In-home authorisation
Summary
DRM systems, such as NAGRA's PRM system, can enable premium content to be distributed around the home by providing a mechanism to secure it.
When using NAGRA PRM, the content must first be captured by an STB that uses NAGRA On-Chip Security (NOCS). This could be a "traditional" PVR STB, or a Gateway STB. The Gateway STB differs from a traditional PVR STB in that it includes a mechanism to make available, distribute, and if needed, transcode content. Doing this requires additional hardware, such as additional tuners.
A Gateway STB includes DLNA DMS capabilities, which means its content can be browsed from other DLNA DMP-compatible open devices. This guide does not describe the DLNA specification or how to make use of the DLNA functionality provided by the device.
Three main use cases are available with NAGRA PRM:
- Content stored on external storage hardware recorded on one STB and played on another.
- Content streaming from the gateway to another STB.
- Content streaming from the gateway to an open device.
OpenTV Platform services are required to authorise the requests to retrieve the licenses required to enable these use cases.
Use cases
Playing back content recorded on an external storage device on another STB
PVR or Gateway STBs can provide the ability to record content on an external storage device, such as an external hard disk. This can be beneficial for several reasons:
- Allows the operator to add PVR capability to a device that does not include an internal storage device, thereby reducing initial cost for both operator and customer.
- Allows the customer to increase the storage capacity of their PVR.
- Allows the customer to move content from one device to another. This can be useful if the original PVR develops a fault and the customer wants to move their recordings to a new PVR.
The third of these, moving content from one device to another, requires a license to play back the encrypted content on the second device. In this case, recordings are first persisted to disk as usual by the STB. This means decrypting the original broadcast stream and re-encrypting it to disk using a content key generated by the STB's PRM DVL (DVR VOD Library) using NOCS. The DVL then generates a PVR Local Content Management (LCM) license that is stored alongside the recording. The LCM license includes the encrypted content key and unencrypted information about the device that made the recordings, including its NUID, CAS and CSADList credentials.
When an external storage device that contains recordings is moved to another device, the LCMs for those recordings are also moved. When the other STB middleware finds these LCMs, it can identify that they were made by another device. To decrypt the LCM license, it needs an LCM Conversion Information license (LCI), which can be provided by NAGRA PRM. To retrieve authorisation and get the license, it must call SDP (which will call PRM after authorising the request).
An LCI contains information that allows the requesting STB to decrypt all content made by the original device. Therefore, getting the license is known as "Pairing":
GET http://<server>:<port>/hue-gateway/gateway/http/js/linkedStbService/pairNocsDevices
This API returns the LCI (String), which must be passed to the device's DVL to enable playback.
For an LCI license to be authorised, both devices must be enabled on the same account. An optional SDP feature also allows LCIs to be provided for previously-owned devices. This feature is required for recordings from broken or refurbished STBs to continue to be used.
Streaming from a Gateway to another NOCS STB
This functionality is commonly referred to as "Whole-Home PVR". Distribution of PVR content is likely the only useful use case for streaming between STBs. Live TV and VOD are assumed to be covered by the external STB itself, but it might not have its own PVR functionality. This is a fairly common setup in households, where a single PVR device is used in the main viewing area (for example, a lounge), and another, non-PVR STB is used in another location (for example, master bedroom or second lounge).
The content can then be streamed to the second STB over HTTP as is, as it does not need to be transcoded to be playable by a similar NOCS-based STB. In this case, the PVR LCM described in the previous use case is provided inside the DLNA information retrieved when browsing the data. The target device should then retrieve an LCI as necessary to enable playback, using the same mechanism as described in the previous use case.
Streaming from a Gateway to an open device
Streaming content from a home gateway to open devices can be a desirable feature for several reasons:
- Streaming recorded content that might not otherwise be available OTT.
- Providing Live and VOD streaming to ensure higher quality video than is available OTT (due to internet reliability, bandwidth, as well as availability of OTT content).
To enable in-home streaming to an open device, the open device should first try to play back the content provided by the Gateway (CDS). The Gateway transcodes the content on the fly to a streaming format that the open device can use, that is, HLS. If the open device does not already have a valid Transformed LCM license, its Secure Player PAK will fire off a "no valid license" error when playback is attempted. The open device must then request a Session LCM from the Gateway. This LCM differs from the PVR LCM in that it has a fixed duration and is valid for a session rather than for specific content. After the session expires, the client must retrieve another Session LCM.
The open device cannot use the LCM as is. It must first transform the LCM license to a format that it can use.
The transform API is invoked from the SDP's NMPExtendedService:
GET http://<server>:<port>/hue-gateway/gateway/http/js/NmpExtendedService/transformEntitlements
This API returns the EntitlementsResponse with the entitlements data.
The open device must be enabled in the account and belong to the same account as the gateway device for the request to transform the license to be authorised.
Session LCMs and transformed licenses should be retrieved as needed rather than on application bootup to avoid unnecessary license delivery.
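The account rules stated above for pairNocsDevices and transformEntitlements, sketched as server-side decision functions. This is an added example, not NAGRA or OpenTV code; the device records, field names, function names and reason codes are assumptions.

```javascript
// Added example. The device records and field names are hypothetical,
// not the SDP's real schema; the sample data below is constructed.
const devices = new Map([
  ['stb-gw',   { accountId: 'acc-1', enabled: true }],
  ['stb-bed',  { accountId: 'acc-1', enabled: true }],
  // Returned STB: no current account, remembered as formerly on acc-1.
  ['stb-old',  { accountId: null, enabled: false, previousAccountId: 'acc-1' }],
  ['tablet-1', { accountId: 'acc-1', enabled: true }],
  ['tablet-x', { accountId: 'acc-2', enabled: true }],
]);

const allow = () => ({ allowed: true, reason: 'OK' });
const deny = (reason) => ({ allowed: false, reason });

// LCI ("pairing") decision. requesterId is assumed to come from the
// authenticated session; recorderId comes from the unencrypted part of the
// LCM on the disk, so it is only a lookup key and never proof of ownership.
function authorisePairing(requesterId, recorderId, opts = {}) {
  const requester = devices.get(requesterId);
  const recorder = devices.get(recorderId);
  if (!requester || !recorder) return deny('UNKNOWN_DEVICE'); // fail closed
  if (!requester.enabled || !requester.accountId) return deny('REQUESTER_NOT_ENABLED');
  if (recorder.enabled && recorder.accountId === requester.accountId) return allow();
  // Optional feature: recordings from a previously-owned (broken/refurbished) STB.
  if (opts.allowPreviouslyOwned && recorder.previousAccountId === requester.accountId) {
    return allow();
  }
  return deny('RECORDER_NOT_ON_ACCOUNT');
}

// Transform decision for an open device streaming from a gateway.
function authoriseTransform(openDeviceId, gatewayId) {
  const open = devices.get(openDeviceId);
  const gateway = devices.get(gatewayId);
  if (!open || !gateway) return deny('UNKNOWN_DEVICE');
  if (!open.enabled) return deny('OPEN_DEVICE_NOT_ENABLED');
  if (!open.accountId || open.accountId !== gateway.accountId) return deny('ACCOUNT_MISMATCH');
  return allow();
}

console.log(authorisePairing('stb-bed', 'stb-old'));
console.log(authorisePairing('stb-bed', 'stb-old', { allowPreviouslyOwned: true }));
console.log(authoriseTransform('tablet-x', 'stb-gw'));
```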