Vous êtes sur la page 1sur 22

NAGRA MEDIA PRM

A SOLUTION FOR THE DELIVERY AND PERSISTENT


STORAGE OF PROTECTED CONTENT

PREPARED FOR DTLA


FOR USE IN REVIEW OF PRM AS AN APPROVED
RECORDING PROTECTION TECHNOLOGY FOR DTCP

DECEMBER 2010

Copyright © 2010 Nagravision SA. All Rights Reserved.


CH-1033 Cheseaux, Switzerland
Table of Contents
1 Introduction 3
2 Nagra Media PRM Overview 5
2.1 Digital Video Recorder (DVR) 6
2.2 Video On Demand 6
2.3 Authorized Domain 7
3 DTCP TO Nagra Media PRM Use Cases 8
4 Nagravision Security Architecture 10
4.1 Compliance and Robustness 10
4.2 Nagra On-Chip Security (NOCS) 11
4.3 Nagra Advance Security Certification (NASC) 12
4.3.1 Software Boot and Download Protection 12
4.3.2 Port Protections 12
4.3.3 Software API Testing and Validation 12
4.3.4 Hardware Access Protection 13
4.3.5 Networking Communication 13
4.3.6 NASC Certification Centers 13

5 Nagravision Legal Framework 14


6 DTLA Objective Criteria 15
6.1 DTLA Review 15
6.1.1 Policy Review 15
6.1.2 Legal Review 15
6.1.3 Technical Compliance 16

6.2 Content Owner and Implementer Support 17


Appendix A. DTCP Copy Information mapping to PRM 18
Appendix B. Usage rules 20

Persistent Rights Management


Page 2 of 22
1 INTRODUCTION
Nagravision is proposing that Nagra Media “Persistent Rights Management” (PRM) be approved by
Digital Transmission Licensing Administrator (DTLA) as a Recording Protection Technology for Digital
Transmission Content Protection (DTCP) 1 .
Nagravision has developed and deployed PRM to enable cable, satellite and IPTV service providers to
securely propagate and store content and its associated rights across a variety of media devices.
PRM is comparable to a Digital Rights Management (DRM) system. PRM has three major use cases:
1. Digital Video Recorder (DVR) security for stored content,
2. Video on Demand (VoD) security for pushed, pulled and streaming content, and
3. Content distribution in an Authorized Domain, for home networking and device refurbishment.
In various applications of PRM, DTCP is already an approved output, e.g., from a PayTV set-top box.
In other words, PRM can be a source for DTCP content. This document provides information to
support Nagravision’s request that PRM be approved to serve as a DTCP Sink for the persistent
storage of DT Data. Enabling PRM for DTCP sink protection will enhance interoperability of protected
content among consumer devices, including those typically associated with PayTV and others.
PRM’s specification and license are similar to other DRM compliance and robustness rules. As with
most other systems, the specification must be followed by the application or middleware using PRM.
PRM allows both hardware and software implementations, but these are managed separately in the
market. The hardware PRM is available for device manufacturers to implement in their devices, while
Software PRM is currently provided by Nagravision as part of a bundled solution call Nagra Media
Player. Software PRM is cryptographically segmented from Hardware PRM so that entitlements from
one system cannot be interpreted by the other.
This document describes Hardware PRM and how it meets the requirements for use as a persistent
storage technology for DTCP. Hardware PRM uses cryptographic tools to secure the content and
leverages hardware security features in silicon.
For Hardware PRM, Nagravision has very specific requirements because the device must comply with
the Nagravision Advanced Security Certification (NASC), which is a device manufacturer certification
program. Traditionally for set-top box (STB) manufacturers, NASC specifies the platform security
requirements for the device. NASC ensures robustness of not only PRM, but Conditional Access (CA)
systems, 3rd party DRMs, boot loaders, software download mechanisms and other software stacks.
NASC requires the use of a chipset which includes Nagravision On-Chip Security (NOCS), which a
certification program for embedded hardware security features implemented by chipset manufacturers.
NASC highlights include:
 Requirement to follow specification and to include NOCS hardware security
 Four (4) centers around the world to certify that the devices meet all requirements
 All major device manufacturers are customers 2
 Over 120 certifications per year
 Specification for leveraging chipset security for secure boot and download authentication
 Robust hardware design specification to prevent hardware attacks
 Network connection guidelines to avoid network attacks (e.g. cross scripting, denial of service
attacks)
NOCS hardware security is available in a range of high-end and low-end chipsets, and does not
require the complexity and expense of a special security processor. NOCS highlights include:

1
Pursuant to Appendix B, Part 1, Section 2.2.1 of the Adopter Agreement
2
E.g., ADB, Arion, Changhong, Cisco, Coship, Echostar, Huawei, Humax, Kaon, LG, Novabase, Netgem, Pace, Prime, Sagem,
Samsung, Skardin, Technicolor, Telsey, and Zinwell

Persistent Rights Management


Page 3 of 22
 All major PayTV chipset vendors implement NOCS 3
 NOCS requires adherence to specification and security requirements
 Over 30 chipset models certified to meet all requirements
 Over 40 million chipsets deployed
 Unique ID, unique device secrets, code signing, anti-debug protections
 Cross-chipset software API provides portability across devices
 Secure key generation, insertion and management infrastructure
PRM benefits from Nagravision’s culture of content protection:
 Over 20-year track record in content protection and device security
 Experience, independence and processes that ensure customers receive the best in breed of
platform security
 Industry leading certification and best practices in device security
 Experience in multi-vendor security environments and horizontal device markets 4
In addition, Nagravision has legal agreements with all device manufacturers that implement PRM to
ensure that devices manufactured and distributed by such entities:
 Meet the NASC security specification and pass certification tests
 Are able to securely update through software downloads to support revocation and renewal
requirements
 Do not use Open Source Software in such a way to taint the PRM software
The legal agreements also ensure that such manufacturers:
 Allow audit and sampling of locations and devices to ensure devices comply with the original
certified device. Penalties are US$250,000 per model or actual damages for non-compliance.
 Do not participate directly or indirectly in hacking activities and does not include any “defeating
functions” to assist in such hacking, with penalties of US$ 5 million or more per violation.
As summarized above and further described herein, PRM equals or exceeds the requirements
outlined in the document “Statement of DTLA Objective Criteria for Reviewing Recording and
Retransmission Protection Technologies”. Major service providers are already using PRM with new
devices anticipated to combine both DTCP and PRM. Accordingly, Nagravision has prepared this
white paper to accompany its formal request to DTLA for approval of the use of PRM for the persistent
protected storage of content that has been delivered using DTCP.

3
E.g., ST, Broadcom, Intel, NXP, NEC (Renasys), Sigma and Conexant
4
NASC is already the certification standard for horizontal device and multi-CA/DRM environments in a number of countries

Persistent Rights Management


Page 4 of 22
2 NAGRA MEDIA PRM OVERVIEW
PRM is a security solution providing content protection for:
1. Digital Video Recorder (DVR) security
2. Video on Demand (VoD) security for pushed, pulled and streaming content, and
3. Content distribution in an Authorized Domain, for home networking and device refurbishment
These different cases are summarized in Figure 1.

Figure 1 – Nagra Media PRM: Persistent Right Management

The common aspects of each of these use cases are as follows:


Content Protection
Any piece of content recorded or received on the device is encrypted. Recorded content protection is
done as soon as CAS, DTCP or other link protection is removed. PRM uses one scrambling key per
asset.
Credentials Protection and Authentication
Access to protected content requires a valid credential, PRM cryptography is based on the presence
of a unique secret in the device hardware. This secret allows PRM to create a specific entitlement that
can only be decrypted by a specific device. In addition, in VOD use cases, entitlements are signed to
ensure both the integrity and that they were created in the Nagra head-end.
Cryptography
The protection of content and credentials is performed using state of the art cryptography:
 PRM supports the AES cipher, in several modes applied either on the MPEG-2 TS payload or
on the full file. The CBC or ECB encryption modes are used. 128-bit keys ensure proper
protection of content.
 PRM ensures both confidentially (by encryption) and authenticity and integrity (by signing) of
all credentials. The signing is based on a 1024-bit long RSA key pair.

Persistent Rights Management


Page 5 of 22
2.1 DIGITAL VIDEO RECORDER (DVR)
PRM enables secure recording of content with usage rules (see Appendix B). These usage rules
enable a variety of use cases to be securely managed, for example, some content may be only
available for live watching, while other content may be stored on the device’s hard disk drive (HDD) for
later viewing.
The system secures local content by individually scrambling each asset with a unique content key:
 Unique to the device – the same asset recorded by two different devices at the same time will
be scrambled with a different content key.
 Unique to the content – each asset recorded by the same device is scrambled with a different
content key.
This protection mechanism has two main advantages:
 An asset recorded by a device can only be viewed by that device.
 If the content key of one asset is compromised, it cannot be used to descramble any other
content on the device.
When a device records content, it produces an entitlement that is then associated to that particular
asset on the storage unit. The entitlement contains both the content key and the usage rules for that
asset. The entitlement is encrypted by a hardware secret that is unique to that device.
Whenever CAS, DRM or link protection such as DTCP is used to protect content received by the
device, PRM evaluates and enforces usage rules received in conjunction with the CAS, DRM or link
protection for controlling the recording on a storage unit. These usage rules can be Copy Control
Information (CCI), digital and analog outputs management, etc. These usage rules are then assessed
again at playback and when transfering to another device.
Local Recording of Broadcast Content
When content is received protected by a CA System, PRM can control how linear or broadcast content
is recorded by the device. PRM usage rules are retrieved from CAS information embedded in the
ECMs, which are securely delivered to the device.
Local Recording of Content received using DTCP
PRM securely handles, in the device, content that has been delivered protected by DTCP. The
mapping of DTCP CCI and other DTCP fields to PRM is given in Appendix A.

2.2 VIDEO ON DEMAND


PRM protects Video on Demand (VoD) content, including adaptively streamed content whether VoD or
“Live”. VoD encompasses both Push-VoD (content is pushed to the device storage unit before the
end-user may purchase it), Pull-VoD (content is loaded to the device storage unit upon end-user
request only) and streamed content (content is rendered immediately and not stored permanently).
The system encrypts content at the head-end and generates entitlements uniquely associated with the
target device 5 . PRM works with a wide range of mechanisms to transport the content from the head-
end to the device, and does not place specific limitations on such delivery.
Access to content is granted through the delivery to the device of the unique PRM entitlement. This
entitlement is generated by the PRM head-end components upon request for a specific content item
by a specific device. Usage rules for controlling the consumption of content are securely conveyed in
the entitlements associated with the content. A portal handling the viewer’s VoD purchase typically
performs the delivery of this entitlement to the device, which can be through a range of delivery
mechanisms.

5
The head-end has the means to securely encrypt licenses uniquely for a device

Persistent Rights Management


Page 6 of 22
Content Revocation
Content may reside on the device storage unit at the time content is intended to be removed from the
VoD catalogue or after rights expire. PRM enforces the expiration of authorized usage through
content revocation. Content that is globally revoked (i.e., revocation which applies globally to all users)
is no longer playable, regardless of whether or not entitlements have been previously delivered.
VoD Entitlement Revocation
For various reasons (e.g. an entitlement contains an erroneous expiration date), an entitlement might
need to be revoked. This is a unique revocation, where only the end-user of that particular entitlement
is affected by the revocation.

2.3 AUTHORIZED DOMAIN


Each locally recorded live content is protected in such a way that only the device that performed the
recording is able to retrieve the content key to play it back.
The principle of the Authorized Domain is to allow several authorized devices to share the same set of
recorded contents, while preventing non-authorized devices to have access to it.
When DT Data is input into PRM, the usage rules are set to preclude output of content from one PRM
device to another, effectively disabling the Authorized Domain functionality for DT Data.
The Authorized Domain is under complete control of the head-end: Two devices need to get a
common secret provided by the head-end upon authorization, before being able to share content.
Content Refurbishment
The Content Refurbishment is a feature that allows a device to access all contents recorded by a
former device, despite that content is uniquely protected. It is a particular use case of Authorized
Domain.
This is especially useful in case a device crashes and must be replaced by a new hardware, keeping
the same storage unit. It allows the end-user to preserve access to all its recorded contents.

Persistent Rights Management


Page 7 of 22
3 DTCP TO NAGRA MEDIA PRM USE CASES
The DVR-VoD Library (DVL) is the PRM component on the device. The DVL software relies on a
Driver Abstraction Layer (DAL) that gives access to the OS, hardware cryptography functions and
other chipset resources of the device. The DVL is in charge of decrypting and evaluating the
credentials passed by the device application and of setting the content key into the chipset for
recording or playback.
The DVL has no access to received content and the associated metadata regardless of the manner in
which received content was protected, using DTCP or a CA System (e.g. live stream). For PRM
features, this means that the DVL has to cohabitate with a DTCP stack or CAS kernel on the device.
Transfer of the protection of content between these different components relies on compliance with
the PRM Specifications, which the device has to follow. The device application and all these
components are signed and integrity is checked at boot time, so that only authorized applications can
manipulate content following the defined usage rules. More details on compliance and robustness are
given in Section 4.
The DTCP Sink function handles protected content descrambling. When recording, the CCI are
retrieved by the device Application and provided to the PRM DVL.

Figure 2 – Device with the PRM DVL, DTCP stack, and CAS kernel

The following description applies to the typical DTCP Sink function use case. Persistent storage
control is based on the value of the CCI bits carried in the stream.
The recording workflow is illustrated in Figure 3:
1. Content is made available from the DTCP Sink and the CCI evaluated to define if recording is
allowed or not;
2. The device application triggers the start of a recording session and provides the credentials to
the DVL;
3. The DVL generates a content key for scrambling of the content;
4. The DVL returns a entitlement to the device application; and
5. The device application stores the entitlements alongside content.

Persistent Rights Management


Page 8 of 22
Figure 3 – DVR Recording

Within this flow, the enforcement of the CCI/usage rules is under the responsibility of the full device.
The correct behavior of the device is ensured by compliance with the PRM Specification plus the
NASC certification as described in Section 4.3. DTCP maps to the PRM as defined in the metadata of
the PRM entitlement as described in Appendix A.
Playback is illustrated in Figure 4:
1. The device application retrieves the entitlement stored alongside content;
2. The device application provides it to the DVL;
3. The DVL checks the entitlement validity and, if valid, sets the content key in the descrambler;
4. The DVL returns an updated entitlement to the device application (e.g. updating usage rules);
and
5. The device application stores the entitlements alongside the content.
Note that should content be later exported or moved using DTCP (DTCP Source Function), CCI and
usage rules are asserted by the DTCP Source and, if entitled, content is encrypted and exported by
the DTCP stack.

Figure 4 – DVR Playback

Persistent Rights Management


Page 9 of 22
4 NAGRAVISION SECURITY ARCHITECTURE
4.1 COMPLIANCE AND ROBUSTNESS
When Nagravision considers device security we look at it in three steps (Figure 5):
 Security into the device, including both scrambled content and its usage rules;
 Security on the device, including access to clear content and persistent storage of content on
a storage unit; and
 Security out of the device, including both uncompressed (e.g. HDCP on HDMI) and
compressed outputs (e.g. DTCP on IP).
DTCP can provide security into a device (DTCP Sink), and security out of the device (DTCP Source).

Figure 5 – Nagravision perspective on content protection and device security

Since in most cases the security system is independent of the middleware or media player that must
implement the usage rules, the concept of “compliance” has been developed to ensure the device as a
whole – both the PRM and the application – complies with the usage rules and rights associated with
content. Some rights can be enforced by the DRM or CA system itself, for example access to the
content and time-based rights. However, some rights and usage must be determined in conjunction
with the application such as output controls (e.g. turn on analog protections, or image constraint on
unprotected digital outputs), play counts, persistent storage, bridging of rights to other DRM or
protected digital outputs.
In short, compliance requires that the whole device must correctly perform what is communicated via
the PRM usage rules. Generally, compliance is testable.
“Robustness” specifies the precautions necessary to avoid compromise of the software and content on
the device. Most DRM systems specify the different asset types (e.g. device secrets vs. content keys
vs. personal data) and the level of resistance to attack required for different assets on the device
based on different types of attack tool categories (e.g. Professional Tools vs. Specialized Tools vs.
Widely Available Tools).
Nagravision has taken a different approach to robustness, because robustness is much harder to
actually test. Rather than leave this up to each device manufacturer and risk weak implementations in
the market, Nagravision developed a certification program called Nagravision Advanced Security
Certification (NASC). This includes specifications, visual analysis, security design reviews and
functional tests to ensure the proper security precautions have been under taken.
To help visualize compliance and robustness rules, Figure 6 shows how robustness and compliance
rules are met on the typical device.

Persistent Rights Management


Page 10 of 22
Device Security
Into the On the Out of
Device Device Device

DRM or CA Middleware + Middleware +


Compliance System DVR Software STB Drivers

Device Secret
Robustness Anti-tamper
Anti-debug 
Figure 6 – Device security relationship to compliance and robustness rules

4.2 NAGRA ON-CHIP SECURITY (NOCS)


In fact, Nagravision has two levels of certification. One for chipset vendors called Nagra On-Chip
Security (NOCS), and a certification for device manufacturers called NASC, that requires the NOCS
chipset features.
NOCS was first specified to chipset manufacturers in 2002. Nagravision has implemented and evolved
this security since and NOCS 1.2 was recently released in 2010. All major Pay-TV chipset providers
have NOCS certified chipsets including, ST, Broadcom, Intel, NXP, NEC (Renasys), Sigma and
Conexant. Over 30 different chips have been certified and over 30 million NOCS chipsets have been
deployed.
NOCS is a secure, cross-chipset security certification and key management system that ensures a
consistent quality of implementation for chipset security features. The significant value is the common
API and infrastructure, which provide a scalable chipset security solution for Nagra products, device
manufacturers and our service providers.
NOCS includes many security features, and the following key elements:
1. Nagra Unique ID (NUID) – ensures uniquely identified chipsets;
2. Unique device secrets – ensures device secrets are not accessible in memory for secure
decryption of secrets, entitlements, content keys and control words;
3. Software authentication – provides software tamper-resistance and secure boot loading via an
embedded RSA key;
4. Debug port protections – prevents observation and modification of software and data in
memory during execution; and
5. Persistent Values & Configuration – defines specific secure chipset configurations and values
that must set and locked.
NOCS is more than just chipset features, but a complete infrastructure including:
 Specification and implementation guidelines used by chipset vendor design teams
 Nagra certification team and processes to certify chipset implementations
 A common cross chipset API to access the NOCS hardware elements
 Nagra Black Boxes that are installed in chipset manufacturers around the world for key
insertion into the chipsets.

Persistent Rights Management


Page 11 of 22
 Nagra Production Services, which performs a number of important services:
 Key generation, reporting and delivery to Black Boxes
 Key generation, reporting and delivery to device manufacturers
 Delivery of device specific key files to operator head-ends
NOCS security is an important element in all Nagra products, including:
 Nagra Media Access CLK product (card-based CAS for Linear TV and VoD)
 Nagra Media Access ELK product (cardless CAS for two-way connected networks)
 Nagra Media PRM (DVR, VoD and Authorized Domains solutions

4.3 NAGRA ADVANCE SECURITY CERTIFICATION (NASC)


Nagra Advanced Security Certification (NASC) is a specification and certification process for device
manufacturers to ensure their devices properly leverage the NOCS security features in the chipset in
order to provide the security needed for Nagra CA and DRM products and content protection.
Most major device vendors have produced NASC-certified devices, including ADB, Arion, Changhong,
Cisco, Coship, Echostar, Huawei, Humax, Kaon, LG, Novabase, Netgem, Pace, Prime, Sagem,
Samsung, Skardin, Technicolor, Telsey and Zinwell.
The advantage of a certification process is that it ensures a minimum standard and prevents weak
implementations from entering the market. Device manufacturers are not all created equal and without
a standard, they are not motivated to improve the security. Often weaker devices that facilitate piracy
will sell better than secure devices. While in theory a heavily pirated class of devices could be
revoked, this is at the risk of annoying many legitimate customers.
The NASC specification is highly technical and only available under NDA. The next sections highlight
some key aspects of the specifications and certification process.

4.3.1 Software Boot and Download Protection


An important certification step centers around the software booting and software download
authentication processes. These must correctly leverage signature checking features in the NOCS
chipset. NASC includes:
 Preventing modifications on the boot loader code and validating the code during boot by using
the signature process.
 Preventing download of non-authorized code in flash memory and validating the update
software using the signature process.

4.3.2 Port Protections


JTAG access must be either locked with a password/key or permanently disabled. Nagravision
provides JTAG passwords as part of the NOCS features. These passwords are unique per device and
are individually tracked. Devices whose passwords have been released (e.g. for pre-production or
debugging purposes) are typically removed from the field and/or blacklisted on the operator head-end.

4.3.3 Software API Testing and Validation


NASC certification checks that NOCS unique identifiers, keys, key ladders and other security features
can be accessed correctly by the software This testing is performed using specific generated test
streams and keys following a well established and defined process to ensure a consistent response
across a wide variety of customer platforms. This certification step ensures a cross-chipset solution.

Persistent Rights Management


Page 12 of 22
4.3.4 Hardware Access Protection
NASC ensures that the physical hardware implementation secures device memory (e.g. flash, RAM,
mass storage), sensitive communication buses (e.g. flash bus), as well as internal components or
connectors on these buses.
The most basic requirement is to remove all unnecessary connectors or solder pads. There are
requirements for certain components and parts on the PCB that need to be protected:
 Flash: shall contain a permanently locked sector (PLS) and shall be protected against
unauthorized replacement.
 Alternatively employ flash where some sectors could be transformed in read only sectors
by burning a fuse or use flash where some sectors could be protected by a password.
 Flash bus: must protect against unauthorized access to the flash bus (e.g. BGA packaging).
 RAM: must limit access to the bus (e.g. BGA packaging).
 Connectors: must disable non-required or unused sensitive connectors.
This minimum hardware protection is defined as a level where reprogramming of the code and data in
the flash device shall be restricted to professional tools in authorized premises.

4.3.5 Networking Communication


NASC also has requirements that apply to network communication between the device and other
hosts. Network communication is any communication through a network interface such as:
 Ethernet interface
 WiFi interface
 USB interface with an Ethernet dongle
 Bluetooth interface, etc
The NASC networking concept is closely linked to the definition of “host” and “trusted host”. The
device shall authenticate the hosts it communicates with, not the opposite. More formally, a trusted
host is one of the following device types:
 A device compliant with NASC security requirements. In this case, the device can authenticate
such device relying on either asymmetric or symmetric keys algorithm.
 A device that owns a certificate issued by a trusted authority. The certificate validates that the
host is what it claims to be.

4.3.6 NASC Certification Centers


Nagravision has NASC certification centers in Switzerland (Cheseaux), the USA (Atlanta) and China
(Shanghai & Beijing). These centers certify over 120 different devices each year.
In addition Nagravision provides device testing via an independent subsidiary called TESC. TESC can
test that the user interface follows specific guidelines and/or that compliance rules are properly met.

Persistent Rights Management


Page 13 of 22
5 NAGRAVISION LEGAL FRAMEWORK
PRM is also governed by a standard legal contract between Nagravision and the device manufacturer.
This section describes the key points covered under this agreement. The document can be made
available for review under a Non-Disclosure Agreement (NDA).
The device manufacturer:
 Shall have no rights to reverse engineer, or decompile the PRM Software.
 Must meet the requirements of the PRM Specification and the NASC Specification.
 Must implement any updates to the NASC Specification on new devices according to the
timeframes and process outlined in the license agreement.
 Shall allow a security audit of their location to ensure procedures and precautions are in place
to guarantee the confidentiality of the elements furnished or made available, as well as to
verify that the use of the PRM Software is in accordance with the rules.
 Shall allow for sampling of devices for compliance with the NASC specification.
 Must represent and warrant that it has not incorporated and will not incorporate any Open
Source Software in whole or in part into any part of the software, and has not used and will not
use any Open Source Software in whole or in part in the development of any part of the
software in a manner that may subject the PRM implementation, in whole or in part, to all or
part of the license obligations of any Open Source Software.
 Shall provide the right to perform software updates free of charge to the device and must
provide support for such updates, if needed, under a time and expenses agreement.
 Must warrant that there is no Conflict of Interest, such that the device manufacturer
 has no contractual or other relationship with any entity or individual involved in piracy or
hacking, and that
 is not and shall not be directly or indirectly involved in piracy or hacking, including by
using in the STB defeating functions (by defeating functions it is meant switches,
buttons, jumpers and software equivalent, service menus or remote control functions
which can be used to defeat conditional access or content protection technologies,
output restrictions or protections, recording restrictions or protections or by which data in
the STB can be exposed to output, interception, retransmission or copying other than as
permitted).
Financial Penalties for the device manufacturer are as follows:
 Liability associated with breach of Open Source warranties is uncapped.
 Liability for the lack of compliance with the certified devices, if discrepancies found, or
information withheld, is US$250,000 per model, or more for actual financial damages.
 Liability associated with the breach of Conflict of Interest is US$ 5 million per violation.

Persistent Rights Management


Page 14 of 22
6 DTLA OBJECTIVE CRITERIA
This section is based on the document “Statement of DTLA Objective Criteria for Reviewing Recording
and Retransmission Protection Technologies”. Answers are provided to help assessment of the
evaluation criteria.

6.1 DTLA REVIEW


6.1.1 Policy Review
The proposed technology does not impair interoperability with respect to the exchange of DT
Data among licensed products.
Approval of PRM will not impair, but will instead enable, interoperability. The exchange of DT Data is
carried out by Nagravision or other 3rd party DTCP stack implementations in compliance with this
requirement. This ensures that the complete product associating DTCP and PRM is interoperable with
other licensed products.

6.1.2 Legal Review


The license agreement implements requirements that are no less stringent than the
requirements of Exhibit B Part 1: Compliance Rules for Sink Functions, as set forth in the most
current version of the DTLA Adopter Agreement, including with respect to maintaining the
protection of DT Data through authorized digital, analog and high definition analog outputs,
and prohibiting unauthorized retransmission of DT Data over wide area networks and the
Internet.
The PRM specification and associated NASC and NOCS licenses are, at least as stringent as the
DTLA Compliance rules. NASC compliance and robustness has been designed for PayTV Conditional
Access Systemswi technologies that are widely trusted. PRM provides selectable output controls and,
under those controls, can only enable output to protected digital outputs that prohibit retransmission of
DT Data over wide area networks and the Internet.
If the technology so permits, the license agreement provides for a right of revocation or for
renewability where the security elements of a particular device have been cloned.
The PRM license and architecture fully support revocation and renewability. PRM is taking advantage
of a unique hardware secret on a device. When receiving or exchanging content, devices need to
acquire from a head-end credentials and entitlements to allow this. This required connection to the
head-end allows monitoring of the activity and cloned devices or any other suspicious device can then
be detected. A device will be black-listed and not allowed to get content. PRM also allows revocation
of entitlements already delivered, hence disabling a device from accessing content. All devices are
required to support secure software updates to enable renewability.
The license agreement provides protections against the device interfering with a consensus
watermark, in a manner no less stringent than the obligations set forth in Section 6 of Exhibit
B, Part 1: Compliance Rules for Sink Functions in the most current version of the DTLA
Adopter Agreement.
Clear content is not modified by the PRM solution. So Nagra Media PRM does not interfere with any
known Watermark technology.
The license agreement imposes robustness requirements that are no less stringent than the
applicable Robustness Rules as set forth in the most current version of the DTLA Adopter
Agreement.
PRM is built upon NOCS (see Sections 4.2) NASC (see Section 4.3). The robustness requirements
are more stringent than DTCP and must be certified prior to distribution of the device. A DTCP
software stack (whether provided by Nagravision or a 3rd party) will also benefit from robustness
provided by NASC as the requirements are the same or more stringent.

Persistent Rights Management


Page 15 of 22
Nagravision has established license agreements with chipsets manufacturers for NOCS and license
agreements with device manufactures for PRM and NASC. Agreements are available only under NDA.
 The PRM and NASC license agreements include clauses allowing Nagravision to perform
security audits. In case of piracy, the licensee is liable for a certain indemnity.
 The NOCS license agreement includes clauses allowing Nagravision to suspend the product
validation in case of security issues. In addition, chipset architectures are validated by
Nagravision. Lastly, in case of piracy, the licensee is liable for a certain indemnity.
Legal recourse potentially is available in case of circumvention of the technology by persons
other than licensees.
The Kudelski Group has a history of tracking companies or individuals that circumvent Nagravision
technologies. The Kudelski Group has dedicated monitoring and countermeasures team including
both legal and technical personnel for this matter. In the last years, the Group was able to win several
trials in this field. Please refer to the following press releases for further details:
 The Kudelski Group continues its fight against piracy initiatives, available at
http://www.nagra.com/cms/THE-KUDELSKI-GROUP-CONTINUES-ITS.html
 Verdict against pirating of television programs, available at
http://www.nagra.com/cms/VERDICT-AGAINST-PIRATING-OF.html
 Pirating of television programs: A further verdict on illegal decoder cards, available at
http://www.nagra.com/cms/PIRATING-OF-TELEVISION-PROGRAMS-A.html
The license provides, or the licensor commits, that future amendments to the license that
would affect the license terms and conditions that were disclosed to DTLA will not diminish the
protections afforded to DT Data, as described above.
Nagravision has the reputation as the provider of the highest-level of security technology and services
in the PayTV market. Our commercial interests are completely aligned with the DTLA and the Content
Participants to continue to provide best in breed security. Evolution of NOCS security and NASC
robustness will be at least if not more restrictive compared to existing versions. As a consequence, the
offered protection with PRM and in the device will not diminish and therefore the protection offered to
DT Data will not diminish.

6.1.3 Technical Compliance


The proponent of the technology should provide to the DTLA sufficient technical information to
demonstrate that:
The recording technology provides for detection and correct response to copy control
information, as defined by the DTLA Specification (in EMI, Embedded CCI or both).
CCI carried through DTCP link is handled by the device application and maintained within the
entitlement by the DVL. In case of an export of the content, CCI are provided for carriage over output
protection link. When recording is requested, the device application correctly enforces the CCI. NASC
ensures that the device application is not modified and hence ensures that CCI enforcement is
performed.
The recording technology provides for a means of security for the making of permissible
copies, as set forth in Section 2 of Exhibit B, Part 1: Compliance Rules for Sink Functions of
the most current version of the DTLA Adopter Agreement.
The handling of CCI is managed by the combination of the PRM DVL component, the DTCP stack
provided by Nagravision or a 3rd party and the device application. This is described in detail in sections
2 and 3.
The recording technology provides that removable recorded media will maintain the required
level of protection when played back on a device other than the device upon which the
recording was made.
Content recorded on removable media can only be played back on a trusted device for which
dedicated credentials has been generated. These credentials can only be obtained from the head-end.

Persistent Rights Management


Page 16 of 22
6.2 CONTENT OWNER AND IMPLEMENTER SUPPORT
In addition to meeting the above criteria, the proponent may provide to DTLA evidence of
support for the technology and licensing terms and conditions from Content Participants and
DTCP Adopters. In addition, the proponent also may provide to DTLA evidence of support for
the technology and licensing terms and conditions from:
a. Motion picture companies that are members of the MPAA, in the case of technology used to
protect audiovisual works,
PRM is already used to protect premium VOD and DVR recording at Canal+, Mediaset and other
major service providers.
b. Major sound recording labels, in the case of technology used to protect only sound
recordings, and
Not applicable.
c. Manufacturers interested in implementing both the proposed technology and DTCP.
Samsung
In the event that the proposed technology and licensing terms and conditions do not meet one
or more of the requirements set forth in subsections B and C of Section I above, the proponent
should provide DTLA with evidence of support for the technology from a substantial number of
major motion picture or recording companies, as applicable.
Not applicable.

Persistent Rights Management


Page 17 of 22
APPENDIX A. DTCP COPY INFORMATION MAPPING TO PRM
DTCP defines the following fields controlling content display and further export when received on a
Sink device:
 Retention_Move_mode
 Retention_State
 EPN
 DTCP_CCI
 Analog_Sunset_Token
 Image_Constraint_Token
 APS
If the Sink device implements Nagra Media PRM, then the following rules apply:
All fields take their default values as shown in Appendix B, except as expressed below.

The Authorized Domain functionality of PRM is disabled for DT Data.


PRM_ token = 0

 Analog_Sunset_Token asserted
digital_only_token = 1.

 DTCP_CCI = 11 (Copy-Never) and Retention_Move_mode = 0


This is the case where the Sink device receives content that is streamed. It can not be stored
permanently and it can be displayed. The “Retention_State_value” defines the duration that can be
temporary stored for replay buffer functionalities, Received content is protected by the PRM and a
PRM entitlement is created with the following values:
recording_flag = 0, cci = 11, retention_state = Retention_State_value, image_constraint =
Image_Constraint_Token_value, digital_only_token = 1.

 DTCP_CCI = 11 (Copy-Never) and Retention_Move_mode = 1


This is the case where the Sink device receives content that is streamed. It can not be stored
permanently or in a review buffer and it can be displayed.

 DTCP_CCI = 01 (No-more-copies)
In this case, the Sink device will treat the content as Copy-Never and not allow permanent storage of
the content. Received content is protected by the PRM and a PRM entitlement is created with the
following values:
recording_flag = 0, cci = 01, image_constraint = Image_Constraint_Token_value, digital_only_token =
1, concurrent_viewing = 000

 DTCP_CCI = 10 (Copy-one-generation) and Retention_Move_mode = 0


This is the case where the Sink device is allowed to permanently store the content and to make an
additional copy. Received content is protected by the PRM and a PRM entitlement is created with the
following values:

Persistent Rights Management


Page 18 of 22
recording_flag = 1, cci = 01, image_constraint = Image_Constraint_Token_value, digital_only_token =
1.

 DTCP_CCI = 10 (Copy-one-generation) and Retention_Move_mode = 1


Treated as Copy Never content with Retention_Move_mode = 1.

 DTCP_CCI = 00 (Copy-Free) and EPN asserted


This is the case where the Sink device is allowed to permanently store the content. Received content
is protected by the PRM and a PRM entitlement is created with the following values:
recording_flag = 1, cci = 00, image_constraint = Image_Constraint_Token_value, digital_only_token =
1.

 DTCP_CCI = 00 (Copy-free) and EPN not asserted


This is the case where the Sink device is allowed to permanently store the content and to make an
unlimited number of copies. Received content is protected by the PRM and a PRM entitlement is
created with the following values:
recording_flag = 1, cci = 00, image_constraint = Image_Constraint_Token_value, digital_only_token =
1.

Persistent Rights Management


Page 19 of 22
APPENDIX B. USAGE RULES
The following usage rules are supported by PRM.
recording_flag: This is a 1-bit field. Possible values are:
0 Recording is not allowed.
1 Protected recording is allowed.
The default value is 1. This flag does not apply to the review buffer which is governed by other fields.
This applies to whether a persistent copy is allowed (e.g. after the device is shut-down).

original_sub_required: This is a 1-bit field. Possible values are:


0 At playback time, no valid subscription on the channel content has been recorded is needed.
1 At playback time, a valid subscription on the channel content has been recorded is needed.
The default value is 0.

dvr_sub_required: This is a 1-bit field. Possible values are:


0 At recording time, no valid DVR subscription is needed.
1 At recording time, a valid DVR subscription is needed.
The default value is 0.

trans_coding_control: This is a 1-bit field. Possible values are:


0 Trans-coding or re-encoding of content is not allowed.
1 Trans-coding or re-encoding of content is allowed.
The default value is 1.

image_constraint: This is a 1-bit field. Possible values are:


0 Downscaled from HD analog video to SD analog video on the component video interface is not
required.
1 Downscaled from HD analog video to SD analog video on the component video interface is
required.
The default value is 1.

trick_mode_control: This is a 4-bit field. Possible values are:


0000 No restrictions.
0001 No skipping, fast forward and fast backward limited to Speed 1.
0010 No skipping, fast forward and fast backward limited to Speed 2.
0011 No skipping, fast forward and fast backward limited to Speed 3.

1110 No skipping, fast forward and fast backward limited to Speed n.
1111 No skipping/jumping/fast forward/fast backward.
Other values are reserved for future use.

Persistent Rights Management


Page 20 of 22
Speeds 1 to n are those supported by the application on the device. The default value is 0000.

playcount: This is a 4-bit field. This is the maximum number of time playback of content is allowed. If
set to 0, then the number of playback is not limited. Actual playcount value is stored separately. The
default value is 0.

concurrent_viewing: This is a 3-bit field. This is the maximum number of clients a gateway is
allowed to concurrently stream to. Possible values are:
000 Local viewing only
001 Concurrent streaming to a maximum of 1 client is allowed
010 Concurrent streaming to a maximum of 2 clients is allowed
011 Concurrent streaming to a maximum of 3 clients is allowed
100 Concurrent streaming to a maximum of 4 clients is allowed
101 Concurrent streaming to a maximum of 8 clients is allowed
110 Concurrent streaming to a maximum of 12 clients is allowed
111 Concurrent streaming to an unlimited number of clients is allowed
The default value is 110.

digital_only_token: This is a 1-bit field. Possible values are:


0 Output of decrypted content is allowed on Analog Outputs.
1 Output of decrypted content is not allowed on Analog outputs.
The default value is 0.

unprotected_digital_output_token: This is a 1-bit field. Possible values are:


0 Output of decrypted content on Unprotected Digital Outputs is not allowed.
1 Output of decrypted content on Unprotected Digital outputs is allowed.
The default value is 0.

hdcp_token: This is a 1-bit field. Possible values are:


0 Output of content on HDCP is not allowed
1 Output of content on HDCP is allowed.
The default value is 1.

dtcp_token: This is a 1-bit field. Possible values are:


0 Output of content on DTCP is not allowed.
1 Output of content on DTCP is allowed.
The default value is 1.

WMDRM_token: This is a 1-bit field. Possible values are:


0 Output of content on WMDRM is not allowed.

Persistent Rights Management


Page 21 of 22
1 Output of content on WMDRM is allowed.
The default value is 0.

PRM_token: This is a 1-bit field. Possible values are:


0 Output of content on PRM is not allowed.
1 Output of content on PRM is allowed.
The default value is 1.

others_token: This is a 1-bit field. Possible values are:


0 Output of content on any other protection systems is not allowed.
1 Output of content on all other protection systems is allowed.
This token constitutes the output control for any and all other content protection systems other than
HDCP, DTCP, PRM and WMDRM. The default value is 0.

cci: This is a 2-bit filed. Possible values are those defined in DTCP for the same field and are:

00 Copy-control_not_asserted

01 No-more-copies

10 Copy-one-generation

11 Copy-Never

retention_state: This is a 3-bit field. Possible values are those defined in DTCP for the same field and
are:

000 Forever

001 1 week

010 2 days

011 1 day

100 12 hours

101 6 hours

110 3 hours

111 90 minutes
The default value is 111.

Persistent Rights Management


Page 22 of 22