SLIDE 1
Measuring Performance Overhead of Trans-encrypting HTTP Adaptive Streaming
Abe Wiersma BSc. July 4, 2017
University of Amsterdam TNO Media-lab
Introduction
Problem Major leaks of blockbuster titles.
1
Measuring Performance Overhead of Trans-encrypting HTTP Adaptive - - PowerPoint PPT Presentation
Measuring Performance Overhead of Trans-encrypting HTTP Adaptive - - PowerPoint PPT Presentation
Measuring Performance Overhead of Trans-encrypting HTTP Adaptive Streaming Abe Wiersma BSc. July 4, 2017 University of Amsterdam TNO Media-lab Introduction Problem Major leaks of blockbuster titles. 1 Introduction Problem Major leaks of
SLIDE 2
SLIDE 3
Introduction
Problem Major leaks of blockbuster titles.
2
SLIDE 4
Introduction
Problem Major leaks of blockbuster titles.
- Push to better secure DRM pipeline.
3
SLIDE 5
Introduction
Problem Major leaks of blockbuster titles.
- Push to better secure DRM pipeline.
Solution Testing trans-encryption as an alternate form of encryption for the DRM pipeline.
3
SLIDE 6
Research question
- What is the performance overhead of doing a trans-encryption step for HTTP Adaptive
Streaming.
- How can available hardware efficiently be used to trans-encrypt content.
4
SLIDE 7
Background
SLIDE 8
HTTP Adaptive streaming
- Segment(ed/able) video.
- Manifest
- Four flavours:
- Microsoft HTTP Smooth Streaming (HSS)
- Adobe HTTP Dynamic Streaming (HDS)
- Apple HTTP Live Streaming (HLS)
- MPEG Dynamic Adaptive Streaming over HTTP (DASH)
- Traditional HTTP client/server architecture.
5
SLIDE 9
HTTP Adaptive streaming
Server
Diagram showing simplified content preparation for HTTP Adaptive Streaming.
6
SLIDE 10
HTTP Adaptive streaming
Client
time
Low bitrate Medium bitrate High bitrate Network Congestion
Available Bandwidth
Diagram showing simplified adaptive algorithm for HTTP Adaptive Streaming.
7
SLIDE 11
Digital Rights Management
Components
- 1. Common Encryption Scheme (CENC)
- AES-128 Cipher Block Chaining (CBC)
- AES-128 Counter (CTR)
8
SLIDE 12
Digital Rights Management
Components
- 1. Common Encryption Scheme (CENC)
- AES-128 Cipher Block Chaining (CBC)
- AES-128 Counter (CTR)
- 2. Browser
8
SLIDE 13
Digital Rights Management
Components
- 1. Common Encryption Scheme (CENC)
- AES-128 Cipher Block Chaining (CBC)
- AES-128 Counter (CTR)
- 2. Browser
- 3. DRM Systems & License Servers
- Google Widevine
- Microsoft Playready
- Apple Fairplay
- Adobe Primetime
- Others (OSS also)
8
SLIDE 14
Digital Rights Management
Intermission
- 1. Common Encryption Scheme (CENC)
- AES-128 Cipher Block Chaining (CBC)
- AES-128 Counter (CTR)
- 2. Browser
- 3. DRM Systems & License Servers
- Google Widevine
- Microsoft Playready
- Apple Fairplay
- Adobe Primetime
- Other (OSS also)
9
SLIDE 15
Digital Rights Management
Components
- 1. Common Encryption Scheme (CENC)
- AES-128 Cipher Block Chaining (CBC)
- AES-128 Counter (CTR)
- 2. Browser
- 3. DRM Systems & License Servers
- Google Widevine
- Microsoft Playready
- Apple Fairplay
- Adobe Primetime
- Others
- 4. Encrypted Media Extensions (EME)
10
SLIDE 16
Digital Rights Management
Components
- 1. Common Encryption Scheme (CENC)
- AES-128 Cipher Block Chaining (CBC)
- AES-128 Counter (CTR)
- 2. Browser
- 3. DRM Systems & License Servers
- Google Widevine
- Microsoft Playready
- Apple Fairplay
- Adobe Primetime
- Others
- 4. Encrypted Media Extensions (EME)
- 5. Content Decryption Module (CDM)
10
SLIDE 17
Approach
SLIDE 18
Split-key cryptosystem
Theory
11
SLIDE 19
Split-key cryptosystem
Theory
Trans-encryption1
- RSA
- One time path
- LFSR stream cipher
- ElGamal
- Damgard-Jurik
1As per patent: Secure distribution of content.
12
SLIDE 20
Split-key cryptosystem
Theory
Trans-encryption2
- RSA - Widely standardized.
- One time path - Keysize increases with 100% keysize per trans-encryption.
- LFSR stream cipher - A number of insecure applications..
- ElGamal - Similar performance, hangs on discrete log, less standardized.
- Damgard-Jurik - No notable implementations.
2As per patent: Secure distribution of content.
13
SLIDE 21
Split-key cryptosystem
RSA
E(X) = X e (mod n) D(X) = X d (mod n)
14
SLIDE 22
Split-key cryptosystem
Implementation
RSA
- Generate Pair 1 (Public & Private)
- Create Pair 2 (same mod) and Combined pair (Pair 1 × Pair 2)
- Encrypt (Pair 1/Combined)
- Trans-encrypt (Encryption/Decryption 1)
- Client-decrypt (Decryption combined/Decryption 2)
15
SLIDE 23
Split-key cryptosystem
Implementation
RSA-2048
- openssl genrsa
- C rsa create combined
- Python encrypt.py + C rsa encrypt
- C rsa trans/rsa trans dec
- C rsa client decrypt
16
SLIDE 24
HTTP server
Japronto?
Requirements
- Low overhead
- Simple
- Fast
- Free? (Opensourced)
Solution Japronto
17
SLIDE 25
HTTP server
Japronto!
A graph by the author squeaky-pl showing the performance of japronto.
18
SLIDE 26
Experimental Set-up
A diagram showing the experimental set-up.
19
SLIDE 27
Results
SLIDE 28
Results
1 10 100 1000 concurrent connections 0MB/s 1MB/s 10MB/s 100MB/s 1000MB/s Mean throughput MB/s (log scale higher is better) (24.51) (111.47) (75.04) (21.73) (8.83) (33.69) (27.76) (14.5) (0.35) (1.04) (0.65) (0.17) Throughput for HTTP Adaptive Segments
Passthrough MB/s AES re-encryption MB/s RSA trans-encryption (encryption) MB/s RSA trans-encryption (decryption) MB/s
Required throughput for H.264 1080p streams 1Gbit/s - Link Speed 20
SLIDE 29
Conclusion
SLIDE 30
Conclusion
Conclusion Server-side trans-encryption with the public exponent is possible Drawback Client-side decryption will prove tough on the performance
21
SLIDE 31
Future work
SLIDE 32
Future work
Future work Possibly implement a decrypting client.
22
SLIDE 33
Questions?
22
SLIDE 34
A graph showing factorization efforts.3
23