Multimedia Home Platform (MHP)

One of the most important documents on the future of digital television has recently been approved by the DVB Project. The work of the Multimedia Home Platform committee, it sets out a migration path to an open standards future which will allow the market the freedom to develop wide ranging innovative products.

The need for 'backward compatibility' is at the heart of the debate and the DVB Project, based at the EBU headquarters in Geneva, offers the right forum for industry experts to come up with the best technical for the commercial requirement. In the UK, the ITC are proposing to add support for the MHP standards as a requirement to licensees. None of this matters very much to the viewer who, today, just wants to watch television but for an industry beginning to come to grips with the issues of convergence, some quiet satisfaction is in order that they have managed to get the 'route map' in place.

More information from www.dvb.org (opens in new window).

Near Video on Demand

If you are anything like me, the one thing you can bank on is that BBC, ITV, Channel 4 and 5 for that matter, will start their feature films at an inconvenient time (to me). For example, Channel 4 features are a lost cause, because my mum told me most severely before I left home that I must be in bed by eleven. I try to use the video but I either forget to program it or it gets lost with all the others that I failed to label! So, if Saturday night viewing looks awful, we call by the video store on the way home from shopping. Thats good, because we can press the play button when we want to.

Using statistical multiplexing, it is possible to vary the datarate share between channels so that difficult pictures are given more bandwidth instantaneously and easy ones less.

Introduction

Security means different things to different people. To the programme distributor, security concerns the risk of pirating of valuable programme inventory; to the multiplex operator, security is the risk of a rogue application crashing the customer's boxes; to the customer, security is the risk of his or her credit card details being stolen during a transaction; to the merchant and bank, it is the risk of repudiation of a purchase. Security is multifaceted and complex; it is part technical and part legal, and requires commercial judgements to direct the technical aspects.
Security related to downloadable applications

For the downloadable applications, security covers the authentication of applications/data, their integrity and consequent certification. It is necessary to differentiate between the technical aspects and the policy aspects of the security model. In particular, the policy aspects have to address the way to handle authenticated applications vs non-authenticated applications.

• 
  Access to data in the box : some applications might be authorized to access some data while others are not authorized to do so. As an example, there is a possibility for an application to manage some memory space : save data and read data. Access to specific-application data is obviously subject to security policy : it is legitimate to think that only some applications will be authorized to access data owned by another application.
  
• 
  The broadcaster is responsible for the content he provides to the user. This means that when the user is currently watching a given service, It is legitimate that the broadcaster wishes to control what the user can access, without the service being disturbed by content being delivered by another content provider. Further, not being able to control such scenarios might possibly lead to legal issues in the future. The latter case more precisely refers to a secure signalling of application relationships (co-operative applications).
  

Another method for enforcing security is to use legal means, such as copyright laws, contracts between the participants in the broadcast chain, agreement between the broadcaster and the regulator, etc.

Authentication is provided by digitally signing the content. The signature verifies that the content has not been modified after signing it. The signature can be verified by the MHP terminal by using the certificates. The certificates contain a public key that is used for verifying the signature and information about who the signing party is. In order to ensure that the certificate has not been modified, it is again signed by a higher layer Certifying Authority. The topmost certificate in the hierarchy belongs to a so-called Root Certifying Authority. There can be any number of Root Certifying Authorities; however, the certificates of the Root Certifying Authorities need to be stored in the MHP terminal, to allow for verifying that they are valid.

• 
  the Root Certifying Authority only verifies that the information in the certificates about the party signing the content is accurate. This type of Root Certifying Authority does not take any measures of checking the content in any way, it only provides reliable information about who is the source of the content. Additionally, this is all subject to the trust the receiver has for the Root Certifying Authority. If the receiver can't trust the Root Certifying Authority to issue the certificates in the claimed manner, the receiver can not trust this information to be valid. Also, for this type of Root Certifying Authorities, the matter of if the receiver can trust the content source, even if reliably identified, is a totally separate decision.
  
• 
  the Root Certifying Authority verifies also the actual content somehow and issues the certificates only to content providers whose content fulfills some criteria. Different criteria can be e.g. that the content does not violate the end user's privacy and can be allowed to access some private information, or that the content does not make any expensive phone calls and can be allowed to use the return channel modem, etc. Again, this all is subject to the receiver trusting the Root Certifying Authority.
  

The receiver can use the authentication information for determining what kind of privileges are given to the application. The Java environment allows for very fine grained control of this. Possible choices are:

• 
  the application is not allowed to run at all. This is typically used for content that is signed by parties that the receiver considers hostile.
  
• 
  the application is run, but can only access a minimum set of resources and these can not harm the user in any way. This is typically used for content that is not signed at all, or is signed by a party who the receiver does not know whether to trust or not.
  
• 
  the application is run and has access to more resources, e.g. access to user's private information, the return channel, etc. There are many possibilities to define the exact access to individual resources based on the trust the receiver has for the signing party.
  

It should be noted that the authentication is useful only for protecting the receiver and/or the end user from possibly hostile applications; it does not provide technically viable mechanisms for any protection of the content in a unidirectional broadcast environment (this is provided by encryption which is completely separate from authentication).

There is a need to address the security on the return channel. Before to address the technical issues, some scenarios are needed. The main applications involving the return channel are, amongst others e-commerce or telebanking. It is worth noting that the security that we have to address here relates to the security of the content.

• 
  A transaction involves three distinct parties : the end-user, the merchant and the financial institution.
  
• 
  It is subject to a lot of legal aspects
  
• 
  There is a lot of existing protocols and technologies, which are different depending on various factors : Country, Bank consortia ...
  

Debit Card Payment techniques

The user simply communicates its card number and expiration date to the server in the clear. This mechanism is obviously the simplest one. However, it has the following drawbacks :

• 
  The merchant can debit the user with more than was due by the user
  
• 
  The information concerning the card can be eavesdropped.
  
• 
  The merchant has no warranty as to the solvency of the user.
  
• 
  The credit card does not allow for 'micro-payment'
  
• 
  The buyer can revoke the purchase within a certain limit in time.
  

Electronic Purse

To solve the problem of micro-payments, some companies have created systems enabling the user to store money in an Electronic Purse. In a E-Purse transaction, only the merchant server and the end-user are involved. No authentication server is involved here.
There a several technologies of electronic purse, amongst which CEPS (Common Electronic Purse Specifications), EEP (European Electronic Purse) and a lot more.
To reduce fraud risks, the following requirements should be fulfilled.

• 
  Authentication of the buyer
  
• 
  Authentication of the merchant
  
• 
  Integrity of data sent over the network
  
• 
  Security of the data sent across the network
  

Practically, there are two ways to make the transaction secure :

• 
  Encryption of the banking data sent over the network - software security. (the most classical tool - and de facto standard - used across the internet is SSL : Secure Socket Layer).
  
• 
  Use of the smartcard. Harware security. Usually the smartcard takes care itself to authenticate the user (through the PinCode) and the overall security of the on-line transaction mechanisms is subject to an strict agreement by Bank consortia.
  

SET

There are a lot of chip-card technologies specified by different Bank Consortia in the various countries. Examples of these are BO' in France, WG10 or TIBC in Spain. These technologies specify application protocols on top of ISO 7816 for debit transactions, or Electronic Purse Transactions. Data to be sent to the merchant server depend on the chip-card technology.

The aim of this paper is to give a very brief overview of some of the existing technologies, that are sometimes orthogonal to each other. The requirements for secure electronic transactions can be found in the SET specifications. The acceptance of the SET standard is not know yet, nor is known the impact of this technology on STB implementations. SET is not incompatible with the future chip-card international standard EMV. It is not clear however how these technologies will be merged. SSL is a widely-accepted tool enabling to have a 'secure pipe' between a client and a Server. This is at the moment the tool that is the most often used tool for transaction services on Internet.

Introduction

The DVB has prepared a specification for Sl to accompany broadcast DVB signals, intended to assist the receiver/decoder and the viewer to navigate through the array of services offered. (ETSI draft standard prETS 300 468 and associated Guidelines Document ETR 211.)
The data necessary for a receiver/decoder to configure itself automatically to decode the received bitstream is included in the Program Specific Information (PSI) which is specified by the MPEG-2 systems standard (ISO/IEC 13818-1). The DVB-SI specifies additional data which complements the PSI by providing data to aid automatic tuning of receiver/decoders and additional information intended for display to the user.
The DVB-SI describes the technical attributes of each service offered by a broadcaster and delivers information about present and future programme events which can be used to generate a simple ("Level-1") EPG in the receiver/decoder. It is based on a set of four mandatory data tables plus a series of optional tables. Each table contains descriptors outlining the characteristics of the programme services/programme events being described.
The four mandatory Sl tables are:
NIT The Network Information Table describes the delivery system parameters of a multiplex. The NIT for the actual delivery system currently delivering the transport stream is mandatory; it is also possible to send NlTs for other multiplexes and these are optional. In the terrestrial situation, we propose the use of NIT_other in two different ways:

• 
  to give information about other multiplexes transmitted from the same site (NIT_other_local).
  
• 
  to give information about the same multiplex transmitted from other sites, which may be receivable in overlap areas (NIT_other_global).
  

Networks are assigned individual network_id values which serve as unique identification codes for networks. Each NIT_actual must list:

• 
  Network_ID (ie the current network)
  
• 
  Original_Network_ID
  
• 
  Transport_Stream_ID
  
• 
  for I = 1 to n : Service_ID
  

NITs may contain the tuning information that can be used during the set-up of a receiver/decoder, including alternative frequencies for each unique multiplex.

(a) Digital terrestrial television is fundamentally different to satellite in the large number of transmitters in a network. The SI received by the IRD has to take account of widespread overlap area conditions, such that an individual receive aerial installation may well offer a choice of frequencies for a network, which may or may not contain regional variations. It thus seems desirable for the SI for a particular main station to include information about adjoining regions which may be receivable by a particular aerial installation. In the design of the SI system, there is the twin risk of either not providing pointers to available multiplexes, or of pointing to multiplexes which are not available. The only solution is for the IRD to correlate SI information with its own local knowledge of available digital services derived during installation.

In course of preparation.

COFDM

Estimates use a 1km sq grid. The figures quoted are the populations within grid squares where it is predicted that at least 90% of viewers will be served.

To take advantage of OFDMs capability for single frequency networks, the DVB originally defined a system using 8,000 carriers, the so-called 8k system. However, there were concerns about the additional complexity of an 8k system, so DVB allowed the use of 2000 carriers (2k) as an alternative for early implementation and the ITC have specified 2k carriers in their requirements for digital terrestrial in the UK. 2k gives very restricted capability for single frequency networks but, in the UK, the plan is to use 81 of the existing main transmitter sites such that a s.f.n. would not have been appropriate. In the event, it now appears that most STB / receiver implementations will offer 2k / 8k switchable, such that a single implementation can be used across Europe.

Within COFDM transmission, there are a number of parameters that directly affect the datarate of the signal. The method of modulation (QPSK, 16QAM, 64QAM), the code rate and the guard interval can be varied to achieve an optimum compromise between datarate and robustness of signal. QPSK is most robust but achieves datarates only up to 10.6Mb/sec., 16QAM can achieve a maximum of 21Mb/sec and with 64 QAM, over 30Mb/sec can be achieved but with increased liability to interference.

The failure point figures are approx 3db above the theoretical figures given in prETS 300 744 but have still to be confirmed by field trials. The coresponding coverage figures are as follows:

So, moving to 64QAM increases the possible datarate to 24Mb/sec but reduces the predicted service areas by a significant amount. There is concern, too, that the coverage may become patchy and unpredictable with 64QAM, giving problems to retailers at the sharp end of selling receivers.

A word is in order on how population coverage predictions are made and what they mean. The steps in the process are as follows:

Coverage predictions use a standard ITU defined aerial which has a 15dB front-to-back ratio. Thus, whilst signal strength on a set-top aerial will be considerably worse (How much?) it is also possible to install a significantly better aerial (how much) in cases of marginal reception prediction. Digital reception is calculated to be largely interference limited, so a more directional aerial will be of more help than a head-amp.

One of the most difficult issues to deal with in the development of an API for digital television is the provision of a web browser for internet surfing. It is difficult for several reasons:

• 
  The viewing experience is different, with the majority of viewers sitting on the other side of the romm to the screen (the so-called "lean back" environment) and an interlaced scan display. This significantly limits the amount of content that can be displayed on a single screen.
  
• 
  Also, the client software must be tiny by pc standards. A set-top box API normally runs in 2 + 2 (Mbytes of flash and RAM memory). 4 + 4 is a luxury.
  
• 
  Internet protocols are immature. The language is evolving at a stunning rate and to manage that rate of change in a set-top box environment would be unthinkable.
  

Up till now, the approach has been to implement the so-called 'walled garden' environment, where the user logs onto a special ISP (internet service provider), whose server translates requested content on-the-fly to make it suitable for the set-top box. WebTV was the first example of this approach. This solves all three problems in one go - upgrades can be performed on the broadcaster's server without any change to the viewer's box - and it also has the advantage (?) of locking the viewer onto the broadcaster host. However, this is not the only model and many take the view that the set-top box browser should have the same freedoms as the pc. So the quest is on for a micro-browser without the bloatware of pc browsers.