A Security Solution Made for Hollywood


In today’s digital world, rights management has become a catch-all phrase covering everything from content authorization to signal security.

But digital rights management means different things to different people, and for many cable operators that deal with Hollywood’s content players, the phrase is a little too broad and imprecise.

In the burgeoning digital world, what Hollywood cares about vis-à-vis cable is protecting its content from hackers anywhere in the cable distribution chain.


But the encryption of single pieces of content — a two-hour movie, for example — throughout cable’s entire physical plant has not been a typical requirement for system operators. Historically, cable encryption technology has been linked to the transport systems of Motorola Inc. and Scientific-Atlanta Inc., and covered the entire cable “channel” lineup.

But given the amount of cable piracy that occurs to this day, and the proliferation of video-on-demand, current security measures are not enough for Hollywood, sources said — especially as cable operators harbor dreams of getting better access windows, or even windows that coincide day-and-date with home video.

It would be relatively easy for someone to hack into a cable Internet-protocol network that is transporting hit Hollywood movies to various VOD servers, sources said.

The answer to the threat, according to executives at Widevine Technologies, is “persistent encryption,” in which its Cypher Virtual SmartCard keeps the video and audio portions of an MPEG-2 (Moving Picture Experts Group) VOD programming stream encrypted from server to set-top box.

Virtual SmartCard is a software-based encryption technology that functions like a physical smart card, said Widevine president and CEO Brian Baker. Under Widevine’s scenario, operators would encrypt valuable content — hit movies — before they’re stored on a VOD server. The movie’s trick-play modes and metadata would remain in the clear, Baker said. Only the actual video and audio from the movie would be encrypted.

If a consumer ordered a movie, a message would be sent out from the cable system’s subscriber-management system to the server, authorizing the movie to be sent. Half of the encryption keys to unlock the movie would be sent to the home within the stream.

The other half of the “keys” would be sent from a separate server in a separate transport stream to the home. “The keys, themselves, are encrypted,” said Baker. The two sets of keys would link up in the set-top box and authorize viewing of the movie.
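A minimal sketch of the flow described above, added here as an illustration and not Widevine's code: only the audio and video packets of a transport stream are encrypted, and the content key is rebuilt from two shares that travel separately. The XOR key split, the PID values, and the SHA-256 keystream (a stand-in for AES-128, which Python's standard library lacks) are all assumptions.

```python
import hashlib
import secrets

TS_PACKET = 188                  # MPEG-2 transport stream packet size
PROTECTED_PIDS = {0x100, 0x101}  # constructed video and audio PIDs

def split_key(key):
    """Assumed 2-of-2 XOR split; one share alone says nothing about the key."""
    in_stream = secrets.token_bytes(len(key))
    separate = bytes(k ^ s for k, s in zip(key, in_stream))
    return in_stream, separate

def join_key(share_a, share_b):
    """What the set-top does once both shares have arrived."""
    return bytes(a ^ b for a, b in zip(share_a, share_b))

def keystream(key, packet_no, length):
    """Stand-in for AES-128 counter mode (no AES in the standard library)."""
    out, block = b"", 0
    while len(out) < length:
        seed = key + packet_no.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:length]

def crypt_stream(ts, key):
    """XOR the payload of protected PIDs only; the same call decrypts."""
    out = bytearray()
    for off in range(0, len(ts), TS_PACKET):
        pkt = ts[off:off + TS_PACKET]
        if len(pkt) != TS_PACKET or pkt[0] != 0x47:
            raise ValueError("not aligned on a transport stream packet")
        pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
        if pid in PROTECTED_PIDS:
            ks = keystream(key, off // TS_PACKET, TS_PACKET - 4)
            pkt = pkt[:4] + bytes(p ^ k for p, k in zip(pkt[4:], ks))
        out += pkt
    return bytes(out)

def make_packet(pid, fill):
    """Constructed packet: 4-byte header, payload only, no adaptation field."""
    header = bytes([0x47, (pid >> 8) & 0x1F, pid & 0xFF, 0x10])
    return header + bytes([fill]) * (TS_PACKET - 4)

def sample_stream():
    """Constructed input: PAT (PID 0), video, audio, and a metadata PID."""
    return b"".join(make_packet(p, f) for p, f in
                    [(0x000, 0xAA), (0x100, 0x11), (0x101, 0x22), (0x1F0, 0x33)])
```

Running `crypt_stream(sample_stream(), key)` leaves the PAT and metadata packets byte-for-byte unchanged, and decrypting with only one of the two shares does not recover the original stream.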


There are only two problems with that scenario today. First, nearly all cable systems have not decoupled the conditional access security elements in their networks.

There is some movement to open up cable’s networks. Cablevision Systems Corp. is running a separate NDS Group plc conditional-access system in its Sony Corp. boxes. And Comcast Corp. has announced the successful completion of a trial with Sony Passage, which would allow a cable system to decouple the conditional access portion of its network from the underlying system.

For Widevine to work, it would require operators to decouple security technology from the network, by using, for instance, Sony’s Passage technology.

“They [the MSOs] need an encryption technology that is agnostic,” said Widevine senior vice president of marketing and sales John Hoskins.

The second hiccup comes from Widevine’s Virtual SmartCard, which is an AES 128-bit encryption data stream. Most of Motorola Inc.’s or Scientific-Atlanta Inc.’s 2000-level set-tops couldn’t handle a bit rate that high, Hoskins said.

But more advanced set-top models, like Motorola’s 5000 platform and S-A’s 4200 and 8000 Explorer series, could accommodate such speeds, Baker said.

So Widevine’s sweet spot may be several years in coming, as operators migrate to all-digital networks — or at least to Sony Passage — and also deploy more high-level set-tops for HDTV and DVR.

But armed with $40 million in funding, plus revenues from several Internet-protocol television deployments with overseas telcos, Widevine can afford to be somewhat patient.

At the same time, Baker said there is increasing interest among cable companies in what Widevine can do for them.

Formed five years ago, Widevine has spent most of its time since 1999 meeting with cable operators and Hollywood studios, trying to bridge the gap between the two groups on security issues.

It’s had some help from its venture capital partners, including Constellation Ventures, a Bear Stearns Asset Management venture-capital fund. NBC, Viacom Inc., Sony, Time Warner Cable and Vivendi Universal S.A. are among the companies that have helped to fund either Constellation or other VC funds that have backed Widevine. That’s led to regular meetings with content players over the years, and a better understanding of what’s critical to Hollywood as well as MSOs, Baker said.

For instance, MSOs want more timely VOD windows, but until Hollywood is satisfied that adequate security is in place — not to mention marketing might — day-and-date releases remain tough to negotiate.

At the same time, MSOs don’t want to agree to security measures that place content owners in the driver’s seat.

Widevine believes its software can create a bridge between the two groups. “We’re designing a product that meets both their needs,” Baker said.

One benefit of the Virtual SmartCard, Baker said, is that software updates can be pushed from the headend. Physical smart cards, which are used in the DBS space, can be vulnerable to hackers. (Physical smart cards are also the road cable is walking down with its one-way and two-way plug-and-play deals.)

If a system is cracked, DBS suppliers have to produce new smart cards and send them out, a process that is both costly and time-consuming.

The company also believes it can address the legacy set-top issue by assuring Hollywood that its “persistent encryption” software would extend to edge quadrature amplitude modulation (QAM) devices for legacy set-tops, like the DCT 2000 and Explorer 2200 series. That would ensure that movies which flow through the IP backbone would still be “persistently encrypted” down to the QAM, where Widevine software would decrypt the content headed for 2000 and 2200 series boxes. If a movie were ordered from a DCT 5000 or Explorer 8000 box, it would remain encrypted all the way to the set-top.

Widevine’s software also extends to the content within set-tops, including DVRs. Baker said that prevents someone from sending content from a DVR to the public Internet for file-sharing purposes.