In real-time AVoIP media systems, the security concerns found in any IT environment take on additional aspects: the flows are latency-sensitive, commonly multicast, and frequently carry content that must not be readable by anyone who can see the network. That is why interoperable security is a central feature of IPMX, on multiple levels.
Within NMOS, the IS-10 and BCP-003-X specifications provide interoperable methods for securing the control plane of IPMX systems. NMOS security leverages well-established protocols: TLS for encrypting and authenticating control connections, and OAuth 2.0 with JWT bearer tokens for authentication and authorization, so that only trusted controllers and devices can read or change the state of an IP-based media network.
When it comes to the transport layer, however, IPMX relies on a new protocol called the Privacy Encryption Protocol, or PEP. PEP enables secure multicast, unicast and bi-directional distribution of digital media and data flows, protecting them from unauthorized access. Media is encrypted with AES in Counter (CTR) mode, and the protocol includes comprehensive key management, supporting both static and dynamic key assignments to accommodate the varying security needs of media transmissions. One caveat worth keeping in mind: counter mode is a confidentiality mode. It keeps eavesdroppers from reading the media, but on its own it does not detect modification of the ciphertext, so any integrity guarantee has to come from a separate mechanism. Let's explore some of PEP's details.
When the VSF set out to address the need for privacy encryption within the IPMX framework, the first decision was whether to adopt an existing protocol such as SRTP or create something new. The IPMX activity group opted for the latter and created PEP. The decision was driven primarily by the need for PEP to coexist with IPMX's HDCP feature. SRTP encrypts portions of the packet that HDCP's own encryption leaves untouched, so the two schemes overlap awkwardly when stacked; PEP instead aligns with the strict requirements of the documents that define HDCP 2.3 and its use over IP networks, avoiding unnecessary complication and bloated hardware design when both features are present in the same device. PEP also avoids the key management SRTP needs for multicast: SRTP itself defines no keying, so multicast deployments must bolt on an external mechanism such as MIKEY, whereas PEP uses a method aligned with how an NMOS-controlled IPMX setup already works. The result is a protocol tailored to the IPMX ecosystem.
PEP's benefits go beyond efficiency, thanks to its key management features. To appreciate how PEP enhances security within IPMX, it helps to review a few basics about encryption keys. PEP uses pre-shared keys (PSKs) that are installed in advance, through a secure provisioning process, on both the sender and the receiver. A PSK is never applied to the media directly; instead, a key derivation function (KDF) combines the PSK with other PEP parameters (key identifiers, key versions, per-stream values and randomly generated material, described below) to produce the privacy key that actually encrypts a stream. This keeps key management simple while preserving security and flexibility. It also means the PSKs are the root of trust: every device that holds a given PSK can derive the privacy keys of every stream keyed from it, so PSK provisioning and storage deserve the same care as any other long-lived secret.
Consider a corporate campus equipped with IPMX AVoIP technology. In the huddle rooms, devices might be configured with a key for general employee access. In the boardroom, the setup could include not only the general access key but also additional keys for content that requires a higher security level. Each stream references a key ID, which lets a device select the appropriate key for the content's required access level; a device that was never provisioned with that key ID simply cannot derive the privacy key, so each stream is accessible only to those with authorization. This enables seamless distribution of diverse content across devices with different security needs.
Next, let's look at key reuse and long-running streams. Decrypting a stream in real time without the key is not a realistic attack, but recording the encrypted stream and storing it for later is trivial. If the same key is used for an extended period and that key is later compromised, whether it leaks from a device, is extracted from a backup, or is otherwise obtained, the whole recording becomes readable: past, present and future content until the key is changed. PEP addresses this in two ways: parameters that are randomly generated each time a device restarts, and key versioning. With key versioning, keys can be updated periodically without interrupting the stream, so a compromise exposes at most the content sent under one key version rather than the lifetime of the stream.
Likewise, employing a single key across different streams or sub-streams can compromise security. With a counter-mode cipher this is not an abstract concern: if two streams encrypt under the same key with the same counter values, they share the same keystream, and XORing the two ciphertexts together cancels the keystream and leaves the XOR of the two plaintexts. PEP addresses this by requiring distinct encryption parameters for each stream and sub-stream, so that even streams sharing the same encryption key never share keystream. PEP also allows the security parameters of each stream to be customized, with distinct encryption keys and parameters per stream. As a result, streams carrying sensitive content can be keyed and rotated more aggressively, while others run with lighter settings, optimizing overall system efficiency without sacrificing safety.
Now imagine two people in the system need to communicate without the possibility that anyone else could decrypt their session, not even a system administrator. A dedicated key could be created just for them to stop other devices holding the same PSK from receiving the content, but that still does not stop an administrator who can read that key from eavesdropping. PEP offers a more streamlined solution using Elliptic Curve Diffie-Hellman (ECDH). ECDH is a key agreement protocol in which each participant generates a public-private key pair and sends the other only its public key. Without any private key ever leaving its device, each party then derives the same shared secret from its own private key and the other's public key. In PEP, this shared secret is combined with a pre-shared key in the key derivation function to generate a unique session key that encrypts their communication. Because the session key depends on the shared secret, holding the PSK alone is not enough to derive it, so no one else, the system administrator included, can access the conversation. Two caveats apply, as with any Diffie-Hellman exchange: the private keys must stay on the endpoints, and the public keys must be exchanged in a way the endpoints can trust, since an unauthenticated exchange is private only against a passive eavesdropper, not against an active attacker who can substitute public keys.
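The key handling described in the preceding paragraphs (a PSK selected by key ID, a KDF that mixes in key version, stream and sub-stream identifiers and a per-restart random value, AES-CTR on the packets, and the ECDH variant that keeps a PSK holder out) can be demonstrated end to end in a few dozen lines. The code below is an added example written for this article; it is not PEP's own implementation, and the page gives neither PEP's KDF nor its parameter layout or counter-block format. All of those are assumptions here: HKDF-SHA256 as the KDF, the StreamContext field names and widths, the domain-separation label, the counter-block layout, and P-256 for ECDH. It uses only Go's standard library (crypto/ecdh needs Go 1.20 or later).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// StreamContext holds the public parameters that select and diversify a key.
// Field names and widths are assumptions for this demo, not PEP's wire format.
type StreamContext struct {
	KeyID      uint16  // which pre-shared key (e.g. general access vs. boardroom)
	KeyVersion uint16  // bumped to roll the key without stopping the stream
	StreamID   uint32  // distinct per stream
	SubStream  uint8   // distinct per sub-stream (e.g. video vs. ancillary data)
	BootNonce  [8]byte // random value chosen at every device restart
}

// hkdfSHA256 is RFC 5869 extract-then-expand using only the standard library.
func hkdfSHA256(ikm, salt, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, t []byte
	for i := byte(1); len(out) < n; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(t)
		m.Write(info)
		m.Write([]byte{i})
		t = m.Sum(nil)
		out = append(out, t...)
	}
	return out[:n]
}

// PrivacyKey derives the AES-128 key for one stream/sub-stream/key version from
// the PSK selected by ctx.KeyID. ecdhSecret is nil for ordinary streams; for a
// private two-party session it is the ECDH shared secret, mixed into the input
// keying material so that holding the PSK alone is not enough.
func PrivacyKey(psks map[uint16][]byte, ctx StreamContext, ecdhSecret []byte) ([]byte, error) {
	psk, ok := psks[ctx.KeyID]
	if !ok {
		return nil, fmt.Errorf("no PSK installed for key id %d", ctx.KeyID)
	}
	ikm := append(append([]byte{}, psk...), ecdhSecret...)
	info := []byte("pep-demo-privacy-key") // hypothetical domain-separation label
	info = binary.BigEndian.AppendUint16(info, ctx.KeyID)
	info = binary.BigEndian.AppendUint16(info, ctx.KeyVersion)
	info = binary.BigEndian.AppendUint32(info, ctx.StreamID)
	info = append(info, ctx.SubStream)
	return hkdfSHA256(ikm, ctx.BootNonce[:], info, 16), nil
}

// EncryptPacket applies AES-128-CTR to one packet payload; decryption is the
// same call. CTR is a keystream mode, so a (key, counter block) pair must never
// be used twice: the packet sequence number sits in bytes 8..11 and bytes 12..15
// start at zero for the within-packet block counter, so two packets never share
// a counter block even when a payload spans many 16-byte blocks.
func EncryptPacket(key []byte, ctx StreamContext, seq uint32, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	copy(iv[:8], ctx.BootNonce[:])
	binary.BigEndian.PutUint32(iv[8:12], seq)
	out := make([]byte, len(payload))
	cipher.NewCTR(block, iv).XORKeyStream(out, payload)
	return out, nil
}

// NewParty makes an ephemeral P-256 key pair for the two-party ECDH case.
func NewParty() (*ecdh.PrivateKey, error) { return ecdh.P256().GenerateKey(rand.Reader) }

// SharedSecret is the ECDH agreement: my private key with the peer's public key.
func SharedSecret(mine *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	return mine.ECDH(peer)
}

func main() {
	// Constructed PSKs: id 1 for general access, id 2 for the boardroom.
	psks := map[uint16][]byte{1: []byte("huddle-room-psk!"), 2: []byte("boardroom-psk!!!")}
	ctx := StreamContext{KeyID: 2, KeyVersion: 1, StreamID: 42}
	rand.Read(ctx.BootNonce[:])
	alice, _ := NewParty()
	bob, _ := NewParty()
	sa, _ := SharedSecret(alice, bob.PublicKey())
	sb, _ := SharedSecret(bob, alice.PublicKey())
	ka, _ := PrivacyKey(psks, ctx, sa)
	kb, _ := PrivacyKey(psks, ctx, sb)
	admin, _ := PrivacyKey(psks, ctx, nil) // holds the PSK but neither private key
	ct, _ := EncryptPacket(ka, ctx, 1, []byte("frame 1"))
	pt, _ := EncryptPacket(kb, ctx, 1, ct)
	fmt.Printf("parties agree: %v, admin derives same key: %v, decrypted: %q\n",
		string(ka) == string(kb), string(admin) == string(ka), pt)
}
```

Two design points are worth noticing. First, every diversifier (key ID, version, stream, sub-stream, restart nonce) goes into the KDF, so changing any one of them yields an unrelated key; that is what lets a version bump roll the key mid-stream and keeps two sub-streams from ever sharing keystream. Second, the counter-block layout leaves the low 32 bits for the per-block increment, which is the detail most often got wrong in hand-rolled CTR framing: putting the sequence number in the low bits would make packet 2's first block collide with packet 1's second block.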
PEP is a significant advancement for AV-over-IP security: an efficient and comprehensive method for managing access to data and content streams within the IPMX framework. By combining key IDs, key versioning, per-stream and per-sub-stream parameters, and optional ECDH, PEP simplifies the encryption landscape and gives each stream its own keying material, all while coexisting with HDCP and the NMOS control protocols.