Getting to Know ‘Session-based Encryption’
by Leslie Ellis // September 27 2004
Once upon a time, about a year ago, it was a true (if hush-hush) possibility that the hypothetical owner of a digital television could tune into the VOD stream of a hypothetical neighbor, and watch it, free and clear.
This wasn’t such a great possibility, particularly if the hypothetical owner of the digital TV had a child, and the hypothetical neighbor was watching the naughty stuff.
How could this be? The answer, perhaps not surprisingly, contains a few zigs and zags.
Recall that TV manufacturers are required, by law, to include tuners that can interpret and display digital, off-air (broadcast) signals. The rule phases in over four years, starting this year, as part of “the digital transition.”
If you were to think like a TV manufacturer, you’d be thinking along these lines: If we’re going to build in an off-air digital tuner, we might as well include a CableCARD slot. (Zig.) The CableCARD interface itself requires a QAM demodulator/tuner. (Zag.)
Suddenly, devices were poised to enter the market that knew how to “tune the network,” which had previously been closed off to anything but cable-provided gear.
Cable’s technologists saw the gravity of the situation. They knew that their own set-tops were built to tune only the session assigned to them, so the above scenario just wouldn’t happen with cable-provided gear; a retail tuner that could tune the network on its own was another matter. They also knew they had a small wedge of time: There weren’t that many digital TVs with CableCARD slots in consumer homes last winter.
(Aside: As of last month, less than 1,000 CableCARD devices had shown up in systems, by my envelope scratchings.)
Still. Big projections about digital devices (mostly TVs and HDTVs) with built-in CableCARD slots continue to radiate from the consumer electronics industry. Specifically, 1 million units are projected to enter the retail pipeline by year-end. “In the pipeline” almost certainly doesn’t mean “in homes” — but a million is slightly more daunting than a thousand.
Something had to be done, not only to keep little Joey from accidentally channel-surfing into an adult title, ordered by somebody a few blocks over. Copyright holders needed reassurances, too, that their premium titles weren’t zipping around in the clear — particularly if they’d been tagged as “copy never,” from a copy protection standpoint.
Fast forward to now. As with anything involving encryption and security, resolving the problem meant working closely with incumbent suppliers — Motorola Inc. and Scientific-Atlanta Inc., specifically — to apply corrective action.
The result is the basis of this week’s translation: Session-based encryption, in the case of S-A, and a mixture of pre-encryption and bulk encryption, in the case of Motorola.
Because this topic involves VOD titles, it necessarily involves network gear. Pulling a title off of a remote server is different from pulling a title off of a local digital video recorder (DVR). The distance between Customer Jane and the server that holds what she wants to watch is measured in miles.
The linkage between a set-top, its headend controller, and a VOD server is known as a session. A session is set up whenever someone begins playing a remotely stored video stream, and it carries every fast forward, rewind, pause and stop command for that stream until it ends.
Session-based encryption, then, is the scrambling of a session – in this case, a stored title — sometime after it leaves the server, but before it enters the house. In S-A’s case, it happens inside the QAM modulators, at the edge of the network.
Here’s how it works: Customer Jane orders a title. The request travels upstream, to a headend controller — in S-A’s case, the “DNCS,” for “Digital Network Control System.” The DNCS hands it off to its “session resource manager,” which goes about the business of locating the title, making sure the server is holding enough copies to play it out to Jane, and mapping a route (including QAMs) for transmission.
The session manager also initiates some rather elaborate cryptographic maneuvers with the QAM in Jane’s path, and with Jane’s set-top. Control words (the short-lived scrambling keys) are generated roughly every four seconds, inside the QAM units; each one travels to Jane’s set-top wrapped under a session key that only her set-top holds, and that key is what unlocks them. Cryptographic people would note that the control words themselves are symmetric keys: the same word scrambles at the QAM and descrambles in the box. What keeps the neighbor out is not the scrambling alone but the fact that his box, tuned to the very same QAM, has no session key with which to unwrap the control words. The short version is, every session is tightly scrambled, and scrambled differently from every other session.
Back at Jane’s house, of course, all of this is happening in the background. Making it work so that Jane didn’t see any performance hits meant upgrading DNCS units with more processing power. That way, things wouldn’t get bogged down with the extra load of encryption and key exchanges.
In Motorola’s case, video streams are scrambled in a separate device, before the QAMs. Some call this a “bulk encryptor” (although Motorola calls it a “smart stream encryption manager.”) Most MSOs and VOD suppliers say they’re working with Motorola’s “SEMs” in the labs now, with launches to follow shortly.
In the interim, some Motorola customers are using a technique called “pre-encryption,” meaning that titles are scrambled before they enter the VOD server. Most of Motorola’s customers are taking the pre-encryption route, particularly for adult content. The trade-off is that a pre-encrypted title is scrambled once, so every session of it carries the same scrambled bytes; what separates Jane from her neighbor is then entirely a matter of which set-tops are handed the key to that title.
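To make the difference between the two approaches concrete, here is an added example, not code from Scientific-Atlanta, Motorola or this column. It models the S-A style session described above (a fresh control word per crypto-period at the QAM, each wrapped under a per-session key the set-top holds) next to the Motorola-style pre-encryption of the previous paragraph. The scrambler is a hypothetical HMAC-SHA256 keystream standing in for the real cipher, the names session_key, title_key and Period are illustrative, and the “video” bytes are constructed inline.

```python
"""Session-based encryption vs. pre-encryption of a VOD title, as a toy model.

Added example; not S-A's, Motorola's or the column's code. The scrambler is
a hypothetical HMAC-SHA256 keystream, not a recommendation for production.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

CW_PERIOD_S = 4        # the column: a fresh control word roughly every four seconds
SEGMENT_BYTES = 32     # video bytes carried per crypto-period in this demo


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated.
    Stand-in for a real stream cipher; a (key, nonce) pair is never reused here."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


@dataclass
class Period:
    """One crypto-period as the edge QAM puts it on the wire."""
    index: int
    ecm: bytes       # control word, encrypted under this session's key
    payload: bytes   # video, scrambled under the control word


def qam_scramble(title: bytes, session_key: bytes) -> list[Period]:
    """S-A style: the QAM picks a new control word per period and wraps it
    for the one session that is allowed to watch."""
    periods = []
    for start in range(0, len(title), SEGMENT_BYTES):
        idx = start // SEGMENT_BYTES
        cw = os.urandom(16)                                  # fresh control word
        ecm = xor(cw, keystream(session_key, b"ecm" + idx.to_bytes(4, "big"), 16))
        chunk = title[start:start + SEGMENT_BYTES]
        periods.append(Period(idx, ecm, xor(chunk, keystream(cw, b"video", len(chunk)))))
    return periods


def settop_descramble(periods: list[Period], session_key: bytes) -> bytes:
    """Set-top: unwrap each control word with the session key, then the video.
    A neighbor tuned to the same QAM sees identical bytes but lacks session_key."""
    clear = b""
    for p in periods:
        cw = xor(p.ecm, keystream(session_key, b"ecm" + p.index.to_bytes(4, "big"), 16))
        clear += xor(p.payload, keystream(cw, b"video", len(p.payload)))
    return clear


def pre_encrypt(title: bytes, title_key: bytes) -> bytes:
    """Motorola-style pre-encryption: scrambled once before it reaches the server,
    so every session carries identical ciphertext and per-viewer control rests
    entirely on who is given title_key. XOR with the same keystream also decrypts."""
    return xor(title, keystream(title_key, b"title", len(title)))


def demo() -> dict:
    """Constructed run: Jane's session, a neighbor's wrong key, and a pre-encrypted title."""
    title = b"CONSTRUCTED sample video payload, not real MPEG-2 " * 3
    jane_key = os.urandom(16)          # agreed among DNCS, QAM and Jane's set-top
    wire = qam_scramble(title, jane_key)
    title_key = os.urandom(16)
    return {
        "jane_decodes": settop_descramble(wire, jane_key) == title,
        "neighbor_decodes": settop_descramble(wire, os.urandom(16)) == title,
        "control_words_rotate": len({p.ecm for p in wire}) == len(wire),
        "two_sessions_differ": qam_scramble(title, jane_key)[0].payload != wire[0].payload,
        "pre_encrypted_same_each_session": pre_encrypt(title, title_key) == pre_encrypt(title, title_key),
        "pre_encrypted_readable": pre_encrypt(pre_encrypt(title, title_key), title_key) == title,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point to take from the run: with session-based scrambling the same title on the same QAM looks different to every session, and a box without the session key recovers nothing; with pre-encryption the stored bytes never change, so the whole security question moves to key distribution.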
Regardless of the technique — session-based encryption, bulk encryption, or pre-encryption — the good news is, technological answers exist to squelch the “little Joey” situation before it becomes just that: A situation.
This column originally appeared in the Broadband Week section of Multichannel News.
IP-Happy Providers Want Your ‘Presence’
by Leslie Ellis // September 13 2004
One of the more curious terms dangling around discussions about advanced communications services is this notion of “presence.”
If you hang out with the people launching voice-over-Internet protocol, or with the people figuring out how to thread services “through the silos” (of video, voice and data bundles), you’ve probably heard someone say it.
If you haven’t, here’s a simple usage example, from a recent batch of notes: “What we need is a network that can do presence, for end-devices that are presence-aware.”
If you had heard that sentence, rather than read it, you might start envisioning a network with gift-wrapped boxes hanging from it. That would be a colorful, if incorrect, mental response.
Making It ‘Instant’
In a broad definition, “presence” is the managing of inbound and outbound communications, on any device, based on your availability, the capabilities of your devices and your preferences.
It’s the “instant” in “instant messaging,” because it lets your people know if you’re attached to the network, so they can ping you live.
In general, presence carries three attributes: Am I on the network? How am I on the network (cell phone, PC, gadget)? Am I available for communications at this time?
In a general sense, “presence” does for your talking life what group calendars do for your working life: It gives more people more information about your availability, as stipulated by you.
Who you are, and where you are — on your laptop, home PC, work PC, blackberry, cell phone, work phone, or TV — gets linked with the technologies of “presence.”
When people talk about presence, they usually start by likening it to instant messaging and buddy lists, except broader, across more devices, with more than just text.
Think video IM here, or “click to talk” telephone.
Or, to switch platforms completely, think IM on TV, video IM on TV, caller ID on TV — that fare.
So, to imagine its potential, it helps to start by daydreaming about a buddy list on steroids. Or an instant messaging service, or any other little box on your computer screen that tells you when people you know are “on.” What started as text messages could expand into a lot more, presence proponents say.
Technically, “presence” is usually within lurking distance of “SIP,” or “Session Initiation Protocol.” SIP is the underbody of services such as Vonage, AT&T’s CallVantage, and other such applications.
(Aside translation: Lately, more and more people seem to be referring to these services, and their ilk, as “over-the-top applications.” In practice, they seem more “parasitic” than over the top, in that they feed, undetected, from the bandwidth of existing cable and digital subscriber line modems. The reality is probably somewhere in the middle.)
In a nutshell, SIP assumes smart end-points, attached to a network that doesn’t need to be so smart (full translations are available in the Feb. 23 and March 8 editions).
Initially, that didn’t sit so well with cable operators, who favor the idea of a smart network serving smart devices.
That’s less of an issue now, as more and more operators work to harmonize SIP-based technologies, including presence, into efforts like PacketCable Multimedia.
‘Simple’ or Not?
Two methods are currently vying to be the oomph of presence: “SIMPLE” and “XMPP.”
SIMPLE stands for SIP for Instant Messaging & Presence Leveraging Extensions. (One proponent of SIMPLE actually calls it “a clearly contrived acronym.”)
XMPP stands for Extensible Messaging and Presence Protocol. Both are vying to be “the one,” from an interoperability perspective.
Generally speaking, both are ways to link “clients” (end devices) and systems to the infrastructure of presence. SIMPLE is an extension of SIP; XMPP is XML-based, and commercialized by Denver-based Jabber Inc. Both groups are housed within the overall Internet Engineering Task Force (IETF). Happily, the matter of who wins is beyond the scope of this translation.
The hard part for operators who may want to offer presence-based services — Comcast talks a lot about it — will be explaining it to consumers.
Try describing “presence” to your parents, or your techno-uninterested friends. I did. It didn’t go well. My efforts got clumped into “fancy phone stuff that I don’t need” and “why would I want anyone to know that much about me?”
Along those lines, one of the most common uses of presence, so far, is “invisibility” — where you continue to receive, but appear to be offline to particular people, or your entire contact list.
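The three attributes above and the “invisibility” setting are easy to mistake for a feature list, but together they are an access-control problem: who is allowed to learn what about you. The following is an added example, not code from Jabber Inc., Comcast or this column, showing a presence server that answers each watcher according to the user’s visibility settings and renders the answer as an XMPP presence stanza (the XML-based side of the SIMPLE/XMPP pair). The addresses, the Presentity/Presence names and the policy model are illustrative.

```python
"""Per-watcher presence visibility, rendered as XMPP presence stanzas.

Added example; not Jabber Inc.'s, Comcast's or the column's code. Stanza
shape follows XMPP's <presence> element (<show>, <status>, type="unavailable").
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class Presence:
    """The column's three attributes: on the network? how? available?"""
    online: bool
    device: str = ""     # XMPP carries "how" as the resource: jane@example.com/tv
    show: str = ""       # XMPP <show>: "chat", "away", "dnd", "xa"; empty = plain available
    status: str = ""


OFFLINE = Presence(online=False)


@dataclass
class Presentity:
    """A user whose presence is being published, with visibility rules set by that user."""
    jid: str
    presence: Presence
    invisible_to: set = field(default_factory=set)   # these watchers see "offline"
    invisible_to_all: bool = False

    def view_for(self, watcher: str) -> Presence:
        """Presence this watcher is entitled to. Invisible means the user still
        receives messages; the watcher simply learns nothing, not even the device."""
        if self.invisible_to_all or watcher in self.invisible_to:
            return OFFLINE
        return self.presence


def notify_stanza(p: Presentity, watcher: str) -> str:
    """Build the <presence> stanza the server would send to one watcher."""
    view = p.view_for(watcher)
    if not view.online:
        # Bare JID on purpose: a resource would leak which device is really online.
        el = ET.Element("presence", {"from": p.jid, "to": watcher, "type": "unavailable"})
    else:
        el = ET.Element("presence", {"from": f"{p.jid}/{view.device}", "to": watcher})
        if view.show:
            ET.SubElement(el, "show").text = view.show
        if view.status:
            ET.SubElement(el, "status").text = view.status
    return ET.tostring(el, encoding="unicode")


def parse_stanza(text: str) -> dict:
    """What a watcher's client learns from a received stanza."""
    el = ET.fromstring(text)
    return {
        "from": el.get("from"),
        "type": el.get("type", "available"),
        "show": el.findtext("show"),
        "status": el.findtext("status"),
    }


def demo() -> dict:
    """Constructed scenario: Jane is on her TV, visible to a friend, invisible to one contact."""
    jane = Presentity(
        "jane@example.com",
        Presence(online=True, device="tv", show="dnd", status="Watching a movie"),
        invisible_to={"nosy@example.net"},
    )
    return {w: parse_stanza(notify_stanza(jane, w)) for w in ("friend@example.net", "nosy@example.net")}


if __name__ == "__main__":
    for watcher, seen in demo().items():
        print(watcher, "->", seen)
```

The detail worth noticing is the “from” address: the visible watcher gets the full address with the device resource, while the invisible-to watcher gets only the bare address and an “unavailable” type, so the policy hides not just availability but also which device Jane is on.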
Therefore, “presence” will likely need the help of good marketers before it will thrive.
That could mean that “presence” is one of those techniques that grows useful in ways that aren’t immediately apparent. Velcro, a Swiss invention of the 1940s, found its early fame with NASA, which used it to keep loose items in place in zero gravity. Today, it’s a household item. ADSL was developed with interactive television in mind. So was Sun’s Java platform, for that matter.
In the meantime, you can still let your calls go into voice mail. They can’t see you deliberately shunting the call.
This column originally appeared in the Broadband Week section of Multichannel News.