10.1 Introduction


Online access to copyrighted entertainment, instantaneous exchange of private messages and the ability to perform financial transactions online are a few of the notable unimaginable revolutions information technology introduced in the last decade of the 20th century. Although these revolutions help make our lives richer and more convenient, they also provide a wide range of opportunities for compromising security and safety. Headlines are often occupied by stories about viruses, hackers and worms, but silent point security compromises, such as illegal reproduction of material and leaking of financial information and identities of individuals, have the more significant impact.

Traditional TV equipment did not provide the capabilities of a computer; although TVs utilized microprocessors for performing their functionality, they did not have sophisticated operating systems and did not implement the IP stack that enabled the revolution and the compromise of security. The lack of connectivity of TV outside the home or office limited the damage of a security compromise (which was very unlikely) to be local and manageable.

The introduction of iTV receivers, whether embedded in the TV or packaged as a set-top box, raises the need to address most security issues associated with sophisticated networks of modern computers. This section takes the approach of organizing into threats issues that can be addressed in a similar fashion. These threats act against relationships between individuals and organizations; for example, these threats may compromise trust. As such, each business process is vulnerable at points along paths where data, information or knowledge is exchanged.

Today, securing computers is largely a matter of routine maintenance. Using a variety of strategies, such as strong passwords, installing personal firewalls, and regularly running updated virus software can go a long way toward eliminating security compromises. Nevertheless, although not too often, at some point in time almost every path of communications is compromised to some degree.

Participants in the iTV food chain must give consideration to their individual threat and trust models, as well as the threat and trust models along paths of business processes in which they participate. Consideration must be given to various points of failure, assuming that no path is fully secure. There are a variety of approaches to the definition of threat models. This chapter covers a collection of issues simplified for clarity. The security of specific paths through the food chain depends heavily on the security and integrity of its personnel, its operating procedures, and on the administrative enforcement of those procedures. All the factors listed in this section are important to the overall security of a system in general and a specific food chain path in particular. However, mitigating those factors is in most cases outside the scope of technology and in the hands of people.

10.1.1 Threats

When analyzing security one needs to consider vulnerabilities and possible attacks. For each attack, one should consider the likelihood of the attack, the likelihood of its success, and the damage that could be done by the attacker with various degrees of success. The following are some forms of attack that may be applicable in certain scenarios.

  • Masquerade: In a masquerade attack, the attacker impersonates a trusted entity. On success, the attacker may gain access to sensitive data and perform privileged operations that only trusted entities could perform. Authentication techniques are commonly used to protect against this threat. User login management could be augmented by other interview-based authentication methods.

  • Unauthorized operation: The most common attack of this kind is purging of data. Redundancy of storage and conservative update policies reduce the risk of data loss.

  • Repudiation: In a repudiation attack, the attackers succeed in denying access to resources required by an application. This attack is very difficult to prevent. However, once it occurs, it is possible to reduce or eliminate damage by various redundancy techniques. For origin repudiation, the system is compromised not to accept data from a specific location. The damage could be mitigated by simply providing access to data from a large number of replicated locations. For delivery repudiation, information delivery could be blocked. In this case, transmission of data through multiple routes mitigates potential damage.

  • Denial of service: This is a special case of repudiation in which attackers may cause a server farm to be flooded with traffic beyond its capability to process this traffic. Redundancy and replication are commonly used to protect against this threat.

  • Interception: Sensitive data, such as credit card information, can be intercepted by adversaries without changing its route. As a result, it is not always possible to detect interception. Strong modern encryption is the common method to protect against this threat.

  • Modification: In a modification attack, the content is modified during its transport from one entity or organization to another. Successful attacks may inject inappropriate content (e.g., violating distribution contracts) or content that causes damage to receivers. Digital signatures are commonly used to protect against this threat. For example, challenges arise when managing multi-layer signatures combined with large numbers of change requests.

  • Mis-routing: Attackers may take control over data switches and servers for the purpose of misrouting the data. Damage is derived either through denying data from an intended destination, or providing data to an unintended source. Because modification is often required to achieve mis-routing, digital signatures are effective for protection against this threat.

10.1.2 Cryptography

People and organizations are able to communicate using a few standard languages, English being one of them. Content is considered to be exchanged in the clear using a language which is known and understood by a possibly large group of people and software agents whose members are unknown. To control the group of people and computers that may exchange a piece of content, that content is altered, or encoded at the time of transmission, and altered again, or decoded, at the time of reception, so that only a designated group, whose membership is known and controllable, can decode and utilize that content. The key assumption is that, without the ability to perform decoding back into a publicly understood language, it is not possible to utilize the content.

Altering a piece of content or a message, so that only members of a select group can decode it, is performed through the process of encryption; the steps taken to alter or encrypt a message are known as an encryption algorithm, or cipher. The application of an encryption algorithm to a message results in an encrypted message. Similarly, altering the message to recover the original message in the clear from the encrypted message is performed through decryption; the steps taken to decrypt a message are known as the decryption algorithm.

Encryption and decryption require the use of a key. The value of encrypting a message relies on the premise that one can control, through controlling the distribution of a decryption key, the group of people and software agents capable of decrypting the encrypted version of the message and utilizing its content. Cryptanalysis is the art and science of figuring out what the original message is without knowing the proper key. The developers of encryption and decryption algorithms are cryptographers, and those who make it their business to undo the fruits of such labor are called cryptanalysts. Often, both cryptographers and cryptanalysts study cryptology, which is the branch of mathematics concerned with the mathematical foundations of cryptographic methods.

10.1.2.1 Relationship to Threats and Vulnerabilities

Threats and vulnerabilities are not all directly related to cryptology. Denial of service, for example, denies access to information by means other than encryption. However, most of the just listed threats can be addressed using techniques that, in one way or another, rely on cryptography. As an example, addressing denial of service relies on a dynamically configurable redundant network architecture; knowledge of the specific configuration of that network at every given time enables perpetuating the attack and causing significant damage. Therefore, to mitigate the risk of leaking configuration information, the distribution of configuration information between participants of that network could be protected using cryptographic techniques.

10.1.3 Strategies

Participants in the iTV food chain must give consideration to their individual threat and trust models, as well as the threat and trust models along paths of business processes in which they participate. The security of specific paths through the food chain depends heavily on the security and integrity of its personnel, its operating procedures, and the administrative enforcement of those procedures. This section presents some possible strategies for preventing the compromise of specific paths as well as overall security of the food chain.

10.1.3.1 Know Who to "Trust"

One of the goals of a security framework is to establish trust. As an example, because broadcasters are fully accountable for the content they air, they must know who prepared the content to have some degree of confidence that the terms of the contract with the distributor or producer are met. As content fragments are passed through the food chain, each participant needs to ensure that content was not tampered with and that regulations are complied with.

Digital signatures enable the receiver of content to authenticate the entity sending the content and ensure that content was not tampered with. A digital signature is like a fingerprint of the content combined with the identity of the responsible sending party.

10.1.3.2 Mind Your Own "Business"

Signatures should apply to a part of a document as well as to the entire document. It should be possible to perform all security services on relevant portions of the content without touching irrelevant portions. For instance, applications may need to sign portions of a form, yet permit editing of other portions without invalidating a previous signature. In another example, applications may need to sign the program content but allow modification of the advertising content. In yet another example, there may be a need to allow modification of specific audio tracks while preventing the modification of the video tracks.

10.1.3.3 Only What is Signed is "Secure"

Signatures over updated content do not secure any information discarded by the update; only what is signed is secure. This means that it is possible to decouple the signature of an envelope document from the signature of the documents the envelope points to. As such, an update to a referenced document only requires re-signing the updated document, and does not require accessing the envelope or any other portion of the content. On the flip side, reusing a signed envelope for releasing subsequent versions of the content does not relieve one of the responsibility to ensure that the referenced content is indeed secure. In other words, the signing of an envelope does not secure the referenced content.
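The partial-signing and envelope behavior described in 10.1.3.2 and 10.1.3.3 can be seen in the following added example, which is not part of the original text. It assumes a simple scheme in which a signature covers a list of per-portion digests; the function names, key and sample content are constructed for illustration, and HMAC-SHA256 stands in for a public-key signature so the code runs with the Python standard library only.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in for the signer's public-key
# signature so the example needs nothing beyond the standard library.
KEY = b"constructed-demo-key"

def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _tag(refs: dict, key: bytes) -> str:
    # The tag covers the list of (portion name, digest) pairs, not the raw content.
    signed_info = json.dumps(refs, sort_keys=True).encode()
    return hmac.new(key, signed_info, hashlib.sha256).hexdigest()

def sign_parts(content: dict, covered: list, key: bytes = KEY) -> dict:
    """Sign only the named portions: one digest per portion, one tag over the list."""
    refs = {name: _digest(content[name]) for name in covered}
    return {"refs": refs, "tag": _tag(refs, key)}

def verify_parts(content: dict, sig: dict, key: bytes = KEY) -> bool:
    """True only if the digest list is authentic and every covered portion matches."""
    if not hmac.compare_digest(_tag(sig["refs"], key), sig["tag"]):
        return False
    return all(
        name in content and hmac.compare_digest(_digest(content[name]), want)
        for name, want in sig["refs"].items()
    )

def demo() -> dict:
    # Constructed sample: the program is signed, the advertising stays editable.
    show = {"program": b"episode 12 video", "advertising": b"ad slot A"}
    sig = sign_parts(show, ["program"])
    ad_swapped = dict(show, advertising=b"ad slot B")
    program_swapped = dict(show, program=b"other video")
    # Envelope that points at a document by name; first only the envelope is signed.
    bundle = {"envelope": b'{"ref": "document"}', "document": b"version 1"}
    env_only = sign_parts(bundle, ["envelope"])
    env_and_doc = sign_parts(bundle, ["envelope", "document"])
    updated = dict(bundle, document=b"version 2 (unreviewed)")
    return {
        "ad_edit_still_valid": verify_parts(ad_swapped, sig),
        "program_edit_detected": not verify_parts(program_swapped, sig),
        "envelope_sig_misses_doc_change": verify_parts(updated, env_only),
        "doc_change_detected_when_covered": not verify_parts(updated, env_and_doc),
    }

if __name__ == "__main__":
    print(demo())
```

The third result is the one to watch for in practice: a verifier that checks only the envelope signature accepts the bundle even though the referenced document has changed.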

10.1.3.4 Only What is "Seen" Should be Signed

A signature secures any information introduced by enhancements to content, including both visible and invisible enhancements. Only what is seen and presented to the user via visual or auditory means should be signed. This is especially true in case signing is intended to convey the judgment or consent of a person, in which case it is normally necessary to secure as exactly as practical the information that was presented to that person. This can be accomplished by literally marking and signing only what was presented, resulting in data which is difficult for subsequent manipulation. Instead, one can sign the data along with whatever filters, style sheets, client profiles or other information that affects its presentation, and provide the viewer with a walkthrough presentation as applicable.

10.1.3.5 "See" What is Signed

Just as one should only sign what he or she "sees," persons and automated mechanisms that trust the validity of revised content on the basis of a valid signature should operate only over the content that was updated and signed, not an earlier version of the content. For example, if an XML document includes an embedded style sheet or script, it is the transformed document that should be represented to the user and signed rather than the style sheet or script. To meet this recommendation where a document references an external authoring tool, the content of that external tool should also be signed with a signature reference; otherwise, the content of that external content might change, altering the resulting revision without invalidating the signature.

10.1.3.6 Avoid "Unnecessary" Encryption

As with any powerful tool, encryption may easily be overused. For example, an encrypted data file may be archived together with other files, and the entire archive may be encrypted. In this case, a file is encrypted twice. The damage could be minor inefficiency and wasted space, or it could escalate to major failure to access critical data. As a general rule, there should be a single layer of encryption. Before any grouping and archiving of files, one should make sure to decrypt whichever files are encrypted. It is often much easier to track down the reason for decryption failure closer to the time of encryption.

10.1.3.7 Ensure That Updates Are "Secure"

Some applications might operate over the original version of the content, whereas others may operate on temporary versions. One should be extremely careful about potential weaknesses introduced between the original and temporary version of the data. This is a trust decision about the character and meaning of the edits that an application needs to make with caution. For instance, by changing the case of a character one might cause a case sensitive receiver to exhibit an undesired behavior that significantly impairs the viewer's experience. In a more detailed example, some applications may be satisfied with verifying a signature over a cached copy of already modified content. Other applications might require that content be freshly dereferenced and transformed. As a result, every time a file is updated care must be taken that signatures are updated correctly regardless of how the update was produced.

10.1.3.8 Know Who "Has" Which Keys

With public key signatures, any number of parties can hold the public key and verify signatures, but only the parties with the private key can create signatures. The number of holders of the private key should be minimized and preferably limited to one. Confidence is obtained by verifying the public key that these holders are using and its binding to the entity or capabilities represented by the corresponding private key. This verification is performed using certificates or keyed hash authentication codes. The latter are based on secret keys and are typically much more efficient in terms of the computational effort required, but all verifiers need to have possession of the same key as the signer. Thus, with keyed hash authentication codes any verifier can forge signatures.

10.1.3.9 Carefully Manage Algorithms, Key Lengths, Certificates

The strength of a particular signature depends on all links in the security chain. This includes the signature and digest algorithms used, the strength of the key generation and the size of the key, the security of key and certificate authentication and distribution mechanisms, certificate chain validation policy, protection of cryptographic processing from hostile observation and tampering, and so on.

Care must be exercised by applications in executing the various algorithms that may be specified in a signature and in the processing of any executable content that might be provided to such algorithms as parameters, such as XSLT transforms. Obviously, more care may be warranted with application-defined algorithms.



ITV Handbook. Technologies and Standards
ISBN: 0131003127
EAN: 2147483647
Year: 2003
Pages: 170
