A Flexible and Scalable Architecture for Over-the-Air Credentials Provisioning (2020)

By Alexander Medvinsky, Dr. Tat Chan, Dr. Xin Qiu & Jason Pasion, CommScope

During its lifetime, a device may need to be updated for a variety of reasons. New network access mechanisms or new types of applications and services may be introduced. This can mean that new device digital identities will need to be installed in already deployed devices to enable such new use cases.

Examples of new digital identities include new DRM or conditional access credentials for new sources of content, IoT device certificates, and credentials for a new copy protection interface such as DTCPv1, DTCPv2, HDCP 1.x or HDCP 2.x.

Provisioning of credentials into devices already connected to the Internet and deployed to individual subscriber homes cannot rely on network or perimeter security. Even when devices are in an enterprise network or in a network operator’s domain, it is still prudent to deploy “defense in depth” by providing end-to-end authentication and encryption all the way to the target device, in addition to any perimeter security such as firewalls, IP address filtering and port mapping. Each device and each credentials provisioning server needs a well-secured root of trust, and delivery of credentials should be secured end-to-end and protected against a variety of network-based attacks.

A provisioning system handling different types of credentials has to support a variety of authorization models for different network operators and content providers. Different authorization interfaces are utilized to validate that a legitimate authorized device is being provisioned and that it belongs to a legitimate subscriber authorized for new credentials.

A credentials provisioning system may require a high degree of scalability for large populations of subscribers of premium content or for IoT appliances. Millions of devices may need to be provisioned with new credentials in a relatively short period of time. The worst-case scalability scenario is probably when a DRM or conditional access system is compromised, and every subscriber requires a new set of credentials within a short time period.

This paper describes the architecture of the CommScope credentials provisioning system called Online PKI Update System (OPUS), which has evolved over 10+ years to handle a variety of operator-specific and DRM-specific requirements with reliability, flexibility and scalability in mind.
