Security Breaches, Vulnerabilities & Privacy for IPMX

It's the early evening on a beautiful day in Las Vegas. While strolling along the Strip, you're captivated by a truly giant direct-view LED display broadcasting a stunning visual message. As you briefly lose yourself in the spectacle of the presentation, the video abruptly cuts out, jarringly replaced with some truly reprehensible content, which clearly wasn't intended by whomever owns that sign. As the offensive presentation persists, the crowd on the street begins to take notice, and soon, it makes the news in a way that is unique to what can happen when security breaches meet AV-over-IP.

As a bystander, this incident might leave you unnerved. But now, imagine you were the IT security manager responsible for that facility. Your concern would shift dramatically from embarrassment and shock to a rush of technical questions and security reviews. You'd immediately need to consider several key questions, including:

Server Security : Was there a breach in the server where the media files are stored? Could someone have tampered with the files?

Control Layer Breach : Was the system that controls what content gets displayed compromised?

Content Layer Vulnerability : Was there a failure in securing the content layer, allowing someone to intercept and replace the stream?

In real-time, IP media systems like those used in high-value, large-scale displays, the common security concerns found in any IT environment carry additional, unique aspects. That is why interoperable security is a central feature of IPMX, on multiple levels.

>> IPMX Unpacked: The Key Documents Shaping the Future of AV-over-IP

>> IPMX Provides a Framework for Pro AV

>> Do You Know the Difference Between IPMX and SMPTE ST 2110 (and AES67)?

>> IPMX's Strength is its Interoperability

>> IPMX: Media Experience Nirvana?

>> IPMX's Soft Spot

>> Dirty Hands and IPMX

>> For IPMX, It’s About Time

>> IPMX: The Next Great AV Standard?

Within NMOS, and thanks to IS-10 and BCP-003-X , interoperable security specifications provide methods for securing communications within the control plane of IPMX systems. NMOS security leverages well-established protocols like OAuth 2.0, TLS, and JWT, ensuring robust authentication, authorization, and encryption across IP-based media networks.

However, when it comes to the transport layer, IPMX relies on a new protocol called the Privacy Encryption Protocol , or PEP. This protocol enables secure multicast, unicast and bi-directional distribution of digital media and data flows, protecting against unauthorized access or manipulation. It employs AES Counter Mode encryption to ensure that media streams are encrypted and securely managed and includes comprehensive key management capabilities, supporting both static and dynamic key assignments to accommodate varying security needs of media transmissions. Through these features, PEP ensures that IPMX has the security, scalability, and interoperability features required in professional AV environments. In this article, we’ll explore some of PEP’s details, highlighting its major features and some of the unique aspects as we go along.

Privacy Encryption Protocol (PEP)

When the VSF set out to address the need for privacy encryption within the IPMX framework, the first decision was whether to go with an existing protocol like SRTP or to create something new. Opting for the latter, the IPMX activity group created PEP. This decision was primarily driven by the necessity for PEP to coexist with IPMX’s HDCP feature. Unlike SRTP, which encrypts parts of the data that HDCP doesn’t touch, PEP aligns neatly with the strict requirements of the documents that define HDCP 2.3 and how it is used over IP networks, avoiding unnecessary complications and bloated hardware design when both features are present within the same device. PEP also simplifies things significantly by avoiding the key management dance required by SRTP for multicast streams, instead choosing a method that is aligned with how an NMOS-controlled IPMX setup works. In this way and others, PEP is a perfectly tailored fit for the IPMX ecosystem.

Understanding Key Management in PEP

PEP brings benefits beyond efficiency with its robust key management features. To appreciate how PEP enhances security within IPMX, it may be helpful to review some basics about encryption keys. PEP uses pre-shared keys (PSKs) that are securely installed in advance on both the sender and receiver devices. These keys are then used to derive session-specific keys using various features of PEP, including a key derivation function (KDF), which creates a privacy key from the PSK and other parameters that make up the PEP protocol. This suite of features simplifies key management while maintaining security and flexibility across various use cases. Let’s walk through a few scenarios so that we can see how PEP keeps things easy to manage, flexible and secure.

First, let’s consider a corporate campus equipped with IPMX AV-over-IP technology. In the huddle rooms, devices might be configured with a key for general employee access. In the boardroom, however, the setup could include not only the general access key but also additional keys for content that requires higher security levels. Key IDs allow these devices to identify and select the appropriate key based on the content's required access level, ensuring that each stream is accessible only to those with the correct authorization. This system enables seamless distribution of diverse content across various devices, each tailored to different security needs.

Next, let’s look at key reuse and long-running streams. While hacking to illicitly decrypt content in real-time is extremely difficult, it's possible to capture and store the encrypted stream for decryption at a later time. If the same key is used over an extended period, such as months or years, and if that key is eventually cracked through brute force or another method, the entire stream's security is compromised. This could expose past, present, and future content until the key is changed. PEP addresses this vulnerability by using parameters randomly generated whenever the device restarts, as well as with key versioning. With key versioning, keys can be periodically updated without interrupting the stream, significantly reducing the risk of compromise and enhancing the security of long-running streams.

Just as using the same key for long-running flows can pose a security risk, employing a single key across different streams or sub-streams can also compromise security. PEP addresses this concern by requiring the use of distinct encryption parameters for each stream and sub-stream, maintaining maximum security even if multiple streams and sub-streams share the same encryption key. PEP also allows for the customization of security parameters for each stream, providing distinct encryption keys and encryption parameters for each stream. As a result, while some streams might require robust encryption due to sensitive content, others can operate with lighter security measures, optimizing overall system efficiency without sacrificing safety.

Now imagine two people in the system need to communicate without the possibility that anyone else could decrypt their session, not even a system administrator. To stop other devices that have the same PSK from receiving the content, a special key could be created just for them, although that still doesn’t stop an administrator from eavesdropping. Thankfully, PEP offers a more streamlined solution using Elliptic Curve Diffie-Hellman (ECDH) . ECDH is a key agreement protocol that allows each participant to generate a public-private key pair and share their public keys with one another. Without transferring any private keys, both parties can then derive a shared secret based on their own private keys and the other’s public key. In PEP, this shared secret is combined with a pre-shared key in the key derivation function to generate a unique session key that encrypts their communication. This ensures that no one else, not even the system administrator, can access their conversation, simplifying the key management process while significantly enhancing the privacy and security of their communications.

Conclusion

PEP is a significant advancement for AV-over-IP security by offering an efficient and comprehensive method for managing access to data and content streams within the IPMX framework. By integrating robust features like key versioning, sub-streams, and optional support for ECDH, PEP not only simplifies the encryption landscape but also ensures that each stream is uniquely secured against potential breaches, all while coexisting seamlessly with HDCP and NMOS control protocols.

PEP's thoughtful integration into IPMX provides stakeholders—from system integrators to end users—with a reliable, scalable, open, interoperable, and highly secure AV-over-IP solution. Together, IPMX and PEP will play an important role in the evolution of the industry, ensuring that as the complexity and scale of AV deployments grow, security is always part of the picture.

Author’s note: A special thank you to Alain Bouchard, the lead author of TR-10, for not only crafting the specification but also for his assistance with this article.