Mathew Gilliat-Smith, Fortium Technologies

Presentation to HPA Tech Retreat 2014
Accessing Encrypted Assets in Mac OS
Mathew Gilliat-Smith, CEO Fortium Technologies
Content Security
Cost of piracy $$
• Severity of leaks and comment
• Studios don’t like to publicise breaches - privately it’s a continual battle
• the Tarantino script
• well known series premiere leaked one month early from a special effects house
• Comments on social networking and physical leaks are a Post Supervisor’s
worst nightmare – ‘it happened on my watch’
• Concern in being connected to the internet
• Concern in Cloud workflows
• MPAA audits try and ensure facilities are secure & have teams to track
leaked content but…..
• Proxy files in editing & authoring systems present a security vulnerability
• Files reside ‘in the clear’ for anyone on the network to access
• No encryption ‘at rest’
• NBC Universal identified specific risk in professional editing systems and
designed the MediaSeal encrypted video system
Remarks on Social Networks
Reduced Viewing
The Dilemma
• Mac OS does not support modified file types e.g.
encrypted files – security solutions need to be cross
platform
• Why don’t professional editing and authoring systems
build in file security?
• Complexity
• Proprietary systems are not portable - what works for one
system does not work for another
• Other security solutions (encrypted drives & delivery
systems)
• Encryption is removed for access & playback
• In the clear once copied
• How to create a reliable end to end encryption system
The Challenge
• To create a compatible encryption system that ticks all
the boxes
• Centrally Managed
• File and application agnostic - transparent to the system it is
running in
• No altering of file
• Handles everything from low end files to high end DPX
sequences
• Suitable for closed network AND for cloud workflows
• Must not cause any delays or complications in the
workflow
• Complementary to existing systems
Solution to create a File System Filter Driver
for MediaSeal video encryption
• Technical description: “An optional driver that adds value to or modifies
the behaviour of a file system”
• Log, observe, modify, or prevent
• Typical applications for filter drivers include antivirus utilities, encryption
programs and hierarchical storage management systems.
• A kernel-mode component that runs as part of the OS
• Filters I/O operations for one or more file systems.
• Modify data that is returned to applications (editing programs) as the file is read
• Method gives full control over how the file is processed on the OS
• Ideal for MediaSeal video encryption – not just video files, audio, docs,
images
• Facilitated in Windows OS but it didn’t exist in Mac OS
Collaboration
Where MediaSeal FSFD resides
(File System Filter Driver)
Kernel Level
• Layer between user applications and
hardware
• Removes complexities as it provides
common interface for file operations i.e. open, close, read, seek
• Example of User level is WinZip –
once opened it’s in the clear
Kernel Extensions
• Provides much more functionality &
control
• Increase hardware support
• Expands capabilities of kernel
[Diagram labels: User Level; Kernel Level; extensions: USB, Storage, Bluetooth, FSFD]
Playback & Editing in ProTools
How FSFD enables MediaSeal
Behaviour
• During access FSFD recognises if
file is encrypted
• User is prompted for
authentication - by password, iLok
key/soft key and by remote authentication
• Contents of file only decrypted
into the memory buffer associated
with the file read
• File remains encrypted at rest on
disk – ability to revoke later
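A user-space model of the read path these bullets describe, added here as an illustration and not MediaSeal or Fortium code: the stored bytes are never rewritten, and only the requested range is decrypted into the buffer returned to the caller. The `DEMOSEAL` marker, the HMAC-SHA-256 keystream standing in for AES, and the `FilteredFile` class are assumptions; the page does not describe the real file format or cipher mode.

```python
import hashlib
import hmac

MAGIC = b"DEMOSEAL"   # constructed marker, not MediaSeal's real header
BLOCK = 32            # keystream block size (SHA-256 digest length)


def _keystream(key, offset, length):
    """Keystream bytes covering plaintext range [offset, offset + length)."""
    first = offset // BLOCK
    last = (offset + length - 1) // BLOCK
    stream = b"".join(
        hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(first, last + 1)
    )
    skip = offset - first * BLOCK
    return stream[skip:skip + length]


def seal(plaintext, key):
    """Produce the at-rest form: marker followed by ciphertext."""
    ks = _keystream(key, 0, len(plaintext))
    return MAGIC + bytes(p ^ k for p, k in zip(plaintext, ks))


class FilteredFile:
    """Stands in for the filter layer between application and storage."""

    def __init__(self, stored, key):
        self.stored = stored                    # bytes on disk, never modified
        self.key = key                          # None models failed authentication
        self.sealed = stored.startswith(MAGIC)  # recognise an encrypted file

    def read(self, offset, length):
        """Return plaintext for the requested range only."""
        if not self.sealed:                     # ordinary file: pass through
            return self.stored[offset:offset + length]
        if self.key is None:                    # no credentials: no plaintext
            raise PermissionError("authentication required")
        body = self.stored[len(MAGIC):]
        chunk = body[offset:offset + length]
        # Decrypt into a fresh buffer; self.stored stays encrypted.
        ks = _keystream(self.key, offset, len(chunk))
        return bytes(c ^ k for c, k in zip(chunk, ks))
```

Because the keystream is addressed by block index, a seek followed by a short read costs only the blocks it touches, which is what lets an editing application scrub through a file that stays encrypted on disk.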
[Diagram labels: MediaSeal Not Present; Incorrect Credentials; Trusted Recipient; User Application; Kernel + FSFD Extension; Storage]
How MediaSeal Works
1. Database Key
Server
2. Encryption software
• AES encryption - Security tested by NGS Secure
• Change DRM rules after transfer - set viewing criteria –
who & when, sunset sunrise viewing
• For use behind the firewall with no exposure to the
internet
• Recommended for protecting content in the cloud
3. Decryptor
license + iLok key
Step 1: Log in to Encryptor & Set Up Job
Step 2: Import Files to Encrypt
Step 3: Key Server
Select Trusted Users, Set DRM, Add Password
Step 4: Encrypt Files in Seconds
Access with Password & Key –
File remains encrypted
Playback & Edit in ProTools
No Unauthorised Playback – Blank Screen
Reporting Analytics
User ID
Sort by Who, What, When
Title, Version, User
ID, Code
Date & Time
Granted/Denied
Export to CSV
Case Study
• NBCU Post Production
• Fast & Furious 6
• Box Office Opening Weekend
• $97m US 24 May 2013
• No Leaks prior to release
• Sound mixing, internal & external depts
• Endless Love
Cloud Workflows
• Cloud collaboration tools will give greater efficiency –
faster, quicker, lower cost
• Typical production environments mean many more people
need to work on the same assets, often externally to the
production studios – means more exposure
• Integration into automated asset control
• Files do need to be downloaded to attach local content –
this is the vulnerability – no end point security – files can
be copied
• MediaSeal FSFD means files remain encrypted in the cloud
workflow with cross platform cloud security
The “Anywhere” Solutions
Cloud Based Collaboration
Wrap your media with
MediaSeal Encryptor
Software
Apply encryption locally or in
the cloud after transcoding
Share your encrypted
media safely using any
common file sharing
method
Drop Box, iCloud,
Google Drive,
etc.
Your collaboration team
can access the encrypted
media only when they
have MediaSeal Decryptor
software, have a
registered iLok installed,
and have permissions for
the media.
API Methodology for 3rd Party Solutions
• Encryption systems
• FTP delivery
• Editing Systems
• Authoring Systems
• Scriptable through command line
Further Information
info@fortiumtech.com
www.mediaseal.com
Support of MediaSeal in LA
By Audio Intervisual Design
email: sales@aidinc.com
1155 N. La Brea Avenue, West Hollywood, CA 9003
Tel: 323 845-1155