1、 ETSI TR 187 013 V3.1.1 (2011-02)Technical Report Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN);Feasibility study on IPTV Security ArchitectureETSI ETSI TR 187 013 V3.1.1 (2011-02) 2Reference DTR/TISPAN-07033-NGN-R3 Keywords architecture, security
2、ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can b
3、e downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the re
4、ference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documen
5、ts is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permis
6、sion. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2011. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTM, TIPHONTM, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members
7、. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. LTE is a Trade Mark of ETSI currently being registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned
8、 by the GSM Association. ETSI ETSI TR 187 013 V3.1.1 (2011-02) 3Contents Intellectual Property Rights 6g3Foreword . 6g31 Scope 7g32 References 7g32.1 Normative references . 7g32.2 Informative references 7g33 Definitions and abbreviations . 9g33.1 Definitions 9g33.2 Abbreviations . 10g34 Security Req
9、uirements on IPTV Content and Service Protection 12g35 Identification and authentication in IPTV 13g36 Generic stage 2 model for IPTV service protection . 14g36.1 Overview of model . 14g36.2 Detailed model description . 16g36.2.1 URK generation and delivery . 16g36.2.2 SEK generation and delivery 17
10、g36.2.3 TEK generation and delivery 17g37 Candidate Key Hierarchies for Service Protection . 18g37.1 4-Layers Key Hierarchy . 18g37.1.1 Bootstrapping Layer . 19g37.1.2 Key Management Layer 19g37.1.3 Key Stream Layer . 19g37.1.4 Traffic Protection Layer 19g37.2 3-Layers Key Hierarchy . 19g37.2.1 Boot
11、strapping Layer . 20g37.2.2 Key Stream Layer . 20g37.2.3 Traffic Protection Layer 20g38 Candidate Security Models for Service Protection 20g38.1 Mapping of 4-Layers Key Hierarchy to Security Model 20g38.2 Mapping of 3-Layers Key Hierarchy to Security Model 21g39 Candidate Solutions for Service Prote
12、ction 22g39.1 Service Protection Solution One 22g39.1.1 Functional Architecture Overview 23g39.1.2 Reference Points . 23g39.1.2.1 KMF - UE (Kx) . 23g39.1.2.2 KMF - CEF (Ky) . 23g39.1.2.3 CEF - MDF (Kz) . 23g39.1.3 Solution Description . 24g39.1.3.1 Procedures for service protection deployment 24g39.
13、1.3.2 Procedures for key providing 25g39.2 OMA BCAST 1.0 as candidate solution 26g39.2.1 OMA BCAST Functional Architecture and TISPAN IPTV . 27g39.2.2 OMA BCAST Service and Content Protection . 31g39.2.2A OMA BCAST Smart Card Profile adaptation to MPEG-2 TS 35g39.2.3 OMA BCAST DRM-Profile as a candi
14、date solution 38g39.2.3.1 Functional Architecture Overview 39g39.3 Service Protection using DVB Simulcrypt approach . 41g39.3.1 Functional Architecture Overview 42g39.3.2 Solution Description . 42g39.4 MBMS as candidate solution for IPTV Service Protection 42g39.4.1 Summary of MBMS as candidate solu
15、tion . 44g3ETSI ETSI TR 187 013 V3.1.1 (2011-02) 49.5 User Authentication and Service Authorization and any Content Protection (UA, SA and any CP) as candidate solution . 46g39.5.1 Open IPTV Authentication, Content and Service Protection Specification 46g39.5.2 OIPF SAA and CSP solutions integration
16、 into TISPAN NGN . 48g310 Gap Analysis and Selection of Possible Solutions for Service Protection . 50g310.1 TISPAN IPTV Security Requirements . 50g310.1.1 Common IPTV Security Requirements 50g310.1.2 IPTV Service Protection Requirements 53g310.1.3 Non-IMS-based IPTV Security Requirements 54g310.1.4
17、 Availability and DoS Protection Requirements 55g310.1.5 Other Assessment Requirements 55g310.1.5.1 Ability to address legacy IPTV head end and interworking to deployed equipment 55g310.1.5.2 OMA BCAST solution 55g310.1.5.3 UA, SA and any CP 56g310.2 Comparisons between OMA BCAST Smartcard Profile a
18、nd MBMS solutions 56g310.3 Pros and Cons considering DRM and SmartCard Profile . 57g311 Coexistence and Interoperability Analysis . 59g311.1 Coexistence of pre-existing non-TISPAN IPTV protection solutions 59g311.1.1 DVB Simulcrypt . 59g311.1.2 OMA BCAST . 59g311.1.3 UA SA and any CP . 59g311.2 Inte
19、roperability of service protection with content protection 59g311.2.1 MPEG-2 Transport Stream Protection 59g311.2.2 OMA BCAST . 59g311.3 Service Protection Model reusing UPSF/PDBF, BSF and NAFs . 60g312 Recommendations 62g312.1 OMA BCAST . 62g312.2 UA SA and any CP . 62g3Annex A (informative): Servi
20、ce Protection using MBMS Approach . 63g3A.1 Introduction 63g3A.2 Key Architecture 63g3A.2.1 Four-layered key management system . 63g3A.2.2 Root Key and the Layer 1 subscriber management key . 64g3A.2.3 Key architecture within ETSI-TISPAN Security architecture 65g3A.3 MBMS-Architecture . 66g3A.3.1 MB
21、MS and GBA 66g3A.3.1.1 Bootstrapping server function (BSF) 66g3A.3.1.2 Network application function (NAF) 67g3A.3.1.3 Home Subscriber Server (HSS) 67g3A.3.1.4 UE . 67g3A.3.1.5 Bootstrapping architecture and reference points . 67g3A.3.1.5.1 Reference point Ub . 67g3A.3.1.5.2 Reference point Ua 68g3A.
22、3.2 BM-SC as NAF 68g3A.3.3 BM-SC Network Components . 68g3A.3.3.1 Membership function 69g3A.3.3.2 Session and transmission function 69g3A.3.3.3 Proxy and Transport Function 70g3A.3.3.4 Service Announcement Function 70g3A.3.3.5 MBMS Security Function . 70g3A.3.3.6 Protocol stack used by MBMS User Ser
23、vices. 70g3A.4 Service protection of TISPAN IMS-based IPTV using MBMS. 71g3A.4.1 Using MBMS security function for IMS-based IPTV-Service Protection . 71g3A.4.1.1 MBMS and BM-SC scope 71g3A.4.1.2 Functional entities in BM-SC and their matching to ETSI TISPAN 72g3A.4.1.2.1 Key Management Function . 73
24、g3ETSI ETSI TR 187 013 V3.1.1 (2011-02) 5A.4.1.2.2 Session and Transmission Function 73g3A.4.2 Using MBMS as IPTV R3 Protection Mechanism . 74g3A.4.2.1 General Overview . 74g3A.4.2.2 Service Protection Processes for ETSI TISPAN IMS-based IPTV R3 described in detail . 75g3A.5 GBA and ETSI TISPAN NGN
25、Architecture 79g3History 82g3ETSI ETSI TR 187 013 V3.1.1 (2011-02) 6Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-
26、members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/h
27、ome.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to t
28、he present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN). ETSI ETSI TR 187 013 V3.1.1 (2011-02) 71 Scope The present document presents the result of a study
29、 of options for the IPTV security architecture supporting TISPAN NGN Release 3 that satisfies the security requirements for IPTV given in TS 187 001 i.1. The present document offers the results of analysis of the options for security architecture and mechanisms to provide IPTV service protection whe
30、re service protection refers to the protection offered during the period when IPTV media is transmitted in the NGN. A security architecture for a general content protection framework to allow comparison of existing content protection solutions (e.g. DRM systems) is required for the NGN, but is not c
31、overed by the present document. Content protection includes the provision of post-delivery protection of IPTV media and may include controls to ensure that the user can only use the content in accordance with the license it has been granted, e.g. the times of the content can be viewed. NOTE: The fun
32、ctional architecture for IMS based IPTV without security entities conforms to TS 182 027 i.5. The functional architecture for dedicated IPTV subsystem without security entities conforms to TS 182 028 i.6. 2 References References are either specific (identified by date of publication and/or edition n
33、umber or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location
34、might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. 2.1 Normative references The following referenced documents are necessary for the application of the present doc
35、ument. Not applicable. 2.2 Informative references The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 ETSI TS 187 001: “Telecommunications and Internet Converged Services and Protocols
36、 for Advanced Networking (TISPAN); NGN SECurity (SEC); Requirements“. i.2 Void. i.3 ETSI TS 181 016: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Service Layer Requirements to integrate NGN Services and IPTV“. i.4 ETSI TS 187 003: “Telecommunica
37、tions and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Security Architecture“. i.5 ETSI TS 182 027: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); IPTV Architecture; IPTV functions supported by the IMS
38、subsystem“. i.6 ETSI TS 182 028: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN integrated IPTV subsystem Architecture“. ETSI ETSI TR 187 013 V3.1.1 (2011-02) 8i.7 ETSI TS 183 063: “Telecommunications and Internet converged Services and Protoc
39、ols for Advanced Networking (TISPAN); IMS-based IPTV stage 3 specification“. i.8 OMA-TS-BCAST-SvcCntProtection - v1-0: “Service and Content Protection for Mobile Broadcast Services“, version 1.0, Open Mobile Alliance. i.9 ETSI TS 103 197: “Digital Video Broadcasting (DVB); Head-end implementation of
40、 DVB SimulCrypt“. i.10 ETSI TS 133 246: “Security of Multimedia Broadcast/Multicast Service (MBMS) Release 8“. i.11 ETSI TS 133 220: “Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; Generic Authentication Architecture (GAA); Generic boot
41、strapping architecture (3GPP TS 33.220 Release 8)“. i.12 ETSI TS 123 246: “Universal Mobile Telecommunications System (UMTS); LTE; Multimedia Broadcast/Multicast Service (MBMS); Architecture and functional description (3GPP TS 23.246 Release 8)“. i.13 ETSI TS 126 237: “Universal Mobile Telecommunica
42、tions System (UMTS); LTE; IP Multimedia Subsystem (IMS) based Packet Switch Streaming (PSS) and Multimedia Broadcast/Multicast Service (MBMS) User Service; Protocols (3GPP TS 26.237 Release 8)“. i.14 OMA-AD-BCAST-v1-0: “Open Mobile Alliance: “Mobile Broadcast Services Architecture“. i.15 OIPF Releas
43、e 1 Specification “Authentication, Content Protection and Service Protection“, V1.1, 2009-10-08 (volume 7). i.16 Marlin Developer Community: “Marlin Broadband Transport Stream Specification“, Version 1.0.1, July 2008. i.17 Marlin Developer Community: “Marlin - Broadband Network Service Profile Speci
44、fication“, Version 1.0, July 2008. i.18 Marlin Developer Community: “Marlin - Core System Specification“, Version 1.3, latest Marlin Errata: Marlin Core System v1.3. i.19 Marlin Developer Community: “Marlin - File Formats Specification“, Version 1.1, and latest version of “Marlin Errata: Marlin - Fi
45、le Formats Specification V1.1“. i.20 Marlin Developer Community: “OMArlin Specification“, Version 1.0.1, July 2008. i.21 OASIS: “Assertions and Protocols for the OASIS Security Markup Language (SAML) V2.0“. i.22 OASIS: “Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0“. i.23 IET
46、F RFC 2617: “HTTP Authentication: Basic and Digest Access Authentication“. i.24 IEC 62455: “Internet protocol (IP) and transport stream (TS) based service access“. i.25 ISO/IEC 13818-1:2000/Amd.3:2004: “Generic coding of moving pictures and associated audio information: Systems“. i.26 ISO/IEC 15408-
47、2: “Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional requirements“. i.27 ITU-T Recommendation I.130: “Method for the characterization of telecommunication services supported by an ISDN and network capabilities of an ISDN“. i.28 Making b
48、etter standards. NOTE: See http:/portal.etsi.org/mbs/. i.29 ETSI TS 102 484: “Smart Cards; Secure channel between a UICC and an end-point terminal“. i.30 ETSI TS 133 110: “Universal Mobile Telecommunications System (UMTS); LTE; Key establishment between a UICC and a terminal (3GPP TS 33.110)“. ETSI
49、ETSI TR 187 013 V3.1.1 (2011-02) 9i.31 ETSI TS 133 221: “Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; Generic Authentication Architecture (GAA); Support for subscriber certificates (3GPP TS 33.221)“. i.32 IETF RFC 3310: “HTTP Digest Authentication Using AKA“. i.33 ETSI TS 133 102: “Universal Mobile Telecommunications System (UMTS); LTE; 3G security; Security architecture (3GPP TS 33.102)“. i.34 ETSI TS 131 103: “Digital cellular telecomm
