ISO/IEC 23009-4:2013 Information technology — Dynamic adaptive streaming over HTTP (DASH) — Part 4: Segment encryption and authentication.
As most DRM systems employ license-based systems to derive keys, license-based key systems are supported in this standard. In this case, a license is retrieved, and the key URIs are opaque key identifiers. The license-based key system resolves these IDs into keys in an unspecified way and passes the keys to an encryption system.
The latter, having the keys provided by the key system and the encryption information (e.g. algorithm specification and IV) provided by the MPD, decrypts the media segment. Additional encryption methods can be signalled using URIs and (possibly) generic encryption-related parameters provided in this part of ISO/IEC 23009.

This part of ISO/IEC 23009 is format-independent: it does not apply specifically to any type of media segment, and its notion of cryptoperiods is completely divorced from any specific segment type. The baseline encryption system applies to a complete segment. The normative part of this framework provides (a) the MPD interface, and (b) baseline key and encryption systems. These are shown in Figure 1 — Baseline Segment Encryption. Note that the implementation shown in this figure is for illustration purposes, and many of the operations can be optimized, e.g. by parallelization and pre-fetching.
The Segment Encryption scheme specifies standard encryption and key mapping methods that may be used when segment protection is needed. The scheme operates by applying encryption to segments, which are thus transmitted in a protected fashion. Definitions are provided to identify the segments as encrypted, and to identify the appropriate key(s) and IV(s) from an MPD.
4.2 Segment Authentication
The Segment Authentication framework allows the use of authenticity tags for all DASH segment types in order to verify the origin and content authenticity. It works by calculating a digest or a MAC of an unencrypted segment and storing the value externally. The MPD interface provides URL templates to retrieve these values, using HTTPS or HTTP. The client retrieves the digest/signature, recomputes it locally on the decrypted (sub)segment, and can reject the (sub)segment in case of a mismatch.
If used together with encryption, the mode of operation of this framework is “authenticate, then encrypt”, rather than the more common “encrypt, then authenticate” mode. The former provides an important feature, encryption invariance: if no encryption, or a different encryption algorithm and/or different parameters, were used to encrypt the same media segment for serving it to different clients, the authenticity tag will still remain the same as long as the content itself has not changed.
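The following is an added example, not code from ISO/IEC 23009-4 or from any DASH implementation. It models both halves of the text above: a stand-in license-based key system that resolves opaque key URIs into keys while the MPD supplies the IV, and the segment authentication flow in which the tag is computed over the unencrypted segment, fetched separately by the client, and checked against a recomputation on the decrypted segment. It then shows the encryption invariance property: one tag verifies the same segment whether it is served in the clear or encrypted under two different keys and IVs, and a single flipped ciphertext byte is rejected. The cipher is an assumption: the page does not name the baseline algorithm, so a keystream XOR built from HMAC-SHA256 is used purely so the example runs on the Python standard library; the segment bytes, key URIs, keys and IVs are constructed sample values.

```python
"""Added example (not from ISO/IEC 23009-4): segment authentication with
"authenticate, then encrypt" and the resulting encryption invariance.

Assumptions (not on the page): the cipher is a stand-in keystream XOR built
from HMAC-SHA256, used only so the example runs on the standard library;
key URIs, keys, IVs and the segment bytes are constructed sample values.
"""
import hashlib
import hmac

# Constructed stand-in for a DASH media segment (e.g. an ISO BMFF moof/mdat pair).
SEGMENT = b"constructed DASH segment payload bytes " * 8

# Constructed opaque key identifiers and the keys a 'license' maps them to.
SAMPLE_KEYS = {
    "urn:example:keyid:0001": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "urn:example:keyid:0002": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


class LicenseKeySystem:
    """Resolves opaque key URIs from the MPD into keys. The standard leaves the
    resolution itself (license retrieval, derivation) unspecified, so this
    stand-in simply consults a table filled from a retrieved license."""

    def __init__(self, license_table):
        self._keys = dict(license_table)

    def resolve(self, key_uri):
        return self._keys[key_uri]


def _keystream(key, iv, length):
    """CTR-style keystream from HMAC-SHA256 (stand-in for the baseline cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_segment(plain, key, iv):
    """Encrypt a complete segment by XOR with the keystream; decryption is the same op."""
    return bytes(p ^ k for p, k in zip(plain, _keystream(key, iv, len(plain))))


decrypt_segment = encrypt_segment


def authenticity_tag(segment, mac_key=None):
    """Tag over the UNENCRYPTED segment: a plain digest, or an HMAC when the
    deployment shares a MAC key with clients. The origin stores it externally
    and the client fetches it via the MPD-provided URL template."""
    if mac_key is None:
        return hashlib.sha256(segment).hexdigest()
    return hmac.new(mac_key, segment, hashlib.sha256).hexdigest()


def client_verify(received, expected_tag, key_system=None, key_uri=None, iv=None, mac_key=None):
    """Client side: decrypt if the MPD signalled encryption, recompute the tag on the
    decrypted segment, and reject on mismatch. Returns the plaintext or None."""
    if key_uri is None:
        plain = received  # segment served unencrypted
    else:
        plain = decrypt_segment(received, key_system.resolve(key_uri), iv)
    if not hmac.compare_digest(authenticity_tag(plain, mac_key), expected_tag):
        return None
    return plain


def demo():
    """Same segment served three ways (clear, key 1, key 2): one tag verifies all;
    a flipped ciphertext byte is rejected."""
    tag = authenticity_tag(SEGMENT)  # computed once, before any encryption
    ks = LicenseKeySystem(SAMPLE_KEYS)
    iv1 = bytes(range(16))  # constructed IVs, as the MPD would carry them
    iv2 = bytes(range(16, 32))
    enc1 = encrypt_segment(SEGMENT, ks.resolve("urn:example:keyid:0001"), iv1)
    enc2 = encrypt_segment(SEGMENT, ks.resolve("urn:example:keyid:0002"), iv2)
    outcomes = {
        "clear": client_verify(SEGMENT, tag) == SEGMENT,
        "key1": client_verify(enc1, tag, ks, "urn:example:keyid:0001", iv1) == SEGMENT,
        "key2": client_verify(enc2, tag, ks, "urn:example:keyid:0002", iv2) == SEGMENT,
        "ciphertexts_differ": enc1 != enc2,
    }
    tampered = bytearray(enc1)
    tampered[10] ^= 0x01  # one flipped bit in transit
    outcomes["tampered_rejected"] = (
        client_verify(bytes(tampered), tag, ks, "urn:example:keyid:0001", iv1) is None
    )
    return outcomes


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Because the tag is bound to the plaintext rather than to any particular ciphertext, the origin can re-encrypt a segment per client or rotate keys at a cryptoperiod boundary without re-issuing tags; the trade-off is that the client must decrypt before it can reject a segment, so a deployment that wants to drop bad data before spending decryption work needs the tag retrieved over HTTPS (or an HMAC with a client-held key) to keep the tag itself trustworthy.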