During its lifetime, a device may need to be updated for a variety of reasons. New network access mechanisms or new types of applications and services may be introduced. This can mean that new device digital identities will need to be installed in already deployed devices to enable such new use cases.
Examples of new digital identities include new DRM or conditional access credentials for new sources of content, IoT device certificates, and credentials for a new copy protection interface such as DTCPv1, DTCPv2, HDCP 1.x or HDCP 2.x.
Provisioning of credentials into devices already connected to the Internet and deployed to individual subscriber homes cannot rely on network or perimeter security. Even when devices are in an enterprise network or in a network operator’s domain, it is still prudent to deploy “defense in depth” by providing end-to-end authentication and encryption all the way to the target device, in addition to any perimeter security such as firewalls, IP address filtering and port mapping. Each device and each credentials provisioning server needs a well-secured root of trust, and delivery of credentials must be secured end-to-end and protected against a variety of network-based attacks.
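The following is an added illustration of the end-to-end property described above; it is example code written for this page, not part of OPUS or any CommScope implementation. It assumes a simplified trust model: the device holds a pinned provisioning-root ECDSA public key installed at manufacture, and the device has its own X25519 key pair. The server encrypts the credential to the device key (AES-GCM under a key derived from the ECDH shared secret), binds the package to the target device ID, and signs the whole package with the root key. The device accepts the credential only if the signature chains to its pinned root, the package is addressed to it, and decryption authenticates. The key derivation (a SHA-256 over the shared secret and a context string) is a deliberately simple placeholder for a proper KDF, and all identifiers and the credential bytes are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is one provisioning message: the credential is encrypted to the
// target device's X25519 key and the whole package is signed by the
// provisioning root key that the device has pinned.
type Package struct {
	DeviceID     string
	ServerEphPub []byte // server's ephemeral X25519 public key
	Nonce        []byte
	Ciphertext   []byte // AES-GCM ciphertext of the credential
	Signature    []byte // ASN.1 ECDSA signature over digest()
}

// digest covers every field the device relies on, so none can be swapped in transit.
func (p *Package) digest() []byte {
	h := sha256.New()
	h.Write([]byte(p.DeviceID))
	h.Write(p.ServerEphPub)
	h.Write(p.Nonce)
	h.Write(p.Ciphertext)
	return h.Sum(nil)
}

// deriveKey is a stand-in KDF (assumption for this example): hash the ECDH
// shared secret with a context string that includes the device ID.
func deriveKey(shared []byte, deviceID string) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write([]byte("example-credential-key:" + deviceID))
	return h.Sum(nil)
}

// BuildPackage runs on the provisioning server.
func BuildPackage(root *ecdsa.PrivateKey, deviceID string, devicePub *ecdh.PublicKey, credential []byte) (*Package, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(devicePub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared, deviceID))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	p := &Package{
		DeviceID:     deviceID,
		ServerEphPub: eph.PublicKey().Bytes(),
		Nonce:        nonce,
		Ciphertext:   gcm.Seal(nil, nonce, credential, []byte(deviceID)),
	}
	sig, err := ecdsa.SignASN1(rand.Reader, root, p.digest())
	if err != nil {
		return nil, err
	}
	p.Signature = sig
	return p, nil
}

// OpenPackage runs on the device: verify against the pinned root first, then
// check the package is addressed to this device, then decrypt.
func OpenPackage(pinnedRoot *ecdsa.PublicKey, myID string, myKey *ecdh.PrivateKey, p *Package) ([]byte, error) {
	if !ecdsa.VerifyASN1(pinnedRoot, p.digest(), p.Signature) {
		return nil, errors.New("signature does not verify against pinned provisioning root")
	}
	if p.DeviceID != myID {
		return nil, errors.New("package is addressed to a different device")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(p.ServerEphPub)
	if err != nil {
		return nil, err
	}
	shared, err := myKey.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared, myID))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, p.Nonce, p.Ciphertext, []byte(myID))
}

func main() {
	// Constructed sample keys and credential for a stand-alone run.
	root, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dev, _ := ecdh.X25519().GenerateKey(rand.Reader)
	cred := []byte("constructed sample credential")
	p, _ := BuildPackage(root, "STB-0001", dev.PublicKey(), cred)
	got, err := OpenPackage(&root.PublicKey, "STB-0001", dev, p)
	fmt.Println(bytes.Equal(got, cred), err)
}
```

A perimeter compromise (a rogue host inside the operator network replaying or rewriting packages) gets the device nothing here: a package signed by any key other than the pinned root, a package addressed to another device, or a ciphertext modified in flight is rejected before any credential is installed.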
A provisioning system handling different types of credentials has to support a variety of authorization models for different network operators and content providers. Different authorization interfaces are utilized to validate that a legitimate authorized device is being provisioned and that it belongs to a legitimate subscriber authorized for new credentials.
A credentials provisioning system may require a high degree of scalability for large populations of subscribers of premium content or for IoT appliances. Millions of devices may need to be provisioned with new credentials in a relatively short period of time. The worst-case scalability scenario is probably when a DRM or conditional access system is compromised, and every subscriber requires a new set of credentials within a short time period.
This paper describes the architecture of the CommScope credentials provisioning system called Online PKI Update System (OPUS), which has evolved over 10+ years to handle a variety of operator-specific and DRM-specific requirements with reliability, flexibility and scalability in mind.