July 2007 | Volume 10 / Number 7
IPTV Myths - Part One: Technical Aspects
By Hemang Mehta
In the next three issues of Internet Telephony, we will be running a series of articles authored by Hemang Mehta, product management director for Microsoft TV. As IPTV deployments around the world ramp up, the series will dispel some of the most common myths about Internet Protocol TV (IPTV). This first “IPTV Myths” article focuses on some of the faulty technical assumptions about IPTV. The second installment will focus on the IPTV experience and what consumers can expect, now and in the near future. Finally, in September, Mr. Mehta will examine some of the deployment myths related to IPTV.
Myth: IPTV is just sending video files over the Internet, the same as Internet TV, file downloads and podcasting.
The reality: IPTV appears to consumers on the television screen at the flick of a switch, just like broadcast TV or cable. Internet TV, file downloads and podcasting all involve delay and uncertainty, and in some cases, poor quality. This is the most basic misunderstanding of the term IPTV.
The explanation: IPTV has a number of far-reaching implications because the underlying delivery mechanisms are the same as the Internet; instead of a unidirectional TV broadcast, IPTV is a point-to-(multi)point, bidirectional service that provides, for the first time, a direct, dedicated return channel from the TV viewer.
IPTV channels are NOT sent over the Web. Instead, they are sent over specially built private IP networks that belong to telecommunications carriers. While streaming video and audio over the Web is done on a best-effort basis (often leading to a degradation of the viewing experience, i.e., macro-blocking, picture freeze, audio interruptions, etc.), dedicated IPTV networks are designed and operated to guarantee a quality-of-service level that allows the optimum enjoyment of the delivered content.
IPTV uses the same basic protocols that the Internet uses. This means that once a TV program has arrived somewhere, it can be stored, replayed, copied and retransmitted, as long as this is permitted by the content owner, using standard Internet techniques. It also means that IPTV-enabled devices can accommodate other services that are also carried via Internet protocol.
IPTV is a new way of implementing television, although it appears to consumers very similar to existing cable and satellite TV. But IPTV can offer some key improvements, such as fast channel changing, a much greater choice of content, and extensive content search functions. It can also facilitate richer interactive content-related services than other pay-TV delivery systems. Interconnecting devices that speak the same “IP” language means that phone calls can emerge from TV speakers, or that the calendar on your PC can interrupt your TV viewing to remind you of an appointment, and that you will be able to surf the Internet via your TV.
IPTV has gone from concept to reality in a very short period of time. Over the last several years, service providers have consolidated disparate voice and data networks into a single, IP-based service delivery network. Delivering a groundbreaking service such as IPTV requires a complex and sophisticated ecosystem of technology companies developing entirely new software, chipsets, set-top boxes, encoders, network access hardware and components. As this system of moving parts evolves, integration and coordination occur at every level, including ongoing product development, lab trials, consumer trials and rigorous testing.
Myth: IPTV is less secure than normal TV because it travels over the Internet.
The reality: IPTV content is actually far harder for hackers to attack than cable, satellite or terrestrial encrypted pay-TV. The use of Internet Protocol technology and a two-way set-top box means that security messages (including authentication messages, confirmations, and decryption codes) can travel easily in both directions, to and from an IPTV set-top box, to multiple destinations in the operator’s network.
The explanation: Existing security systems that prevent unauthorized viewers from watching pay-TV services are called Conditional Access (CA) systems. Originally these systems simply checked whether or not a viewer had rights to view a particular piece of content. There are proprietary versions of CA that must be adapted to work with cable, terrestrial and satellite TV networks. But most CA systems, until recently, were based on the specifications from the DVB (Digital Video Broadcasting) Project, using its Common Scrambling Algorithm (CSA) encryption procedures.
There are numerous ways of storing decryption keys in both satellite and cable set-top boxes, but most of them rely on securely storing keys in a tamper-proof smart card or embedded security processor. This card is used to read keys that are sent alongside the content, which are in turn used to decrypt the content.
The usual commercial hacker attack on this type of system entails making a “clone” of the card, chip or set-top and then distributing copies of that “authorized” recipient. In satellite, and in many cases with cable TV, there are no return paths by which set-tops can talk back to a central system. This means that the set-top cannot send authentication data back to a central authentication server.
This is really a matter of setting a layer of conditions that the set-top must meet, and then granting access to the content when it meets them. This means that if a successful clone can be made, it can be freely distributed.
Once we introduce a return path to the system, as in IPTV, the authentication process can be two-way and frequent. If a particular set-top with a particular key has registered on the network, then it cannot register again and can be forced to re-declare itself every 10 minutes or twice a day, or once a week, at the operator’s command. If a second copy of the same keys appears and tries to register, it is a relatively simple matter to request the original to re-authenticate and if it does, that means there is an illegal clone on the network, which can now be declined service.
The way most people imagine content being stolen involves decrypting the digital signal, which means a pirate has to get his hands on the individual content decryption keys and work out how the issuing algorithm works. This has virtually never been done in modern cryptography and such a brute force attack is largely no longer tried.
A much simpler way is to take the output to a screen that is addressed as an analog, and then re-digitize it. So pirates focus on intercepting the instructions to the screen of a TV, storing them and then re-digitizing them. In this way individual TV programs can be copied and distributed over the Internet. The best way of dealing with this is to operate with devices that have some form of analog copy protection or to insert a watermark into the content that will persist beyond re-compression and distribution.
Recently there have been numerous efforts to personalize this method, so that each watermark contains the identity of the set-top that created it, revealing which individuals are pirates. This is a good direction, although still in its infancy.
There has been some use of traditional CA systems among IPTV operators, but in the meantime these have given way to more advanced systems based on the Advanced Encryption Standard (AES) and PKI (Public Key Infrastructure).
This advanced system is devised to take advantage of the return path, which uses frequent re-authentications. These have usually been married to more sophisticated ways of expressing viewing and copying rights, and they tend to be called Digital Rights Management (DRM) systems.
One weakness of such systems is that when they are implemented purely as a software download there is a tendency to extract a device key from things that the software can see. These are also sometimes things that a hacker can see. The software can read component numbers and device serial numbers and with a little bit of hit-and-miss trial and error, one or two of these have had their keys broken very rapidly.
Although this is easily fixed by downloading a new algorithm to extract a different key from the equipment, it is possible to combine the tried-and-true formula of the CA community and the new DRM specialists. This can be done by placing part of the key in a secure location on a chip, which only the DRM software can extract, and which won’t be available to visual or operating system inspection.
New methods have been developed by pirates to attempt to attack the AES-based IPTV content protection systems. These take the form of intercepting authentication signals and intercepting decryption keys, and forwarding these across the network to potential clones. Therefore, it is important to have a system that will not allow more than one copy of a device key on it at any time.
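The duplicate-key check described above (re-challenging the original registrant when a second copy of a device key tries to register, so that only one holder of a key is live at a time), as an added example that is not from the article or from any IPTV product. An HMAC challenge-response stands in for the operator's authentication protocol, and the class names, device ids, keys and the "decline the newcomer" policy are assumptions.

```python
import hashlib
import hmac
import os

class SetTop:
    """Simulated set-top box (or a copy of one); all names here are hypothetical."""
    def __init__(self, device_id, key, online=True):
        self.device_id, self.key, self.online = device_id, key, online

    def answer(self, nonce):
        # A box that is switched off sends nothing back on the return path.
        if not self.online:
            return None
        return hmac.new(self.key, nonce, hashlib.sha256).digest()

class Registrar:
    """Operator-side registry allowing one live holder per device key."""
    def __init__(self, provisioned):
        self.keys = dict(provisioned)  # device_id -> device key
        self.active = {}               # device_id -> registered SetTop
        self.flagged = set()           # device ids seen in two places at once

    def _proves_key(self, box):
        nonce = os.urandom(16)         # fresh per challenge, so old answers fail
        want = hmac.new(self.keys[box.device_id], nonce, hashlib.sha256).digest()
        got = box.answer(nonce)
        return got is not None and hmac.compare_digest(got, want)

    def register(self, box):
        if box.device_id not in self.keys or not self._proves_key(box):
            return "rejected"
        holder = self.active.get(box.device_id)
        # Same key already registered elsewhere: ask the original to re-authenticate.
        if holder is not None and holder is not box and self._proves_key(holder):
            self.flagged.add(box.device_id)  # two live holders of one key
            return "clone-detected"          # assumed policy: decline the newcomer
        self.active[box.device_id] = box     # first registration, or original is gone
        return "registered"

def demo():
    # Constructed device ids and keys, for illustration only.
    keys = {"stb-001": b"constructed-key-1", "stb-002": b"constructed-key-2"}
    reg = Registrar(keys)
    results = [reg.register(SetTop("stb-001", keys["stb-001"])),
               reg.register(SetTop("stb-001", keys["stb-001"])),  # copy of the key
               reg.register(SetTop("stb-001", b"wrong-key"))]     # no valid key
    old = SetTop("stb-002", keys["stb-002"])
    results.append(reg.register(old))
    old.online = False                                            # box rebooted
    results.append(reg.register(SetTop("stb-002", keys["stb-002"])))
    return results, reg.flagged
```

The last case shows why the original is re-challenged rather than the newcomer simply being refused: a legitimate box that rebooted no longer answers for its old session, so its new registration is accepted without being flagged.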
The war between piracy and content owners will continue, and future improvements in AES-style systems may focus on combining deeper usage knowledge into the authentication process. For instance, the line number for a specific DSL connection could be checked before allowing authentication, or usage data, such as the combination of channels that a viewer watched yesterday, could be used as part of the key. These are virtually impossible to copy or keep track of.
But at this moment in time the PKI systems using AES encryption provide a more secure environment than any other we know, especially when hardened further by using secret, secure device keys.
Myth: Net neutrality laws will mean that IPTV services could become illegal.
The reality: Net Neutrality laws, if they are passed, will make no difference to IPTV whatsoever, although they may make a difference to how popular video file download services and Web-based Internet TV become.
The explanation: Net Neutrality legislation, which has so far been defeated in Congress, is designed to safeguard existing services, not deny access to new services. It is fundamentally about the existing levels of quality in delivering high-speed Internet service.
If an Internet service provider (ISP) provides a good service to its customers in terms of download speed, or a poor service when measured by the same criteria, Net Neutrality is about every Internet destination getting the same treatment. As such, this legislation would be enacted by not allowing ISPs to apply varying priorities to traffic that comes through their Broadband Remote Access Servers.
Since IPTV is not about traffic that goes through the Broadband Remote Access Server, it can’t be affected.
The most affected traffic is large files (such as video) being served through the Broadband Remote Access Server. This traffic is already congested and consumers rely on their ISP providing enough bandwidth to ensure this is reasonably loaded at each of its servers. But the legislation is not about ensuring there is sufficient bandwidth there, only that every service has equal access to the bandwidth that exists.
The fear behind this attempt at new legislation is that ISPs will begin to slow traffic if it is coming from a service, such as MSN or Google, in an attempt to prevent such services getting a “free ride” on consumer ISP services. The exception would be if the ISP is allowed to somehow share in that profit by making an extra charge.
This fear is ungrounded, and all dialogue along these lines has actually been about providing “improved” bandwidth to these larger players, not deliberately limiting bandwidth provided to them, and re-assurances have been made repeatedly by all the major ISPs that this is the case.
None of this affects IPTV in the slightest and we believe that in a competitive broadband economy, market forces would conspire against any individual ISP attempting such a strategy, with or without new laws.
Hemang Mehta is Product Management Director for Microsoft TV.