ISO/IEC 23009-4:2013 pdf download – Information technology — Dynamic adaptive streaming over HTTP (DASH) — Part 4: Segment encryption and authentication.
2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 23009-1 :201 2, Information technology — Dynamic adaptive streaming over HTTP (DASH) — Part 1: Media presentation description and segment formats Advanced Encryption Standard, Federal Information Processing Standards Publication 1 97, FIPS- 1 97, http://www.nist.gov/ Secure Hash Standard, Federal Information Processing Standards Publication 1 80, FIPS 1 80- 3, http://www.nist.gov/ Recommendation of Block Cipher Modes of Operation, NIST, NIST Special Publication 800- 38A, http://www.nist.gov/ Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, NIST, NIST Special Publication 800-38D, http://www.nist.gov/ IETF RFC 21 04, HMAC: Keyed-Hashing for Message Authentication, H. Krawczyk, M. Bellare, R. Canetti, February 1 997 IETF RFC 261 6, Hypertext Transfer Protocol – HTTP/1.1, June 1 999 IETF RFC 3986, Uniform Resource Identifier (URI): Generic Syntax, January 2005 IETF RFC 5246, The Transport Layer Security (TLS) Protocol, T. Dierks et al, August 2008 IETF RFC 5652/STD 70, Cryptographic Message Syntax (CMS), R. Housley, September 2009
3 Terms, definitions and abbreviated terms 3.1 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1.1 additional authenticated data input data to the authenticated encryption function that is authenticated but not encrypted 3.1.2 authentication tag cryptographic checksum on data that is designed to reveal both accidental errors and the intentional modification of the data 3.1.3 authenticated encryption mode of operation in which the plaintext is encrypted into the ciphertext, and an authentication tag is generated on the AAD and the ciphertext 3.1.4 cryptoperiod number of continuous segments for which the same encryption key and the same initialization vector are used 3.1.5 encryption system system used for encryption of Media Segments using keys provided by the Key System 3.1.6 key system system that provides keys necessary for decryption of Media Segments 3.1.7 segment number unique positive integer associated with a Media Segment within a Representation Note 1 to entry: The Media Segment presented (in presentation order) after Media Segment with Segment Number N has Segment Number N+1 .
4 Introduction 4.1 Segment Encryption The content protection framework provided in this part of ISO/IEC 23009 is a framework for out-of-band derivation of parameters needed for successful decryption of media segments. The tools provided are MPD interfaces that allow derivation of key and initialization parameters, baseline encryption and key resolution methods, and, lastly, it provides extensibility points to accommodate different key resolution and encryption algorithms using the same interface. Conceptually, the content protection framework provided in this part of the standard can be viewed as two entities, key system and encryption system. Key system derives keys associated with a segment given the information provided in the MPD, while the encryption system decrypts media segments given the information provided in the MPD and encryption keys provided by the key system. The baseline mandatory system applies AES-CBC encryption to a complete segment and uses HTTP(S) for key transport. In this baseline system the DASH client will be able to recognize uniquely for each segment which key and initialization vector were used for their encryption. The client will then issue a GET request for the key, and will either issue a GET request for the initialization vector or derive it locally. After receiving key and initialization vector, the DASH client can successfully decrypt the media segment and pass it to the media engine. In this description, AES-CBC full-segment encryption is the encryption system, and key retrieval using HTTP(S) is the key system.