orange cinema series video profiles and security architecturedeals/ocs technical … · the...

ORANGE CINEMA SERIES

Video Profiles and

Security Architecture

Version 1.21.1

Date November 13th, 2008September 2nd, 2009

Contact [email protected]

This document details the security architecture which will be has been implemented at the launch of Orange Cinema Series, with a limited update to introduce a new STB to be released at the end of 2009.

_______________________________

Summary

1. Permitted Devices and Permitted Means ..................................................... 2

2. Programs and Provisioning........................................................................ 4

3. Linear service in Eligible Zone ................................................................... 8

4. Linear service in Non-Eligible Zone .......................................................... 13

5. On Demand service in Eligible Zone ......................................................... 15

6. On Demand service to PC ....................................................................... 17

7. On Demand service in Non Eligible Zone................................................... 20

8. Linear service to PC ............................................................................... 22

9. Sideload............................................................................................... 25

10. Linear and On Demand services to Mobile............................................... 26

Mis en forme : Exposant

© France Telecom 2008-2009 CONFIDENTIAL – UNDER NDA

2

1. Permitted Devices and Permitted Means

France Telecom operates an IPTV closed network (video to TV or video to STB) over its own network infrastructure which targets (i) FTTH customers; (ii) ADSL customers in Eligible Zone, i.e. who have enough downlink bit rate to receive the IPTV streams (EZ customers); (iii) ADSL customers who are Not Eligible to IPTV, and which will be proposed a satellite offer from Summer 2008 on (NEZ customers). Orange TV customers receive a EZ/NEZ Set Top Box and a Viaccess smart card for viewing video services on their TV or HD TV set.

France Telecom also operates video services over the internet (video to PC) and over its own mobile access networks (video to Mobile). Under certain conditions, it is possible to transfer a Program from the PC to a PMP or a Mobile (sideload).

The following diagram recaps the access networks and categorizes the video quality accessible on each device accordingly. Note that access bit rate thresholds are indicative. Video bit rates are detailed in chapter 2.3.

EZEZEZEZ

3G/3G+3G/3G+3G/3G+3G/3G+

2G+2G+2G+2G+

818

Mbps

58

Mbps

0.55

Mbps

100500

kbps

50100

kbps

IPTV

IPTV

IPTV

IPTV

SAT

SAT

SAT

SAT

TV

TV

TVTV

Mob TV

Mob TV

Mob TV

Mob TV

Mob

Mob

Mob

Mob

TV+

TV+

TV+

TV+

EZ

EZ

EZ

EZ VoD

VoD

VoD

VoD

NEZ

NEZ

NEZ

NEZ

VoD

VoD

VoD

VoD

PC

PC

PC

PC VoD

VoD

VoD

VoD

Mob

Mob

Mob

Mob VoD

VoD

VoD

VoD

Web TV

Web TV

Web TV

Web TV

Fixed

Fixed

Fixed

FixedNetworks

Networks

Networks

Networks

Mobile

Mobile

Mobile

Mobile

Networks

Networks

Networks

Networks

FTTxFTTxFTTxFTTx100

Mbps

NEZNEZNEZNEZ

xDSLxDSLxDSLxDSL

EZ HDEZ HDEZ HDEZ HD

LinearLinearLinearLinear

ServicesServicesServicesServices

On On On On DemandDemandDemandDemand


AccessAccessAccessAccess

Bit rateBit rateBit rateBit rate


TechnologyTechnologyTechnologyTechnology

sideload

sideload

sideload

sideload

HD 8 Mbps

and/or SD

SD

1.5 Mbps

basic SD

700 kbps

Mobile

50250 kbps

HD if available

and/or SD

SD or basic SD

at user choice

VideoVideoVideoVideo QualityQualityQualityQuality

EZEZEZEZ

3G/3G+3G/3G+3G/3G+3G/3G+

2G+2G+2G+2G+

818

Mbps

58

Mbps

0.55

Mbps

100500

kbps

50100

kbps

IPTV

IPTV

IPTV

IPTV

SAT

SAT

SAT

SAT

TV

TV

TVTV

Mob TV

Mob TV

Mob TV

Mob TV

Mob

Mob

Mob

Mob

TV+

TV+

TV+

TV+

EZ

EZ

EZ

EZ VoD

VoD

VoD

VoD

NEZ

NEZ

NEZ

NEZ

VoD

VoD

VoD

VoD

PC

PC

PC

PC VoD

VoD

VoD

VoD

Mob

Mob

Mob

Mob VoD

VoD

VoD

VoD

Web TV

Web TV

Web TV

Web TV

Fixed

Fixed

Fixed

FixedNetworks

Networks

Networks

Networks

Mobile

Mobile

Mobile

Mobile

Networks

Networks

Networks

Networks

FTTxFTTxFTTxFTTx100

Mbps

NEZNEZNEZNEZ

xDSLxDSLxDSLxDSL

EZ HDEZ HDEZ HDEZ HD

LinearLinearLinearLinear


On On On On DemandDemandDemandDemand



Bit rateBit rateBit rateBit rate


TechnologyTechnologyTechnologyTechnology

sideload

sideload

sideload

sideload

HD 8 Mbps

and/or SD

SD

1.5 Mbps

basic SD

700 kbps

Mobile

50250 kbps

HD if available

and/or SD

SD or basic SD

at user choice

VideoVideoVideoVideo QualityQualityQualityQuality

In this document, we describe each of the following architectures, as used for Orange Cinema Series:

- Linear EZ / NEZ / PC / Mobile

- On Demand EZ / NEZ / PC / Mobile

- Sideload

NB: throughout the document, we refer to Linear (resp. On Demand) content as Live (resp. SVOD) content.


3

The following table recaps in each case: the network used, the delivery means, and the CAS/DRM technology envisaged at launch:

Permitted Device

Primary Secondary

Linear Architecture On Demand Architecture

EZ STB IPTV Network

Streaming multicast

Viaccess CAS

IPTV Network

Streaming unicast

Viaccess CAS

NEZ STB Satellite

Broadcast

Viaccess CAS

FT IP Networks

Temporary Download

Microsoft WMDRM-PD

FT IP Networks

Streaming unicast

Microsoft WMDRM-PC or Viaccess CAS/PC (under study)

FT IP Networks

Streaming unicast or Temporary Download

Microsoft WMDRM-PC

PMP N/A Transfer from PC

Temporary Download

Microsoft WMDRM-PD

MOBILE N/A Transfer from PC

Temporary Download

Microsoft WMDRM-PD

PC

Home

Networking

Streaming from PC to DMA-TV

Microsoft WMDRM-PC + DTCP-IP

Streaming from PC to DMA-TV

Microsoft WMDRM-PC + DTCP-IP

MOBILE EDGE/UMTS/HSDPA Network

Streaming unicast

Native mobile network and device security

EDGE/UMTS/HSDPA Network

Streaming unicast, no Temporary Download

Native mobile network and device security

Note: in Non Eligible Zone, SAT / Viaccess CAS is used for Linear services, but IP / Microsoft DRM is used for On Demand services, ie the NEZ STB can manage two security systems.

Note2: from the security point of view, the Start-over and Catch-up functionalities will be handled like SVOD.


4

2. Programs and Provisioning

2.1. Full diagram

Any

Studio

Material

37373737 3rd Party

Encoding

Lab

MAM

Live

Streams

TSMUX

Scrambler

TSMUX

Scrambler

Sat TV Head End

ExMg (SAT)

ExMg (IPTV)

IPTV Packager

PC Packager

SVOD

programs

Video

POPs

Pivot Files

to SAT TV

Subscribers

to IPTV

Subscribers

to VOD IPTV Subscribers

to VOD over IP Subscribers

Mobile TV Head End

1

4

6

Service Platforms

& Portals

Live

Metadata

SVOD

Metadata

Materials

Playout

Center

IPTV Head End

5Tape Library

2

Live

Programs3

to VOD Mobile Subscribers

WM Encoder

Web TV Head End

to Web TV

Subscribers

5

DRM

to Mobile TV

Subscribers

Mobile

encoder

3rd Party

Encoding

Lab

7

8

Any

Studio

Material

37373737 3rd Party

Encoding

Lab

MAM

Live

Streams

TSMUX

Scrambler

TSMUX

Scrambler

Sat TV Head End

ExMg (SAT)

ExMg (IPTV)

IPTV Packager

PC Packager

SVOD

programs

Video

POPs

Pivot Files

to SAT TV

Subscribers

to IPTV

Subscribers

to VOD IPTV Subscribers

to VOD over IP Subscribers

Mobile TV Head End

1

4

6

Service Platforms

& Portals

Live

Metadata

SVOD

Metadata

Materials

Playout

Center

IPTV Head End

5Tape Library

2

Live

Programs3

to VOD Mobile Subscribers

WM Encoder

Web TV Head End

to Web TV

Subscribers

5

DRM

to Mobile TV

Subscribers

Mobile

encoder

3rd Party

Encoding

Lab

7

8

France Telecom is going to operate its own Lab to handle Programs during their lifetime, through a dedicated subsidiary.

FT Lab receives either Materials or Pivot Files from the Content Provider, potentially through one of the traditional Encoding Labs used for VOD.

FT Lab stores the Materials in a Tape Library. Materials are digitalized to Pivot Files. Pivot File format is a high quality video file which is vaulted on the MAM (Media Asset Manager) using a two-tier architecture:

- a short term storage place used to store Programs that are currently under exploitation; the Program is accessible to the agents for quality check, editorial check, promotion editing, scheduling, etc

- a long-term vault used to store Programs that are not under current exploitation but will be exploited again later on.

Program files are sent by an automated process from the MAM to the Play-out Center, for automation and broadcasting to the Head Ends. The Programs are sent 5 to 7 days in advance so that the Play-out Center can operate in autonomy.

As for SVOD Programs (and SVOD Only Programs), they will be encoded in a first step by the traditional Encoding Labs used for VOD. Later on, FT Lab is going to encode Programs by itself. The Labs encode the Pivot Files into (i) the MPEG SD or HD files for EZ; (ii) the Windows Media SD files for NEZ and PC; and (iii) a Mobile Pivot File and then bearer-dependent files for Mobiles.


5

2.2. Technical and organizational Security measures

The following security measures apply (numbers refer to the above drawing):

1. Materials are sent by UPS or similar. Electronic files are transferred using FTPS or SmartJog. The traditional Encoding Lab are CMC, Éclair and Cognac-Jay Images.

2. Materials are registered, stored in secure premises with restricted access (the Tape Library), and handled by authorized agent.

3. The MAM is operated in secure premises with restricted access to authorized agents. It is based on Mediagenix’s WHATS’On solution. Pivot files are stored in the long-term vault with admin only access rights. Short-term storage is only accessible from workstations in the local network. The local network is protected against logical intrusion by firewalls.

4. The Play-out Center is operated in secure premises by authorized agents. There is a secure dedicated link between FT Lab and the Play-out Center, as well as between the Play-out Center and the Head End. Post-production and play-out will be operated by Cognac-Jay Images, which is a highly recognized operator.

5. The Head End is operated by Globecast. It comprises the encoders, the MPEG-2 re-multiplexer, Viaccess equipments for ECM/EMM generation, and similar encoding and protection systems for WebTV and Mobile TV, as well as the Mosaic generation equipments.

6. TV- or PC- and Mobile-encoded SVOD Programs are transferred to the relevant packager through a VPN.

7. The TV- and PC-Packager encrypts the SVOD Programs, deletes the clear content and pushes the protected Programs on the filer. The protected programs are then uploaded on the Video POPs.

8. The Mobile Pivot File is packaged into bearer-dependent programs by a subcontractor, AtomiZ, which uploads them on the mobile video streamers. All servers are operated in restricted access area by authorized staff.

2.3. Delivery video profiles

2.3.1. Video to TV profiles

For Video to TV, France Telecom uses MPEG4-AVC codec. The increase in video compression efficiency, first from MPE2 to MPEG4, then from a first generation MPEG4-encoder to a new generation encoder, has led France Telecom to lower the video bit rate to have a better ADSL eligibility. Subjective tests are performed by France Telecom R&D before profile acceptance.

For IPTV, the current bit rate for SD is 2.2 Mbps at MPEG2-TS level, using MPEG4-encoder Tandberg EN8030. It is planned to increase the profile to 2.6 Mbps TS bit rate by Q4/2008 or early 2009.

The target bit rate for HD is 8 Mbps TS, using MPEG4-encoder Tandberg EN8090, which provides a video quality equivalent to 11.8 Mbps TS using first-generation encoder.

The same encoding profile are used for Live and for SVOD. However the encoders are different: Tandberg for Live and ATEME Encoder v1.11 for SVOD.

Higher SD and HD bit rates are targeted for SAT TV; however the bouquet (number of SD/HD channels) to be included in satellite bandwidth have not been finalized yet and definitive figures are not known.


6

(1) video bit rate may increase by ~100 kbps if there are no subtitles (2) AC3 and HE-AAC are also envisaged (3) video + audio + subtitles if any + PAT/PMT + ECM/EMM + stuffing (4) picture size can vary (4/3, 16/9, FF and LB) but is no more than 576 lines for SD

2.3.2. Video to PC profiles

For Video to PC, France Telecom uses WMV9 codec. The standard profile is the SD profile at 1.5 Mbps but a ‘basic SD’ profile at 700 kbps is used when ADSL bandwidth doesn’t allow for more.

A quarter-screen ‘QSD’ profile is introduced for the WebTV interface, see 8.6 below.

For Video to TV in Non Eligible Zone, the SVOD service makes use of the Video to PC profiles. As there is limited flash memory on the NEZ STB to store temporary downloaded programs, a ‘SD2’ profile at 1.3 Mbps has been introduced for movies longer than 2H40.

Note: new VC-1 encoders are arriving on the market which can be used either to have a better quality at the same bit rate, or a lower the bit rate with same quality. We are targeting a new SD profile at 1.2 Mbps with the same quality as the current SD profile, especially to increase eligibility for Live streams.

(4) picture size can vary (4/3, 16/9, FF and LB) but is no more than 576 lines for SD (5) + 128 kbps for dual language programs

MPEG Profiles IPTV SD IPTV HD SAT SD SAT HD

Video codec MPEG4 AVC

Video bit rate (1) 2000 kbps CBR 7100 kbps CBR TBD VBR TBD VBR

Audio codec MPEG1 Layer 2 (2)

Audio bit rate 2x128 kbps 2x192 kbps TBD TBD

Total bit rate (3) 2600 kbps TS 7900 kbps TS 2800 kbps TBD 9000 kbps TBD

Picture size (4) 720x576 1440x1080 720x576 1440x1080

Frame rate 25 fps 25 fps 25 fps 25 fps

WMV Profiles PC SD PC SD2 PC basic SD Live/SVOD

PC QSD

Video codec WMV9

Video bit rate 1350 kbps VBR 1150 kbps VBR 620 kbps CBR 550 kbps CBR

360 kbps CBR

Audio codec WMA9.1 pro WMA9.1

Audio bit rate 128 kbps VBR(5) 128 kbps VBR 64 kbps VBR 32 kbps CBR

Total bit rate 1500 kbps(5) 1300 kbps 700 kbps (Live) 620 kbps (SVOD)

400 kbps

Picture size (4) 720x576 720x576 448x336 384x288 / 320x240

Frame rate 25 fps 25 fps 25 fps 25 fps


7

2.3.3. Video to Mobile profiles

For sideload to Mobile, there are two candidate profiles: a Windows Media profile and a H.264 profile. Bit rates suggested below have been calculated to fit mobile devices capabilities at the launch of the service. Target bit rates have been introduced in the Orange Group Device Requirement (OGDR 7.5, mobiles shipped in 2009 H1).

For over-the-air streaming to mobiles, the mobile profiles depends on the bearer: EGDE, UMTS, HSDPA. The mobile user will be delivered the best profile depending on his geographical location and his handset capability. As of September, 2008, close to 70% are in a HSDPA (and UMTS) area.

Live SVOD Mobile Profiles

EDGE UMTS HSDPA EDGE UMTS HSDPA

Video codec MPEG4 SP CBR MPEG4 SP CBR

Video bit rate 43 kbps 88 kbps 238 kbps 68 kbps 88 kbps 224 kbps

Audio codec AMR 8kHz mono AMR 8kHz mono AAC stereo

Audio bit rate 7 kbps 12 kbps 12 kbps 12 kbps 12 kbps 26 kbps

Total bit rate 50 kbps 100 kbps 250 kbps 80 kbps 100 kbps 250 kbps

Picture size 176x144 176x144 320x240 176x144 176x144 320x240

Frame rate 10 12.5 15 10 12.5 15

2.3.4. Video to PMP profiles

For sideload to PMP, the PC basic SD profile will be used.

Sideload WM Sideload H264 Mobile Profiles

current target current target

Video codec WMV9 MPEG4 SP H.264

Video bit rate 150 kbps 220 to 320 kbps 190 kbps 290 kbps

Audio codec WMA9.1 AMR / AAC HE-AAC

Audio bit rate 32 kbps 32 kbps 64 kbps 32 kbps

Total bit rate 180 kbps 250 to 350 kbps

250 kbps 320 kbps

Picture size 320x240 320x240

Frame rate 15 fps 25 fps 20 fps 20 or 25 fps


8

3. Linear service in Eligible Zone

3.1. Full diagram

STB

France Telecom

modemrouter

France Telecom

IP Backbone

multicast

IPTV

Service Platform

MUX

31

3

2

TV streams are multicasted

STB sets up and retrieves the service plan

STB accesses the TV streams

DSLAM

Backhaul

Network

2

1

STB

France Telecom

modemrouter

France Telecom

IP Backbone

multicast

IPTV

Service Platform

MUX

31

3

2

TV streams are multicasted



DSLAM

Backhaul

Network

2

1

3.2. Technologies

3.2.1. Service Platform

The Service Platform is based on Smartvision by Thomson and additional France Telecom components. It is used to manage subscriber accounts, network topology and STBs, and hosts the SVOD Portal.

The Service Platform is operated in France Telecom premises, according to France Telecom operational security policy. It is protected by firewalls from logical intrusion. Access to the premises is restricted to authorized persons (id check, badges). Remote access to the servers is restricted to authenticated administrators.

3.2.2. Head End

The Head End is hosted and operated by GlobeCast. It receives the linear channels in MPEG2-TS format from the Play-out Center, encrypts them, and delivers the streams to the IP Gateway for multicast on the network.

3.2.3. Networks/Transmission

The encrypted channels are transported through France Telecom IP backbone and backhaul networks (ATM, Giga Ethernet) and then to the Orange TV DSLAM for copper networks or OLT for optical GPON networks.

In order to guarantee the quality of the streamed content, bandwidth is reserved for IPTV flows in the networks and on eligible Orange TV ADSL and FTTH lines.


9

3.2.4. Client side

The Orange TV customer is distributed an 1 or 2 (multi-room subscriber) EZ-STB among the following:

Provider Reference PVR and Hard Drive SD/HD

SAGEM IAD80 = IAD 80-16(*) no SD

SAGEM IAD81 = ITAD 81-FT(*) no SD

SAGEM IHD91 = ITAD 81-17 yes Integrated HDD SD/HD

SAGEM ISD83 = ITAD 83-FT no SD

SAGEM UHD86 (**) yes External HDD SD/HD

THOMSON ISD82 = IP 20-31F no SD

THOMSON IHD84 no SD/HD

(*) no more distributed; not swapped.

(**) to be released by the end of 2009


SAGEM IAD 80-16(*) no SD

SAGEM ITAD 81-FT no SD

SAGEM ITAD 81-17 yes 160Go SD/HD

SAGEM ITAD 83-FT no SD

THOMSON IP 20-31F no SD

(*) no more distributed; not swapped.

(**) as of June 2008

Note: France Telecom has switched from MPEG2 to MPEG4 and has swapped old MPEG2-only STB earlier in 2008.

STB inputs/outputs are:

- 1 SCART analog video RGB + composite / audio output (TV output)

- 1 SCART analog video composite / audio output (VCR output)

- 1 HDMI digital video output (on High End STB only)

- 1 analog stereo audio output

- 1 SP/DIF digital audio output

- 1 Ethernet interface

- 1 antenna in and 1 antenna out (loop-trough)

-1 USB port (not activated – for future use only)

- 1 USB port (on UHD86 only – for DLNA purpose)

- 1 rack with SATA port (on UHD86 only – for External HDD)

SD contents are upscaled to transit on HDMI output.

HD content is not present on analog video outputs.

For HD STBs, SD content is passed on HDMI output, and HD content is downscaled on analog video outputs.

The High End STB has PVR functionality. Only Live TV programs can be recorded; it is not possible to record VOD programs.

For PVR STBs, only Live TV programs can be recorded; it is not possible to record SVOD programs.

Time-shifting is also available on these High End STBs. A Time-shifted Live stream is recorded in a 1H (1H30 on UHD86) circular buffer. The user can || or << or >> within that buffer or come back to the Live stream. When the user zaps, the TS buffer is re-initialized.

Mise en forme : Puces etnuméros

Mis en forme : Avecpuces + Niveau : 1 +Alignement : 0,63 cm +Tabulation après : 2,38 cm+ Retrait : 2,38 cm


10

DLNA functionality on the UHD86 enables the STB to access content from the USB port and view them on the TV set. It does not apply to OCS content.

3.3. Subscriber authentication and Device registration

All STB are managed by the Service Platform which has the knowledge of:

- the Orange TV subscriber (which is provided a login/password to enter in the STB before first use)

- the ADSL line number (provided by the network).

Only 1 STB is allowed to be used with the same credentials, unless the user has subscribed the multi-STB option, in which case 2 STB are allowed.

Only 1 STB is allowed to be connected on a single ADSL line, unless the user has subscribed the multi-STB option, in which case 2 STB are allowed.

At power on, the STB connects to the Service Platform to authenticate itself and to retrieve an IP address in the IPTV private plan. The Service Platform will only allocate an address to STB issuing a request from an eligible Orange TV customerline; as a matter of fact, it can only happen in France.

The STB retrieves from the Service Platform the list of IP addresses of the TV streams. When the user zaps, an IGMP request is sent to the DSLAM to get the TV stream.

3.4. CAS

IPTV content protection relies on Viaccess CAS which implements DVB standards.

The Service Platform synchronizes subscription data with the Head End to insert EMM in the MPEG2-TS. The EMM injector and the ECM generator are co-located with the MUX.

On the end user’s side, the STB incorporates a Viaccess software component, the ACS (Access Control Software) which handles exchanges with the Viaccess smart card and with DVB-CSA hardware.

It is France Telecom policy to distribute the most recent card generation as soon as it is available to continuously increase the level of security. Viaccess smart card generation currently distributed is PC3.0.

TSMUX

DVBCSA Scrambler

TV Head End

CW ECMEMM

Service Platform

Back Office

Subscription data

ECM

generator

EMM

injector

Set Top Box

ACS

Subscriber’s

Smart Card

Viaccess CAS

component

IPTV or SAT

Network

Smart Card distribution

Smart Card/Subscriber pairing

Live stream

unencrypted

TSMUX

DVBCSA Scrambler

TV Head End

CW ECMEMM

Service Platform

Back Office

Subscription data

ECM

generator

EMM

injector

Set Top Box

ACS

Subscriber’s

Smart Card

Viaccess CAS

component

IPTV or SAT

Network

Smart Card distribution

Smart Card/Subscriber pairing

Live stream

unencrypted


11

3.5. Copy protection

3.5.1. Video outputs

France Telecom has planned to activate WSS copyright bits ‘copyright asserted’ / ‘copying not restricted’ on analog outputs of all EZ STB, for Linear Programs.

However, France Telecom has decided to freeze the software of all EZ STB until a new middleware is available, as provided by Soft@Home. The planning of migration is not yet finalized. WSS activation is scheduled for the first application release over this middleware.

WSS capability is currently under deployment in our IPTV system. WSS-capable software has been deployed on all THOMSON STBs, and will start to be deployed on all SAGEM STBs in August 2009. WSS-activation software will be deployed in the November 2009 Portal release. By that time, WSS copyright bits ‘copyright asserted’ / ‘copying not restricted’ will be activated on analog outputs of all EZ STBs, for Linear Programs.

All HD STB activate HDCP unconditionally.

WSS copyright bits ‘copyright asserted’ / ‘copying restricted’ will be activated on PVR output on the new STB UHD86.

Note: on the legacy STB IHD91, it is very difficult to activate analog copy protection on PVR output as the PVR software is a third party software we have put in a frozen state. As of July, 2009, only 3.5% of the EZ subscriber base are concerned.

3.5.2. PVR

On the PVR IHD91 STB, Linear Programs can be recorded on the Integrated Hard Disk Drive, which capacity is 160 GBlocal hard drive. The hard drive is cryptographically paired to the STB and cannot be used on another STB nor on a PC. France Telecom has planned to activate WSS copyright bits ‘copyright asserted’ / ‘copying restricted’, on playing a PVR-recorded content, subject to the remark above about STB middleware.

The UHD86 STB can accept an External Hard Disk Drive. The External HDD is 160 GB. A subscriber is entitled to have 320 GB for a single STB subscription. As state-of-the-art HDD capacity increases in the future, Orange may decide from time to time to offer disks of a greater capacity.

The External HDD is specified and provided by Orange only (although we subcontract its industrialization to SAGEM today). When it is first introduced in a STB, a partition dedicated to PVR-recorded content is created. If the External HDD is put in another STB, it will be reformatted.

STB-HDD communication relies on an Orange proprietary protocol, implemented in the STB and in the HDD chipset, used to unlock the PVR partition. This way, the PVR partition cannot be accessed from a PC and the STB can only accept Orange-compliant HDD.

The PVR function on the STB encrypts contents using AES128-based cryptography, and the CEK is itself encrypted with a STB chipset unique secret, before they are written on the HDD. Content is therefore bound to the STB it was recorded from.

The Time-Shifting buffer may either be stored on a dedicated integrated flash memory, or on the Integrated/External HDD with the same protection level.

The HD STB activates HDCP unconditionally.

Mis en forme : Normal

Mis en forme : Titre 3,Tabulations :Pas à 1,75 cm

Mis en forme : Retrait :Gauche : 0 cm


12

3.6. Mosaic channel

A Mosaic channel with 4x5 thumbnails containing the Live streams is generated by the Head End and distributed on specific channels.

The picture size of each thumbnail is 100x70. It is planned to have a larger 210x170 thumbnail which spans over the firsts 2x2 thumbnails.

The user can “browse” the Mosaic and get information on the selected channel (an Orange Cinema Series channel or another channel). There is no sound on the channel.

An Orange TV subscriber which has not subscribed to Orange Cinema Series may access the thumbnails, which are used for service promotion.

The Mosaic pattern is illustrated below.


13

4. Linear service in Non-Eligible Zone

4.1. Full diagram

DSLAM

STB

France Telecom

modemrouter

SAT

Service Platform

MUX

1

3

2

TV streams are broadcasted



3

1

Backhaul

Network

2

DSLAM

STB

France Telecom

modemrouter

SAT

Service Platform

MUX

1

3

2

TV streams are broadcasted



3

1

Backhaul

Network

2

4.2. Technologies


The Service Platform is based on France Telecom components. There are three main components:

- the STB manager (STB authentication and update)

- the EPG server

- the SVOD Portal

The Service Platform is operated in France Telecom premises, according to France Telecom operational security policy, see 3.2.1.

4.2.2. Head End

The Head End is co-located with the IPTV Head End.

4.2.3. Satellite

France Telecom has reserved bandwidth on Eutelsat Atlantic Bird and Hot Bird.

4.2.4. Client side

The Orange TV customer is distributed a NEZ-STB. There is only one model today.


14


SAMSUNG SMT H61-06 no SD/HD

Note: another STB model (from Opentech) will be distributed at the launch of the SAT TV offer that does not enable access to xVOD services. Orange Cinema Series subscribers will have to switch such STB to the Samsung STB.

STB outputs are:

- 1 SCART analog video RGB + composite / audio output (TV output)

- 1 SCART analog video composite / audio output (VCR output)

- 1 HDMI digital video output

- 1 analog stereo audio output

- 1 SP/DIF digital audio output

- 1 Ethernet interface

- 1 antenna in and 1 antenna out (loop-trough)

There is no PVR and no hard drive on this STB. However, there is a 2 MGB flash memory used for temporary download of SVOD programs, see below. The flash will also be used for Time-shifting (under study).


All STB are managed by the Service Platform which has the knowledge of:

- the STB identifier

- the ADSL line number

- the Orange TV subscriber

Only 1 STB is allowed to be used behind the same line.

At power on, and later on every 24H, the STB connects to the Service Platform to authenticate itself. The Service Platform verifies that the STB is on an Orange internet ADSL line.

The STB retrieves from the Service Platform the list of aerial characteristics of the TV streams and other physical and logical data.

4.4. CAS

Viaccess CAS as used for IPTV (with different master secrets) is used for SAT TV.


France Telecom has planned to activate WSS copyright bits ‘copyright asserted’ / ‘copying not restricted’ on analog outputs of the NEZ STB, for Linear Programs, at the launch of the service.

The NEZ STB activates HDCP unconditionally.

4.6. Mosaic channel

There is no Mosaic channel for Non Eligible customers that includes Live streams, but only still images (1 logo for each channel) as provisioned in the service plan.


15

5. On Demand service in Eligible Zone

5.1. Full diagram

STB

France Telecom

modemrouter

France Telecom

IP Backbone

unicast

IPTV

Service Platform

Video

POP

1

3

2

SVoD ordering and License delivery

Content request

Content streaming to the STB

DSLAM

Backhaul

Network

2

RTSP

21

3

STB

France Telecom

modemrouter

France Telecom

IP Backbone

unicast

IPTV

Service Platform

Video

POP

1

3

2

SVoD ordering and License delivery

Content request

Content streaming to the STB

DSLAM

Backhaul

Network

2

RTSP

21

3

5.2. Technologies


Same as 3.2.1.

5.2.2. Video POP

Video POP are installed across the FT networks and linked to the Service Platform.

There are 13 Video POP, each of which comprising 2 to 4 Video Servers in redundant configuration. They are based on Sapphire software.

5.2.3. Network/Transmission

Same as 3.2.3.

5.2.4. Client side

Same as 3.2.4.

Trick mode is available for SVOD programs using RTSP commands between the STB and the Video POP, proxied by the Service Platform.


Same as 3.3.


16

5.4. CAS

SVOD Programs are encrypted by the Content Packager. One different master key K is used for each Program. The master keys are sent to the Online Right Manager (= the licenser) which stores them.

At subscriber’s request, and after verification by the Service Platform that the subscriber has the necessary rights, the Online Right Manager delivers the license to the Access Control SoftwareSet Top Box, which stores the master key in RAM.

The STB can thereon decrypt the content. The master key is deleted from RAM when the user stops or zaps to another Program.

Video POP

Content

Packager Set Top Box

ACS

IPTV Network

SVOD Program

unencrypted3

1

3

2

The Content Packager encrypts the content

The Online Right Manager delivers a License to authenticated subscribers

The STB deciphers the content

(CW)KECM

ECM

generator

Right

Manager

(KID, K)

Licence(K)

1

2

SVOD portal

Video POP

Content

Packager Set Top Box

ACS

IPTV Network

SVOD Program

unencrypted3

1

3

2

The Content Packager encrypts the content

The Online Right Manager delivers a License to authenticated subscribers

The STB deciphers the content

(CW)KECM

ECM

generator

Right

Manager

(KID, K)

Licence(K)

1

2

SVOD portal


For SVOD Programs, all STB activate Macrovision and on analog outputs (on the pin carrying the composite signal), and HDCP on the HDMI output on High End STB.

France Telecom has planned to activate WSS copyright bits ‘copyright asserted’ / ‘copying restricted’ on the analog output of all EZ STB, for SVOD Programs, subject to the remark in 3.5 about STB middleware.

WSS capability is currently under deployment in our IPTV system, see section 3.5. For SVOD Programs, WSS copyright bits ‘copyright asserted’ / ‘copying restricted’ will be activated on analog outputs of all EZ STBs.

On the High End PVR STBs, SVOD Programs cannot be recorded on the hard drive. integrated PVR.


17

6. On Demand service to PC

6.1. Full diagram

PC

France Telecom

modemrouter

France Telecom

IP Backbone

Streaming or

Download

Service

Platform

Video

POP

1

3

2

SVoD ordering

License delivery

Content streaming or temporary download to the PC

DSLAM

Backhaul

Network

21

3

Licenser

2

Packager

PC

France Telecom

modemrouter

France Telecom

IP Backbone

Streaming or

Download

Service

Platform

Video

POP

1

3

2

SVoD ordering

License delivery

Content streaming or temporary download to the PC

DSLAM

Backhaul

Network

21

3

Licenser

2

Packager

6.2. Technologies


The Service Platform is based on France Telecom components.

The Service Platform is operated in France Telecom premises, according to standard France Telecom operational security policy, see 3.2.1.

6.2.2. Video POP

There is one Video POP today.

Video Servers are Windows Media Servers in redundant configuration.


Portal browsing and video delivery happen on the France Telecom internet infrastructure (broadband access networks, IP backbone).

6.2.4. Client side

The Orange Internet/TV subscriber is distributed a LiveBox (= FT modem-router).

The subscriber can connect several PCs or laptops on the domestic network (not all of them being registered to the service).


18


Access to SVOD on PC is subject to the following restrictions:

- the user is authenticated using his Orange Internet line credentials

- the PC is registered

The user is necessarily on his own Internet/TV line (no nomadism) and therefore located in France. Authentication is managed by France Telecom SSO enabler, which is shared by all the operator’s internet services, including services involving payment on the operator’s bill.

PC registration is implemented through a proprietary ActiveX which calculates locally a PC identifier and sends it back to the Service Platform. The Service Platform compares this value to a list of declared values for this subscriber. A maximum of N values is allowed. If the maximum number of values is reached, the user is prompted to de-register one of the preceding values. Only M de-registration/registration are allowed, each month. Additional de-registration/registration are allowed if the subscribers calls the Customer Care.

- the PC id will be based on the physical hard drive #0 serial number; the choice of this identifier has been motivated by (i) there is a Windows API which returns a unique number, and (ii) the DRM licenses are linked to the hard drive

- the number N of PC allowed will be 2, so that the total number of Permitted Primary Devices does not exceed 5 devices (2 STB max + 1 mobile max + 2 PC max)

- the number M of de-registration/registration will be 1 to allow the user to change his hard drive once a month

6.4. DRM

Content protection is based on WM DRM for PC.

On the Service Platform side, the Packager and the Licenser are based on WM DRM10.1, as integrated and operated by Viaccess.

On the client side, the end user is required to have Windows XP or Vista and WMP10 or WMP11. The DRM component is individualized to the maximum value given the system configuration:

- Security Version = 2.8 for XP SP1, WMP10/WMF10

- Security Version = 3.6 for XP SP2-3, Vista, WMP11/WMF11

WMP10/WMF11 configuration will be individualized to 3.6.

XP SP1 configuration will be allowed for streaming only. Within 1 year after the launch of the service, XP SP1 subscribers will be asked to upgrade, and WMP11/WMF11 will be required for streaming as well as for temporary download.

The License is pre-delivered to the PC. It will include a viewing period finishing (ExpirationDate) the earlier of (i) the end of the current month (per-month subscription) and (ii) the end of the current SVOD/catch-up window for that program (which itself is included in the global contractual window for that program).


Copy protection on video outputs will be detected/activated through a proprietary ActiveX which uses the COPP API to:

- detect if the graphic card has a COPP driver


19

- if the graphic card doesn’t support COPP, no copy protection is required

- if the graphic card supports COPP, the current video output is tested and available copy protection mechanism are activated among the following: Macrovision, CGMS-A “copy never” for analog TV outputs, HDCP for digital output.

- copy protection is activated through a parameter in the DRM license


20

7. On Demand service in Non Eligible Zone

The NEZ STB receives Live signals on-air, but SVOD signals are necessarily received from the ADSL network. We’ve decided to use WM DRM to protect the programs. Hence a WM DRM10-PD agent is implemented on the NEZ STB, and the same Licenser, Packager and Video POP as for SVOD to PC can be re-used.

7.1. Full diagram

PC

France Telecom

modemrouter

France Telecom

IP Backbone

Download

Service

Platform

Video

POP

DSLAM

Backhaul

Network

21

3

Licenser

2

Packager

Component shared

with On demand to PC PC

France Telecom

modemrouter

France Telecom

IP Backbone

Download

Service

Platform

Video

POP

DSLAM

Backhaul

Network

21

3

Licenser

2

Packager

Component shared

with On demand to PC

7.2. Technologies


Same as 4.2.1.

Note that the NEZ SVOD Portal is different from the PC SVOD Portal as it is designed to be accessed from the TV interface with remote control navigation. The SVOD Portal pages will have the same look and feel than for SVOD in Eligible Zone.

7.2.2. Video POP

Same as 6.2.2 (SVOD to PC).

Note that only the standard PC profile is used (1.5 Mbps, 1.3 Mbps for very long movies (longer than 2H40), and that there is only Download, no Streaming.


Same as 6.2.3 (SVOD to PC).


21

Note that the NEZ STB can only access the NEZ SVOD Portal on the Service Platform, which itself is only accessible from authorized NEZ STB (and not from any PC on the internet).

7.2.4. Client side

Same as 4.2.4.


Same as 4.3.

7.4. DRM

The STB implements a WM DRM10-PD agent.

Note that in Non Eligible Zone, bandwidth is limited therefore the content is always temporary downloaded.

The license is the same as for SVOD to PC.

The encrypted content is deleted at license expiry, or when there is no more room available on the flash memory (typically, when a second long movie is downloaded).


For SVOD Programs, the NEZ STB activates Macrovision WSS copyright bits “copyright asserted” / “copying restricted” on SCART output (on the pin carrying the composite signal), and HDCP on the HDMI output.


22

8. Linear service to PC

8.1. Full diagram

PC

France Telecom

modemrouter

France Telecom

IP Backbone

unicast

WebTV Portal

WM

Endoder

3

1

3

2

The subscriber zaps and is delivered a random URL

and a license

The subscriber requests the stream to the Streamer

The Streamer verifies Subscriber’s @IP/random URL

and delivers the encrypted stream

DSLAM

Backhaul

Network

1

2

Streamer

PC

France Telecom

modemrouter

France Telecom

IP Backbone

unicast

WebTV Portal

WM

Endoder

3

1

3

2

The subscriber zaps and is delivered a random URL

and a license


The Streamer verifies Subscriber’s @IP/random URL

and delivers the encrypted stream

DSLAM

Backhaul

Network

1

2

Streamer

8.2. Technologies


The Service Platform is based on France Telecom components.

It comprises a Portal and a Licenser (the Packager being co-located with the encoder at the Head End).


8.2.2. Head End and Video POP

The Head End is hosted and operated by GlobeCast. It receives the linear channels from the Play-out Center, re-encodes and encrypts them, and delivers them to the Video POP.

There is one Video POP today, with streaming servers in redundant configuration.


Same as 6.2.3.

8.2.4. Client side

Same as 6.2.4.


23


The linear stream is accessible to the Orange Cinema Series subscriber under the same requirements as for the SVOD service to PC: authenticated subscriber, no nomadism, registered PC, see 6.3.

8.4. DRM

Content protection is based on Network Access Control and WM DRM for PC.

Once authorized as above, when the subscriber zaps he receives from the Portal a short lived random URL to access the stream. The Streaming server verifies (by a request to the Portal) that the URL is requested by the @IP to which it was allocated. The validity duration of the short lived URL can be parameterized (typically, a few minutes).

The PC Live stream is encrypted by the WM Encoder. Each channel will have its own encryption key. The key will change every 24H. The encrypted stream is passed on to the streaming server.

A 24H license is pre-delivered to the PC following subscriber authentication. The PC configuration will be required as for SVOD, see 6.4.

Note: it is not possible to change the encryption key without stopping the stream, thus it is not desirable to have a key change at every program. Furthermore, as WM DRM cracks (when not patched) work by finding the key in the license store, there is no difference between changing it every 24H and changing it every program. As a matter of fact, the PC stream is on the same security level as WM DRM protected SVOD programs.

There are ongoing studies between Viaccess and France Telecom to define a long term proprietary solution based on Network Access Control to access the unicast stream and a CAS-based ciphering, using a Viaccess proprietary CAS software independent of WM DRM.


Copy protection on video outputs will be detected/activated through the same ActiveX as in 6.5. Available copy protection mechanism are activated among the following, as far as the DRM allows: CGMS-A “copy once” for analog TV outputs, HDCP for digital output.

8.6. WebTV interface

The native Orange WebTV interface looks like the following:


24

On the right side of the image there is a still Mosaic.

On the left side, the window shows the currently selected channel. It is a fixed-size 400x300 window, with image resolution 384x288 or 320x240 and video bit rate 400 kbps (QSD profile).

When the user enters the full screen mode, the program is displayed using the SD or basic SD profile.


25

9. Sideload

At the launch of the service, sideload will be limited to PMP (and very few mobiles) using Microsoft DRM.

The extension of sideload to Mobile using OMA DRM is under study for the beginning of 2009. Our intention is to introduce OMA DRMv1 SD to reach a large set of already deployed mobile handets and then OMA DRMv2 CMLA or Microsoft PlayReady for new mobile handsets.


Sideload can only occur from a PC Permitted Device (authenticated subscriber, no nomadism, registered PC).

The Secondary Device can be a PMP or a mobile, used in sync mode. Secondary Devices are not registered and counted as Primary Devices are, but the user needs to declare his device model in order to get the right video format and license.

9.2. DRM

The DRM is WMDRM10 for Portable Devices (aka Janus).

The DRM Packagers and Licensers are operated by Viaccess.

We use the “allow copy” right in the licenses.

The file that will be transferred is the PC basic SD profile for a PMP, or the current sideload WM profile for a Mobile, see 2.3. When synchronized, there may be (according to Windows Media Transfer Protocol) a resizing of the content format to match the video capabilities of the Secondary Device.

At most three 48H licenses with “copy count = 1” are delivered to the subscriber, at his request, for each content of the SVOD catalogue.


PMP and mobiles usually don’t have video outputs, but some devices are starting to have analog TV outputs (Archos, Nokia N95 for example).

For WM DRM devices, copy protection in “copy never” mode will be activated through appropriate parameters in the license.


26

10. Linear and On Demand services to Mobile

10.1. Full diagram

France Telecom

IP Backbone

unicast

Orange World

Video Portal

SVOD

content

1

2

The subscriber is authenticated through IMSI

He is delivered a protected URL


The Streamer verifies the URL and IP@ and delivers the stream

2G+/3G/3G+

Network

1

2

Streamer

Live

content

Streamer

France Telecom

IP Backbone

unicast

Orange World

Video Portal

SVOD

content

1

2

The subscriber is authenticated through IMSI

He is delivered a protected URL


The Streamer verifies the URL and IP@ and delivers the stream

2G+/3G/3G+

Network

1

2

Streamer

Live

content

Streamer

10.2. Technologies


The Service Platform is based on Alcatel AVSP platform. It relies on some of FT 2G/3G network platform components (e.g. for subscriber authentication and subscription management).


10.2.2. Head End and Video PoP

The Live Head End is hosted and operated by GlobeCast, which encodes the TV flows into the different mobile profiles and delivers them to the stream servers on the Service Platform.

The SVOD contents are populated by AtomiZ on the stream servers which are a component of the Service Platform.


The streams are transported through France Telecom IP backbone and 2G+/3G/3G+ access infrastructure.

In UMA/Wifi mode (a.k.a. GAN in the USA), multi-mode devices can access the service platform using Wifi as if they were 2G+ devices.


27

10.2.4. Client side

The user must have a mobile handset in the TV/Video category.


The Service Platform relies on the 2G/3G mobile network to get the user’s IMSI (Mobile Subscriber Identifier) and verify the OCS subscription.

At the launch of the service, only 1 SIM card is allowed to be registered with a single OCS subscription.

The service platform blocks roaming users from accessing the Live and SVOD streams.

10.4. CAS/DRM

Live and SVOD streams are not encrypted. However they benefit from intrinsic mobile GSM/UMTS network security, which guarantees SIM/USIM card authentication and radio link encryption.

For UMA/Wifi, a protected tunnel (authentication based on GSM or UMTS credential + encryption) is set up between the mobile handset and the UNC-SGW (UMA Network Controller-Security Gateway) in the Mobile Network. This protected tunnel includes the copper/fiber link and the wifi radio link from the network to the mobile handset.

When the mobile requests a content from the Live or SVOD Portal on the Service Platform, he is delivered a unique, random, short-lived, signed URL that is verified by the Streamer to authorize delivery at the right IP address (in the private IP address plan of the mobile network).

France Telecom will study the application of OMA DRMv2 CMLA or Microsoft PlayReady, or any other industry-wide standard to be accepted by the Majors, to protect SVOD and Live streamed content respectively.


Mobiles handsets usually don’t have video outputs, but some devices are starting to have analog TV outputs (Nokia N95 for example), and in general there is no copy protection mechanisms on such output (nor Macrovision, neither WSS capability).

However, the mobile on-air video profiles are limited in screen size (QCIF or QVGA), bit rate (80 to 250 kbps), and frames per second (10 to 15 fps).

France Telecom has asked the mobile handset manufacturers to implement a mechanism in future mobile devices to block TV video outputs if they do not implement relevant copy protection.

orange cinema series video profiles and security architecturedeals/ocs technical … · the...

Documents