A Flexible and Scalable Architecture for Over-the-Air Credentials Provisioning (2020)

By Alexander Medvinsky, Dr. Tat Chan, Dr. Xin Qiu & Jason Pasion, CommScope

During its lifetime, a device may need to be updated for a variety of reasons. New network access mechanisms or new types of applications and services may be introduced. This can mean that new device digital identities will need to be installed in already deployed devices to enable such new use cases.

Examples of new digital identities include DRM or conditional access credentials for new sources of content, IoT device certificates, and credentials for a new copy protection interface such as DTCPv1, DTCPv2, HDCP 1.x or HDCP 2.x.

Provisioning of credentials into devices already connected to the Internet and deployed to individual subscriber homes cannot rely on network or perimeter security. Even when devices are in an enterprise network or in a network operator's domain, it is still prudent to deploy "defense in depth" by providing end-to-end authentication and encryption all the way to the target device, in addition to any perimeter security such as firewalls, IP address filtering and port mapping. Each device and each credentials provisioning server needs a well-secured root of trust, and credential delivery must be secured end-to-end and protected against a variety of network-based attacks.

A provisioning system handling different types of credentials has to support a variety of authorization models for different network operators and content providers. Different authorization interfaces are used to validate that the device being provisioned is legitimate and that it belongs to a subscriber who is authorized to receive the new credentials.
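The end-to-end protection described two paragraphs above and the authorization check described in the paragraph just above, as an added Go example. This is not code from the paper or from CommScope's OPUS, whose actual message formats, key hierarchy and authorization interfaces the abstract does not describe. It assumes a device whose root of trust is a factory-provisioned P-256 ECDH key, a provisioning server with a P-256 ECDSA signing key that is pinned in the device, raw keys in place of certificate chains, SHA-256 as a stand-in key derivation function, and a constructed authorization rule (device "STB-0001" may receive only "hdcp2" credentials) in place of an operator's authorization back end. The server encrypts the credential so that only the registered device key can open it and signs the bundle; the device rejects anything not signed by the pinned key or not addressed to it, and AES-GCM rejects any tampering with the ciphertext, so none of the protection depends on firewalls or address filtering along the path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device keeps a factory-provisioned ECDH key (its root of trust) and the pinned server signing
// key. Server keeps its signing key, a registry of device public keys and an authorization hook
// that stands in for an operator's or content provider's authorization interface (assumed here).
type Device struct {
	ID        string
	idKey     *ecdh.PrivateKey
	serverPub *ecdsa.PublicKey
}
type Server struct {
	signKey   *ecdsa.PrivateKey
	registry  map[string]*ecdh.PublicKey
	authorize func(deviceID, credType string) bool
}
type Bundle struct {
	DeviceID, CredType        string
	EphPub, Nonce, Ciphertext []byte // server ephemeral ECDH key, GCM nonce, AES-GCM output
	Sig                       []byte // ECDSA (ASN.1) over every field above
}

// digest hashes netstring-framed parts so adjacent fields cannot be confused with each other.
func digest(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		fmt.Fprintf(h, "%d:%s", len(p), p)
	}
	return h.Sum(nil)
}

func (b *Bundle) signedBytes() []byte {
	return digest([]byte(b.DeviceID), []byte(b.CredType), b.EphPub, b.Nonce, b.Ciphertext)
}

// wrapKey runs ECDH against the peer's encoded public key and derives a per-bundle AES-256-GCM key
// bound to the server ephemeral key and the device ID (SHA-256 stands in for a real KDF here).
func wrapKey(priv *ecdh.PrivateKey, peer, ephPub []byte, deviceID string) (cipher.AEAD, error) {
	pub, err := ecdh.P256().NewPublicKey(peer) // rejects malformed or off-curve points
	if err != nil { return nil, err }
	secret, _ := priv.ECDH(pub) // both keys are P-256, so this cannot fail
	block, _ := aes.NewCipher(digest([]byte("opus-example-kdf"), secret, ephPub, []byte(deviceID)))
	return cipher.NewGCM(block)
}

// Provision refuses unknown or unauthorized devices, then encrypts to the device and signs.
func (s *Server) Provision(deviceID, credType string, credential []byte) (*Bundle, error) {
	devPub, ok := s.registry[deviceID]
	if !ok || !s.authorize(deviceID, credType) {
		return nil, fmt.Errorf("%s is unknown or not authorized for %s", deviceID, credType)
	}
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	gcm, err := wrapKey(eph, devPub.Bytes(), eph.PublicKey().Bytes(), deviceID)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	b := &Bundle{DeviceID: deviceID, CredType: credType, EphPub: eph.PublicKey().Bytes(), Nonce: nonce}
	b.Ciphertext = gcm.Seal(nil, nonce, credential, []byte(deviceID+"|"+credType)) // AAD binds both
	b.Sig, err = ecdsa.SignASN1(rand.Reader, s.signKey, b.signedBytes())
	return b, err
}

// Install rejects a bundle not addressed to this device or not signed by the pinned server key,
// then decrypts; GCM authentication catches any tampering with nonce, ciphertext or labels.
func (d *Device) Install(b *Bundle) ([]byte, error) {
	if b.DeviceID != d.ID || !ecdsa.VerifyASN1(d.serverPub, b.signedBytes(), b.Sig) {
		return nil, fmt.Errorf("bundle rejected: wrong device or invalid server signature")
	}
	gcm, err := wrapKey(d.idKey, b.EphPub, b.EphPub, d.ID)
	if err != nil { return nil, err }
	return gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(d.ID+"|"+b.CredType))
}

// Setup builds one constructed device and server; the rule "STB-0001 may receive only hdcp2
// credentials" is a stand-in for an operator's subscriber authorization back end.
func Setup() (*Device, *Server) {
	devKey, _ := ecdh.P256().GenerateKey(rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dev := &Device{ID: "STB-0001", idKey: devKey, serverPub: &srvKey.PublicKey}
	srv := &Server{signKey: srvKey, registry: map[string]*ecdh.PublicKey{dev.ID: devKey.PublicKey()},
		authorize: func(id, ct string) bool { return id == "STB-0001" && ct == "hdcp2" }}
	return dev, srv
}

func main() {
	dev, srv := Setup()
	b, err := srv.Provision(dev.ID, "hdcp2", []byte("constructed HDCP 2.x credential blob"))
	if err != nil { panic(err) }
	fmt.Println(dev.Install(b))
}
```

Because the session key is derived from a fresh ephemeral key per bundle and the device ID and credential type are bound as associated data, a bundle captured in transit cannot be redirected to another device or relabelled as a different credential type, and a bundle with a forged or stripped server signature is refused before any decryption is attempted. A replayed bundle would still decrypt on the original device, so a production system would add a per-device counter or request nonce to the signed fields; that is deliberately left out of this example.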

A credentials provisioning system may require a high degree of scalability for large populations of subscribers of premium content or for IoT appliances. Millions of devices may need to be provisioned with new credentials in a relatively short period of time. The worst-case scalability scenario is probably when a DRM or conditional access system is compromised, and every subscriber requires a new set of credentials within a short time period.

This paper describes the architecture of the CommScope credentials provisioning system, the Online PKI Update System (OPUS), which has evolved over more than 10 years to handle a variety of operator-specific and DRM-specific requirements with reliability, flexibility and scalability in mind.

