CCAP Encryption: Integrating CCAP into the Video Control Plane
Kevin Taylor, Fellow, Comcast
July 31, 2014

Slide 2: Topics
• CCAP in a Nutshell
• CCAP in a System Context
• CCAP Encryption Goals
• CCAP Transition Strategy
• CCAP Encryption Hardware Requirements
• CCAP Encryption Options
• CCAP Encryption Phasing Case Study
• Special Considerations

Slide 3: CCAP in a Nutshell
• Converged Cable Access Platform
• Combines the functions of the CMTS and the Edge QAM
• Implements all narrowcast and broadcast QAMs
[Figure: 16U CCAP chassis, front and rear views, with DS port assignments. Labels recovered from the figure: primary and secondary 100-Gig-E ports; primary and secondary switch/route engines; US cards (24 ports per US card) with US redundancy; DS cards (12 RF ports per DS card, 32/48/64 narrowcast QAMs per port, 96 broadcast QAMs per port; the broadcast port carries 64 NC QAMs + 96 BC QAMs) with DS redundancy; DS port assignments for IP video, DOCSIS HSD/CDV, broadcast, cDVR and VOD MPEG TS; RF combining implemented with a high-density UCH using MCX-75 connectors, with the goal to simplify and eventually eliminate RF combining; narrowcast and broadcast digital services, legacy OOB and QAM, CCAP DS, US and analog joined through a 3-way split; power supply modules, fan modules, intake and exhaust air.]

Slide 4: CCAP Impact
• Engineering: capacity and efficiency
  - 50% space savings with 4x capacity
  - 60% power savings plus less cooling
  - Improves existing UPS and battery backup performance
• Architecture: simplicity and flexibility
  - Minimal, simplified combining wiring
  - Full-spectrum MPEG/DOCSIS QAMs, easier migration to IPTV
  - Future proof, single access platform
• Purchasing: cost will quickly become a big driver
  - DOCSIS QAMs in particular are significantly cheaper
• Operations: reliability and manageability
  - Fully redundant (N+1 LC and 1+1 Commons)
  - Configuration change between QAM types vs.
    equipment swap-out
  - Much shorter maintenance window (ISSU)
  - Far less equipment to manage and maintain

Slide 5: CCAP in a System Context
[Figure: system context diagram; no labels recoverable.]

Slide 6: CCAP Encryption Goals
• Architecture
  - Cost efficiency
  - Resource efficiency
  - Compatibility with deployed conditional access systems
  - Scalability
  - Security
  - Modern network architecture
  - Reliability and resiliency
• Linear
  - Broadcast
  - DTA
  - PPV/IPPV
  - SDV
• VOD
  - Port mapped (static)
  - Session (dynamic)

Slide 7: CCAP Encryption
[Figure: Converged Cable Access Platform encryption covering broadcast, SDV and VOD QAMs alongside M-CMTS and I-CMTS QAMs; conditional access systems shown: ARRIS MediaCipher, Cisco PowerKey, DVB encryption; hardware platform specifications.]

Slide 8: Legacy Encryption vs. CCAP Encryption
• Legacy encryption (GQAM, MQAM, SEM, APEX, NetCrypt)
  - EQAM: proprietary generation of CW and ECM (CWG and ECMG inside the EQAM, or an external ECMG/CWG)
  - EQAM: encryption
  - EQAM: stream multiplexing
  - EQAM: output conversion
  - Clear video in; IP or QAM encrypted video with embedded ECM out
• CCAP encryption (CCAP and 3rd-party EQAM)
  - ECMG: proprietary generation of CW and ECMs moves to a vendor ECMG device
  - EQAM: encryption, multiplexing and output conversion remain in the EQAM
  - Clear video in; IP or QAM encrypted video with embedded ECM out

Slide 9: CCAP Transition Strategy
[Figure: transition diagram; no labels recoverable.]

Slide 10: CCAP Encryption Requirements
• Decryption support
  - Network decryption (not currently implemented): AES-128
• Encryption support
  - MediaCipher / DTA: SCTE-52 (DES-CBC)
  - PowerKey / DTA: DES-ECB
  - AES
  - DVB-CSA/CSA3 (Simulcrypt)
  (The two DES modes, 56-bit DES in CBC and ECB, are carried for compatibility with the deployed MediaCipher and PowerKey set-top and DTA populations; AES and CSA3 are the modes a new deployment would choose.)
• CA system support
  - PID routing: CAT, DTA system information, DTA EMM, DTA user interface data, DTA messaging
  - PSIP aggregation: PSIP, EAS

Slide 11: CCAP Encryption Options
• Option 1: CCAP with ECMG
• Option 2: CCAP with bulk encryption
• Option 3: CCAP with DVB Simulcrypt

Slide 12: CCAP Encryption Option 1 - CCAP with ECMG (Load Balancer/HTTP)
[Figure: the CCAP sends an authenticated web request {AC, ECM/CW} through a load balancer to a shared ECMG pool; each ECMG is paired with a CWG and backed by the CAS.]
The CCAP keeps an ECM/CW cache of the batches it receives.
Abbreviations: ECMG – Entitlement Control Message Generator; ECM – Entitlement Control Message; CW – Control Word; CWG – Control Word Generator; CAS – Conditional Access System

Slide 13: CCAP Encryption Option 1 - CCAP with ECMG (Load Balancer/HTTP)
[Figure: the shared ECMG pool (three ECMG/CWG pairs, each holding the CA secrets) serves both the set-top CAS and the DTA CAS; the CCAP exchanges http[AC, ECM/CW] with the pool through the load balancer. CCAP encrypt: MPTS/SPTS video (clear content) in, MPTS/SPTS (encrypted content) out; DTA CAT, SI, EMM, data and EAS also enter the CCAP.]

Slide 14: CCAP Encryption Option 1 - CCAP with ECMG (Load Balancer/HTTP)
• ECMG is not in the video path
• ECMG<>CCAP interface is resilient to network delays and short outages
• Batching of ECMs and CWs
• Standard network load balancing is supported
• CCAP needs licensed technology from CA vendors
• ECMG is stateless

Slide 15: Option 2 - CCAP with Bulk Encryptor
[Figure: the set-top CAS and the DTA CAS feed a bulk encryptor that holds the CA secrets and performs the encryption; MPTS/SPTS video (clear content) and DTA CAT, SI, EMM, data and EAS enter the bulk encryptor; MPTS/SPTS (encrypted content) leaves it and passes through the CCAP.]
Abbreviations: DTA – Digital Terminal Adaptor; CAS – Conditional Access System; SI – System Information; EMM – Entitlement Management Message; EAS – Emergency Alert System; MPTS – Multi-Program Transport Stream; SPTS – Single Program Transport Stream
Slide 16: CCAP Encryption Option 2 - CCAP with Bulk Encryptor
• Bulk encryptor is in the video path
• Requires appropriate redundancy to be applied at both the bulk encryptor and the CCAP
• Bulk encryptor encapsulates all of the proprietary CA vendor information in a single video encryption device
• May be resilient to network delays and short outages
• Efficient encryption method for a video architecture with many nodes

Slide 17: CCAP Encryption Option 3 - CCAP with DVB Simulcrypt
[Figure: a DVB Simulcrypt compliant CA system with an EIS (Simulcrypt EIS<->SCS interface to the CCAP) and one ECMG per CAS (set-top CAS ECMG and DTA CAS ECMG, each holding its secrets) connected to the CCAP over the Simulcrypt SCS<->ECMG interface; the CWG location varies by CA vendor. CCAP encrypt (varies by CA vendor): MPTS/SPTS video (clear content) in, MPTS/SPTS (encrypted content) out; DTA CAT, SI, EMM, data and EAS also enter the CCAP.]
Abbreviations: ECMG – Entitlement Control Message Generator; EIS – Event Information Scheduler; SCS – Simulcrypt Synchronizer; CW – Control Word; CWG – Control Word Generator; CAS – Conditional Access System

Slide 18: CCAP Encryption Option 3 - CCAP with DVB Simulcrypt
• ECMG is not in the video path
• Standardized DVB interfaces
• Socket-based interfaces
• Not all CA systems support a Simulcrypt mode with the CCAP acting as the Simulcrypt Synchronizer (SCS)
• Some CA systems have IP or secrets that must be applied at the encryptor

Slide 19: CCAP Encryption Option Comparison (1)

| | Option 1: ECMG | Option 2: Bulk Encryptor | Option 3: DVB Simulcrypt |
|---|---|---|---|
| CAS operation | Single vendor | Single vendor | Multi-vendor |
| Encryption location | CCAP | Bulk encryptor | CCAP |
| Location of proprietary CA secrets | ECMG | Bulk encryptor | ECMG |
| Interface standards | Proprietary | Proprietary (licensed to CCAP vendors) | Open |
| Protocol basis | HTTPS | Proprietary | Socket interface |
| Authentication | Authenticated | Per vendor implementation | None |
| ECM batching | Y | N/A | N (transaction per crypto period) |
| Load balancing | Y | N/A | Concept of primary, secondary and priority; support is vendor specific |
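The Option 1 mechanics described on slides 12 to 14 and in the Option 1 column above can be exercised end to end in a small simulation. The following is an added example, not Comcast, ARRIS or Cisco code and not any vendor's ECMG API: a stateless ECMG pool member that authenticates the CCAP's batched {AC, ECM/CW} request with an HMAC (the request fields, the API-key scheme and the HMAC-based control word derivation are assumptions of the example), a CCAP-side cache that prefetches batches through a "load balancer" and keeps scrambling when the pool becomes unreachable, and per-crypto-period even/odd signalling in the MPEG-2 TS transport_scrambling_control field. The keystream and the ECM layout are stand-ins for the page's DES-CBC/AES/CSA modes and for the vendors' proprietary ECM formats.

```python
import hashlib
import hmac
import json
import struct

TS_PKT = 188
SYNC = 0x47
EVEN, ODD = 0b10, 0b11  # transport_scrambling_control codes in the MPEG-2 TS header


class StatelessECMG:
    """One member of the shared ECMG/CWG pool. Every member holds the same CAS secret and
    derives identical CWs and ECMs from (service, crypto period), so the load balancer can
    hand any batch to any member. Request format and derivation are this example's assumptions."""

    def __init__(self, cas_secret, api_key):
        self.cas_secret = cas_secret  # proprietary CA secret stays here, never on the CCAP
        self.api_key = api_key        # credential behind the 'Authenticated' HTTPS request

    def handle(self, body, mac):
        """Serve one batched {AC, ECM/CW} request after checking its HMAC."""
        expected = hmac.new(self.api_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            raise PermissionError("ECM request failed authentication")
        req = json.loads(body)
        sid, ac = req["service_id"], req["access_criteria"].encode()
        items = []
        for cp in range(req["first_cp"], req["first_cp"] + req["count"]):
            cw = self.control_word(sid, cp)
            items.append({"cp": cp, "cw": cw.hex(), "ecm": self.ecm(sid, cp, cw, ac).hex()})
        return {"service_id": sid, "items": items}

    def control_word(self, sid, cp):
        return hmac.new(self.cas_secret, b"cw|%d|%d" % (sid, cp), hashlib.sha256).digest()[:8]

    def ecm(self, sid, cp, cw, ac):
        # Stand-in ECM: service, CP number, CW masked under a key tied to the access criteria.
        mask = hmac.new(self.cas_secret, b"ecm|" + ac, hashlib.sha256).digest()[:8]
        return struct.pack(">HI", sid, cp) + bytes(a ^ b for a, b in zip(cw, mask))


def decoder_recover_cw(ecm, cas_secret, ac):
    """What an entitled decoder does with the embedded ECM (same stand-in format)."""
    _sid, cp = struct.unpack(">HI", ecm[:6])
    mask = hmac.new(cas_secret, b"ecm|" + ac, hashlib.sha256).digest()[:8]
    return cp, bytes(a ^ b for a, b in zip(ecm[6:], mask))


class CCAPEncryptor:
    """CCAP side: prefetches ECM/CW batches and scrambles from the cache during outages."""

    def __init__(self, service_id, access_criteria, api_key, batch=8):
        self.sid, self.ac, self.api_key, self.batch = service_id, access_criteria, api_key, batch
        self.cache = {}  # cp -> (cw, ecm)

    def refill(self, pool, first_cp):
        """Try pool members in order (the load balancer's job); True once a batch is cached."""
        body = json.dumps({"service_id": self.sid, "access_criteria": self.ac,
                           "first_cp": first_cp, "count": self.batch}).encode()
        mac = hmac.new(self.api_key, body, hashlib.sha256).hexdigest()
        for ecmg in pool:
            if ecmg is None:  # simulated unreachable member
                continue
            for item in ecmg.handle(body, mac)["items"]:
                self.cache[item["cp"]] = (bytes.fromhex(item["cw"]), bytes.fromhex(item["ecm"]))
            return True
        return False

    def scramble(self, packet, cp, pkt_index):
        """Apply the CP's control word to one TS packet, signalling even/odd parity."""
        if len(packet) != TS_PKT or packet[0] != SYNC:
            raise ValueError("not a TS packet")
        cw, _ecm = self.cache[cp]  # a KeyError here is the failure mode the cache prevents
        hdr = bytearray(packet[:4])
        hdr[3] = (hdr[3] & 0x3F) | ((EVEN if cp % 2 == 0 else ODD) << 6)
        # Stand-in keystream; the page's DES-CBC, AES and CSA modes are not in the stdlib.
        ks = b"".join(hashlib.sha256(cw + struct.pack(">IIB", cp, pkt_index, i)).digest() for i in range(6))
        return bytes(hdr) + bytes(a ^ b for a, b in zip(packet[4:], ks))


def run_demo():
    """Twelve crypto periods; one pool member dies at CP 4, the whole pool is gone from CP 6."""
    cas_secret, api_key = b"constructed-vendor-cas-secret", b"constructed-ccap-api-key"
    pool = [StatelessECMG(cas_secret, api_key) for _ in range(3)]
    ccap = CCAPEncryptor(service_id=0x1234, access_criteria="tier=basic", api_key=api_key)
    clear = bytes([SYNC, 0x41, 0x00, 0x10]) + bytes(range(184))  # constructed clear TS packet
    r = {"refills": [ccap.refill(pool, first_cp=0)], "parities": [], "auth_rejected": False}
    for cp in range(12):
        if cp == 4:
            pool[0] = None  # one member down: another member serves the refill
        if cp == 6:
            pool = [None, None, None]  # short outage of the whole pool
        if cp in (4, 8):  # the CP 8 refill fails; scrambling continues from the cache
            r["refills"].append(ccap.refill(pool, first_cp=max(ccap.cache) + 1))
        r["parities"].append(ccap.scramble(clear, cp, pkt_index=cp)[3] >> 6)
    cp3, cw3 = decoder_recover_cw(ccap.cache[3][1], cas_secret, b"tier=basic")
    r["decoder_ok"] = (cp3, cw3) == (3, ccap.cache[3][0])
    r["fresh_member_agrees"] = StatelessECMG(cas_secret, api_key).control_word(0x1234, 9) == ccap.cache[9][0]
    try:
        StatelessECMG(cas_secret, api_key).handle(b"{}", "deadbeef")
    except PermissionError:
        r["auth_rejected"] = True
    return r
```

Two properties of the option are visible in the run: any pool member derives the same control word from the same secret, so the CP 4 refill is served by a different member than the CP 0 refill, and an outage of the whole pool at CP 6 does not interrupt scrambling because the cache already holds CPs 8 through 15. The prefetch depth is also the exposure knob: it bounds how many future control words sit on the CCAP at any moment.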
Slide 20: CCAP Encryption Option Comparison (2)

| | Option 1: ECMG | Option 2: Bulk Encryptor | Option 3: DVB Simulcrypt |
|---|---|---|---|
| Video path redundancy | CCAP responsibility | Bulk encryptor and CCAP share redundancy responsibility | CCAP responsibility |
| Network load | Resilient to short network outages | Resilient to short network outages | Resilient to short network outages |
| State | Stateless | Stateful | Stateful |
| Cloud readiness | Auto-scaling, load balancing and failure resiliency are part of the architecture | None | Concept of primary / secondary ECMG |
| Hitless upgrades | Y (ECMG pool provides redundancy) | N | Maybe (requires 1:1 redundancy) |
| Horizontal scalability | Y | N | Concept of primary / secondary ECMG |
| ECM stretching | Vendor specific | Vendor specific | Vendor specific |
| Support | Future | Current | Current |

Slide 21: CCAP Encryption Phasing Case Study – ARRIS
Phases (columns): VOD Encryption; Privacy Mode; VPME Linear; Linear + OneController; Session.
Encryption modes named across the phases: MediaCipher session based encryption; MediaCipher (CTCP) common tier encryption; MediaCipher (ODCP); MediaCipher (CTCP, ODCP); MediaCipher with DTA. VOD session setup is by port mapping in the VOD Encryption and Privacy Mode phases and by port or session in the later phases.

| Network function | VOD Encryption | Privacy Mode |
|---|---|---|
| VOD session setup | Port mapping | Port mapping |
| Components: CCAP | Y | Y |
| ECMG | n/a | Y |
| VOD back office updates | N | N |
| DAC | N | Y |
| CASMR | N | Y |
| BVSM (OneController) | n/a | n/a |
| Interfaces (required): CableLabs RMI | n/a | n/a |
| CCAP-ECMG | n/a | Y |
| CAMS-SM | n/a | n/a |

Component and interface values for the VPME Linear, Linear + OneController and Session columns, as extracted (row/column order not recoverable): Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y n/a n/a Y Y Y n/a n/a Y n/a Y Y Y

Slide 22: CCAP Encryption Phasing Case Study – Cisco

| Network function | Embedded PowerKey VOD | PowerKey VOD on ECMG | Linear with Simulcrypt | Linear with OneController |
|---|---|---|---|---|
| VOD encryption | PowerKey | PowerKey | | |
| Linear encryption mode | | | PowerKey, SCP/SCC | PowerKey, SCP/SCC |
| VOD session setup | Session | Session | | |
| Linear session setup | | | DNCS | BVSM session |
| Components: CCAP | N | n/a | Y | Y |
| ECMG (PCG) | Y | Y (Simulcrypt) | Y | Y |
| VOD back office | Y | Y | N | Y |
| DNCS/EC | Y | Y | n/a | n/a |
| ECS | Y | Y | n/a | n/a |
| BVSM (OneController) | Y | Y | n/a | Y |
| DTACS | Y | Y | Y | Y |
| Interfaces (required): CableLabs RMI | N | N | N | N |
| PEACH (ECMG) | Y | Y | Y | N |
| CAMS-SM | N | N | N | Y |
| Simulcrypt | Y | Y | Y | N |
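Option 3 (slides 17 to 19) and the "Linear with Simulcrypt" phase of the Cisco case study put the CCAP in the SCS role of the DVB Simulcrypt ECMG<->SCS interface. The following is an added example, not Comcast, Cisco or any CA vendor's code: it frames and parses Simulcrypt messages (protocol_version, message_type, message_length, then type/length/value parameters, per ETSI TS 103 197; the numeric message and parameter codes are written from memory and must be checked against the spec edition the vendor implements) and runs the channel_setup / stream_setup / CW_provision exchange for three crypto periods, one round trip each, which is the "transaction per crypto period" row of the comparison table. In the standard Simulcrypt model the SCS supplies the control word inside CW_provision, which matches the slide's note that the CWG location varies by vendor; the ECM datagram here is a stand-in for the vendor's proprietary format. Two practitioner points follow from the table's "Authentication: None" entry: the control word crosses this socket in CW_provision, so the SCS-ECMG link needs network isolation or a network-layer tunnel that this example does not add, and the parser must treat every length field as untrusted, which decode() does.

```python
import hashlib
import hmac
import struct

# Generic DVB Simulcrypt framing (ETSI TS 103 197): protocol_version(1) message_type(2)
# message_length(2), then parameters as parameter_type(2) parameter_length(2) value. The numeric
# codes are as this example's author recalls them from the spec; verify against your vendor's edition.
PROTO_VERSION = 0x03
MSG = {"channel_setup": 0x0001, "channel_status": 0x0003, "channel_error": 0x0005,
       "stream_setup": 0x0101, "stream_status": 0x0103, "CW_provision": 0x0201, "ECM_response": 0x0202}
PARAM = {"Super_CAS_id": 0x0001, "CW_per_msg": 0x000B, "access_criteria": 0x000D, "ECM_channel_id": 0x000E,
         "ECM_stream_id": 0x000F, "nominal_CP_duration": 0x0010, "CP_number": 0x0012,
         "CP_CW_combination": 0x0014, "ECM_datagram": 0x0015, "error_status": 0x7000}
MSG_NAME = {v: k for k, v in MSG.items()}
PARAM_NAME = {v: k for k, v in PARAM.items()}

def encode(msg_type, params):
    """Serialize one message from a list of (parameter name, value bytes)."""
    body = b"".join(struct.pack(">HH", PARAM[n], len(v)) + v for n, v in params)
    return struct.pack(">BHH", PROTO_VERSION, MSG[msg_type], len(body)) + body

def decode(frame):
    """Parse one message; every length is checked against the frame before it is trusted."""
    if len(frame) < 5:
        raise ValueError("short header")
    ver, mtype, blen = struct.unpack(">BHH", frame[:5])
    if ver != PROTO_VERSION or 5 + blen != len(frame):
        raise ValueError("bad protocol_version or message_length")
    params, pos, end = {}, 5, 5 + blen
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated parameter header")
        ptype, plen = struct.unpack(">HH", frame[pos:pos + 4])
        if pos + 4 + plen > end:
            raise ValueError("parameter_length exceeds message")
        params[PARAM_NAME.get(ptype, ptype)] = frame[pos + 4:pos + 4 + plen]
        pos += 4 + plen
    return MSG_NAME.get(mtype, mtype), params

class VendorECMG:
    """ECMG side: the CA vendor's box holding the CA secret; one CW_provision gets one ECM_response."""
    def __init__(self, super_cas_id, cas_secret):
        self.super_cas_id, self.cas_secret = super_cas_id, cas_secret

    def serve(self, frame):
        mtype, p = decode(frame)
        chan = ("ECM_channel_id", p["ECM_channel_id"])
        if mtype == "channel_setup":
            if p["Super_CAS_id"] != struct.pack(">I", self.super_cas_id):
                return encode("channel_error", [chan, ("error_status", b"\x00\x01")])  # code assumed
            return encode("channel_status", [chan, ("CW_per_msg", b"\x01")])
        if mtype == "stream_setup":
            return encode("stream_status", [chan, ("ECM_stream_id", p["ECM_stream_id"])])
        cp, cw = p["CP_number"], p["CP_CW_combination"][2:]  # CP_CW_combination = CP_number + CW
        # Stand-in for the vendor's proprietary ECM: the CW masked under a key tied to the AC.
        mask = hmac.new(self.cas_secret, b"ecm|" + p["access_criteria"], hashlib.sha256).digest()[:len(cw)]
        ecm = b"\x80" + cp + bytes(a ^ b for a, b in zip(cw, mask))
        return encode("ECM_response", [chan, ("ECM_stream_id", p["ECM_stream_id"]), ("CP_number", cp),
                                        ("ECM_datagram", ecm)])

class CCAPSCS:
    """SCS side: the CCAP generates each CW (in DVB Simulcrypt the SCS owns the CWG), sends it for
    one crypto period and gets back the ECM to embed in the outgoing stream."""
    def __init__(self, ecmg, super_cas_id, channel_id=1):
        self.ecmg, self.super_cas_id, self.round_trips = ecmg, super_cas_id, 0
        self.chan = ("ECM_channel_id", struct.pack(">H", channel_id))

    def _ask(self, msg_type, params, expect):
        self.round_trips += 1
        name, p = decode(self.ecmg.serve(encode(msg_type, [self.chan] + params)))
        if name != expect:
            raise RuntimeError("ECMG answered %s, expected %s" % (name, expect))
        return p

    def open_stream(self, stream_id, cp_duration):
        self._ask("channel_setup", [("Super_CAS_id", struct.pack(">I", self.super_cas_id))], "channel_status")
        self._ask("stream_setup", [("ECM_stream_id", struct.pack(">H", stream_id)),
                                   ("nominal_CP_duration", struct.pack(">H", cp_duration))], "stream_status")

    def crypto_period(self, stream_id, cp, cw, access_criteria):
        cpn = struct.pack(">H", cp)
        p = self._ask("CW_provision", [("ECM_stream_id", struct.pack(">H", stream_id)), ("CP_number", cpn),
                      ("CP_CW_combination", cpn + cw), ("access_criteria", access_criteria)], "ECM_response")
        if p["CP_number"] != cpn:
            raise RuntimeError("ECM does not belong to this crypto period")
        return p["ECM_datagram"]

def run_demo():
    scs = CCAPSCS(VendorECMG(0x0E000001, b"constructed-vendor-secret"), super_cas_id=0x0E000001)
    scs.open_stream(stream_id=7, cp_duration=100)  # nominal CP duration, 100 ms units
    cws = [hashlib.sha256(b"constructed-cw-%d" % cp).digest()[:8] for cp in range(3)]
    ecms = [scs.crypto_period(7, cp, cw, b"tier=basic") for cp, cw in enumerate(cws)]  # one round trip per CP
    bad = bytearray(encode("CW_provision", [("ECM_channel_id", b"\x00\x01"), ("CP_number", b"\x00\x05")]))
    bad[7] = 0xFF  # first parameter_length now claims more bytes than the frame holds
    try:
        decode(bytes(bad))
        malformed_rejected = False
    except ValueError:
        malformed_rejected = True
    return {"round_trips": scs.round_trips, "ecm_cps": [e[1:3] for e in ecms], "malformed_rejected": malformed_rejected}
```

run_demo() performs two setup round trips and then exactly one CW_provision/ECM_response pair per crypto period, which is why Option 3 cannot batch the way Option 1 does and why a slow or unreachable ECMG is felt at the next crypto period boundary rather than absorbed by a cache.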
Slide 23: Special Considerations
• CCAP broadcast replication
• Adult content
  - Special requirements
  - Combinations of encryption approaches

Slide 24: Summary
• The CCAP architecture enables several mechanisms for the cable operator to enable video encryption
• The cable operator will need to decide which approach is best for their system architecture, service type and network

Slide 25: Questions?
Comcast Confidential