Device Security Level Management
SSP lets partners define a single minimum security level (a.k.a. "minlevel") per piece of content. The level can be defined per OTT asset using the CLM Authorization token, or per DVB or OTT live channel using the IMS service. Both mechanisms allow a different minimum security level to be defined per track for OTT content.
1. Definition
The SSP minimum device security level is defined as follows:
Level | Description |
---|---|
0 | Test or integration devices |
1 | Device uses cryptography secured by software |
2 | Device uses cryptography secured by hardware |
3 | Device uses cryptography and decoding pipe secured by hardware |
4 | Device uses cryptography and decoding pipe secured by hardware and is certified |
2. Usage of the Security Level During License Acquisition
During the license acquisition, the SSP authorization process compares the DRM-specific security level found in the license request message to the minimum device security level defined for the content being accessed. The DRM-specific logic that is implemented is detailed in the following table:
Min level of the content | NAGRA CONNECT | SW-PRM | PlayReady | Widevine | FairPlay Streaming |
---|---|---|---|---|---|
0 | Granted if level is higher than or equal to 0 | Granted | Denied if level is between 0 and 149; granted if level is higher than 150 | Granted | Granted |
1 | Denied if level is between 0 and 0x999; granted if level is higher than or equal to 0x1000 | Denied if device is detected compromised; granted if device is not detected compromised | Denied if level is between 0 and 1999; granted if level is higher than or equal to 2000 | Granted if the device is using a production certificate with a security level | Granted |
2 | Denied if level is between 0 and 0x1999; granted if level is higher than or equal to 0x2000 | Denied | Denied if level is between 0 and 1999; granted if level is higher than or equal to 2000 | Denied if level is 3; granted if level is 1 or 2 | Granted |
3 | Denied if level is between 0 and 0x2999; granted if level is higher than or equal to 0x3000 | Denied | Denied if level is between 0 and 2999; granted if level is higher than or equal to 3000 | Denied if level is 2 or 3; granted if level is 1 | Granted |
4 | Denied if level is between 0 and 0x3999; granted if level is higher than or equal to 0x4000 | Denied | Denied | Denied | Denied |
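The decision table above expressed as a policy check, as an added example that is not SSP code: the function name, its parameters and the DRM keys are hypothetical. It assumes that a PlayReady level of exactly 150 is granted, that values falling between the documented ranges are denied, and that a request carrying no level is denied.

```python
# Added example (not SSP code): the section 2 decision table as a policy check.
# All names below are hypothetical.

DRMS = {"connect", "sw-prm", "playready", "widevine", "fairplay"}

# Lowest DRM-reported level that is granted, indexed by content minlevel 0..4.
CONNECT_FLOOR = [0x0, 0x1000, 0x2000, 0x3000, 0x4000]
# None = denied for every device. Assumption: exactly 150 is granted at minlevel 0.
PLAYREADY_FLOOR = [150, 2000, 2000, 3000, None]
# Widevine levels are inverted (1 is strongest): highest numeric level granted.
WIDEVINE_CEILING = {2: 2, 3: 1}


def is_granted(drm, minlevel, level=None, compromised=False, production_cert=False):
    """Return True if the table grants a license for this request."""
    if drm not in DRMS:
        raise ValueError("unknown DRM: %r" % drm)
    if minlevel not in range(5):
        raise ValueError("minlevel must be 0..4")

    if drm == "fairplay":
        return minlevel < 4
    if drm == "sw-prm":
        return minlevel == 0 or (minlevel == 1 and not compromised)
    if drm == "widevine" and minlevel == 0:
        return True  # granted unconditionally in the table

    if level is None:
        return False  # assumption: fail closed when no level is reported

    if drm == "connect":
        return level >= CONNECT_FLOOR[minlevel]
    if drm == "playready":
        floor = PLAYREADY_FLOOR[minlevel]
        return floor is not None and level >= floor
    # Widevine, minlevel 1..4
    if minlevel == 1:
        return production_cert  # production certificate carrying a level
    ceiling = WIDEVINE_CEILING.get(minlevel)  # minlevel 4 has no entry: denied
    return ceiling is not None and 1 <= level <= ceiling
```

Running the same request through each DRM column makes the asymmetries visible: only NAGRA CONNECT can satisfy minlevel 4, and a numerically higher Widevine level is a weaker device.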
3. Relation between the Security Level and the Secure Media Path
SSP and the NAGRA CONNECT Client let the service provider configure the activation of the secure media path for IPTV broadcast content by using the "secureMediaPath" parameter as defined here. The goal of this configuration is specifically to enable the support of legacy DVR or Home Domain technologies not compatible with secure media path.
For OTT content consumed with the NAGRA CONNECT Client, the behavior can be configured via a specific rule in the PRM usage rule profile; otherwise, it is controlled by the minimum security level defined to consume the content as follows:
Min level of the content | Secure Media Path (SMP) activation |
---|---|
0 | SMP can be activated |
1 | SMP can be activated |
2 | SMP can be activated |
3 | SMP activated and enforced |
4 | SMP activated and enforced |
The behavior is not configurable for OTT content consumed with PlayReady, Widevine or FairPlay Streaming.