billing2: Purchase

8. Pull Billing Confirmation

4: Stream URL

9: Decrypt Movie

Figure 4 - Wireless DRM process

Wireless Security Measures

The Wireless IFE solution implements a number of security measures to prevent illegal intrusions into the Wireless IFE server as well as to prevent content theft:

IDS: The IDS mechanism supported by the WISE solution sits next (downstream) to the local firewall and is designed to detect and block malicious network or host activity.

Ngnix application Firewall: To filter ports and prevent networks attacks (DOS, port scan, SYN Flood)

CHROOT Services: All services are run in separate roots with distinct users with rights limited to their respective root directory, thus preventing directory traversal attack. Please note that while a chroot-capable SCP user has been defined for access to the DTI inbox, successfully login shall be enforced.



5 All-round Wireless IFE Solution Robustness

As stated earlier, the Wireless IFE server is a compact box industrialized by KID Systeme containing OS, base DTI software, with several additional protection features such as hardware identifier, Transport and Airline keys. Individual units are brought onboard where they are maintained in a discrete location. From there, a Wireless IFE server can only be accessed by maintenance personnel for the purpose of physical replacement. It is worth noting that a plane’s multipurpose flight attendant control panels (FAP) are designed to report various operational statuses (through SNMP), direct access to the device remains limited to proper chroot authority.

Typical Wireless IFE server inputs/outputs include Gigabit Ethernet, discrete inputs/outputs, CF card reader, removable SSD and avionic data interfaces. Note that for the purpose of the current submission, only the Ethernet network port and CF card slot are open for maintenance through control panel software management.

Figure 5 – Avionic server hardware architecture



The following diagram enumerates individual DTI and KID Systeme software components involved in the deployment and operation of the Wireless IFE server with emphasis on OSI-model security layers.

In addition to content security controls expressed throughout this document, figure 7 illustrates how the Wireless IFE server is designed around a cascade of firewalls where the Linux host works in addition to the resources provided inside each of the two DTI virtual machines.

Figure 7: Avionic server Wireless-IFE software component breakdown

6 Conclusion

Content security is of the highest priority. Content is the backbone of any successful application and providers should feel confident putting their content in this service. Through secure communication channels, secure encryption, efficient software and hardware hardening and cutting edge DRM product, DTI’s W-IFE solution offers a secure platform capable of bringing rich content to users.

Documents

DTI WISE Audio/Video Solution for KID SystemeDeals... · Hardware manufacturer, Wireless IFE vendor and Customer (KID Systeme) an Airbus subsidiary responsible for providing and provisioning