Seattle The good news is that Microsoft Corp. is working with content and service providers to get digital media on the PC. Now for the bad news: On first review, the multipronged effort looks complex and costly, and there's no guarantee any of it will work.
But for programmers and developers on the PC platform, failure is not an option if they are to avoid getting locked out of digital media in the face of competition from set-top boxes, dedicated gateway controllers and other platforms vying for a slice of the pie.
At last week's Windows Hardware Engineering Conference here, Microsoft took the wraps off its technical plans for copyright protection in Longhorn, the next major version of Windows, due late next year. "Impressed is not exactly the word it's more like flabbergasted," was one chip maker's reaction to the three-hour set of WinHEC presentations on pieces of that work.
Overall, chip and system makers said they are glad to see Microsoft fully engaged in getting premium content sorely lacking on the platform to date to the PC. But many in this traditionally freewheeling community are still counting the costs in new silicon, software and development processes as complex licensing deals and legal contracts stack up around digital content.
The problem is that today's PCs have access only to analog TV. They cannot tap into either standard or pay-per-view digital cable or satellite content, and they may not be able to access next-generation high-definition DVD content. In addition, this summer computer makers will no longer be able to sell over-the-air TV tuners for high-definition ATSC signals, because PCs do not yet have a mechanism to check for the broadcast flag mandated by the Federal Communications Commission starting July 1.
Taken together, that's a huge set of impediments to consumer sales, which have been a rare bright spot for the computer industry as its overall sales growth has slowed to single-digit rates. Indeed, Microsoft's living room platform, the Media Center PC, has sold just 2 million units in three years on the market.
"There are technical flags studios could put in their content to prevent it from flowing on the PC," said Pete Levinthal, a manager of software engineering at graphics chip maker ATI Technologies Inc. who works hands-on with Microsoft in its Redmond, Wash., offices. "We have to get premium content to play on the PC so the PC does not get locked out."
Levinthal, who helped to develop the new Windows copy protection approach, is confident PCs will be able to access digital cable, satellite and over-the-air TV services when Longhorn hits. But it will come at "double digit" cost additions per PC, he said.
Those costs will come in additional hardware encryption and processing overhead in graphics, CPU and other chips, as well as in additional verification costs for the crypto features, which have to work perfectly the first time. In addition, the copy protection architecture entails plenty of soft costs for chip and systems makers.
Test "may be the highest cost," Levinthal said, because high-definition video and crypto testers are scarce and expensive, and processes must be more rigorous to handle copy protection for digital media.
"We had to rethink our whole test plan. You can't do Monte Carlo-type testing or techniques to get broader coverage in less time," Levinthal said in one WinHEC presentation.
That's because licenses and contracts with multiple companies are piling up for the chip and system makers responsible for handling digital media on a PC.
"We've taken on more legal costs in copyright protection in the last six to eight months than we have in any previous engagement," Levinthal said. "Each legal contract sets a new precedent, and each new one builds on the previous one. There's a lot of liability in contracts around keys."
In addition, compliance and certification programs with Microsoft, CableLabs and others are yet to be worked out. The relatively slow CableLabs certification process could insert "a bottleneck in the standard engineering process we are accustomed to," Levinthal said.
"The licenses will be a big problem in terms of liability" and intellectual property, said Anthony Wood, chief executive of startup Roku (Palo Alto, Calif.), which makes digital media adapters. Wood took a front-row seat at one WinHEC session.
Microsoft was as clear about the complexity and costs of copy protection as it was about assurances the new techniques would bring high-definition digital content to the 2006 PC. "There are none," said Jan Hofmeyr, a group manager in Microsoft's eHome division working on broadcast issues.
The Longhorn work is based on complex relationships with multiple studios and service providers and on interpretations of often-unspecific published specs for broadcast and DVD copy protection. Beyond the technical work, Microsoft is in discussions with CableLabs to define a way to get PCs certified to use one-way CableCard modules, which will be supported in Longhorn, as well as two-way pay-per-view services, said Hofmeyr.
A representative of the Electronic Frontier Foundation peppered speakers here with challenges at several sessions. The computer industry is not bound to comply with the demands of content owners for security techniques that will always be imperfect, he said at least once to applause from the WinHEC audience.
"I feared I would come off as someone in bed with Hollywood," Dave Marsh, a program manager at Microsoft Research, said after his WinHEC a presentation. "The reality is we push back hard on these requests in an effort to find a balance."
Indeed, some say Microsoft may not be keeping close enough to the content companies. "These concepts have not been presented to Hollywood. They are being offered to the wrong audience first; thus they are unlikely to be accepted," said Richard Doherty, principal of Envisioneering Group (Seaford, N.Y.).
Inside the architecture
Microsoft devoted at least five hourlong sessions to rolling out the pieces of its Longhorn copy protection architecture, each one generating plenty of questions and controversy. Even then, speakers admitted chunks of the architecture are still in development and won't be revealed until next year.
A new crypto application programming interface for TV tuners, the Protected Broadcast Driver Architecture, is one of the first planks in the end-to-end Longhorn architecture. PBDA covers three areas: content sent in the clear with copy rules broadcast in vertical blanking interval (VBI) signals, content with embedded broadcast flags or other tags, and cable and satellite content using conditional access.
Under PBDA, Windows will handle broadcast flags, but tuners would be expected to handle encrypting content and generating Windows digital-rights-management licenses in hardware for content protected by conditional-access mechanisms.
Chips using PBDA would need to build in a random-number generator and XML certificate parser as well as support a host of algorithms, including 1,024-bit RSA, 160-bit SHA-1 and AES-128. They will eventually be expected to handle VBI data in hardware and to generate MPEG-2 transport streams.
Tuner makers such as ATI, Conexant Systems Inc. and Philips are developing the devices, and Microsoft has committed to rolling out the software in Longhorn. The chip work can be handled in firmware and might take as little as two months, said Michael Eskin, a principal engineer at Conexant (San Diego).
"Up until now, there was no release schedule for Microsoft's plans. Now they are ready to go," said Eskin.
Once broadcast or packaged content gets into the PC, Longhorn will surround the content with its Protected Media Path. A primary plank of PMP is the ability to run isolated processes that won't let other processes read or write to their software-protected memory space. The capability already in early builds of the first Longhorn beta, due this summer thwarts rogue programs from snooping on and grabbing protected content when it is decrypted.
"Right now, this facility is only being used for copy protection, but there are a whole bunch of other uses we are looking at," said Darryl Havens, a Windows architect who helped develop the feature.
Microsoft will control the policy engine inside the PMP. It will let third parties write encryption, decode and other parts of the software architecture, but anyone creating software that works in the protected path will have to get a license from Microsoft and obey compliance rules that the company has yet to release.
The PMP has a controversial capability to revoke and renew the privileges of any process in the protected path if it is found to be in violation of protection policies. Details about how the revoke/renew process works and APIs for creating third-party protected path software won't be available until Longhorn hits a second and final beta in the summer of 2006.
Microsoft may use its Windows Update service to handle renewals. The company currently does not plan to implement a secure, anti-rollback clock in Longhorn, but apps could create such a feature.
Ouch in output
The complexity rises when handling the touchy area of output. Microsoft rolled out a protection mechanism in Windows XP SP2 that relies on the application's handling the protection mechanisms. In Longhorn, Windows handles the work under an approach called Protected Video Path-Output Protection Management.
PVP-OPM establishes a chain of trust starting with authentication of the graphics chips by software drivers, via a hardware-function scan created by the chip maker. The operating system authenticates the driver based on a software signature, and the app checks the OS.
A much harder problem comes in protecting content that rides on the peripheral bus, typically PCI Express. "Some content owners have specifically written into their licenses that you cannot send unprotected content over the PCIe bus," said Marsh.
Some graphics chip makers hope content owners can be persuaded they do not need to encrypt data on the PCI Express bus before Longhorn ships.
Meanwhile, Marsh outlined six complex steps for protecting content running to an Express graphics card as part of the PVP-User Accessible Bus architecture.
In addition to authenticating components, the system must generate session keys using Diffie-Hellman and Davis-Meyer crypto techniques. It later generates content keys to encrypt content. It performs other measures to block man-in-the-middle attacks.
Graphics chips must support AES-128 as well as the other algorithms for PVP-UAB. Despite the complexity, graphics chip makers are expected to deliver test boards late this year and chips early next year, Marsh said.
Plenty of corner cases exist. For instance, Microsoft recommends that cards use a Cascade Cipher developed by Intel Corp. if they plan to send bulk uncompressed HD content over the PCI Express bus in cases where low-cost cards rely on system memory. Cards or chips soldered down to a motherboard don't need to support PVP-UAB, but they may need to prove they are soldered down, through an authentication method that would check their wire bonding or BIOS settings.
Music faces many unresolved wrinkles in the Protected User Mode Audio feature coming in Longhorn. It's not clear whether HDMI or other protected outputs will be best for audio, nor is it clear whether audio will face the same issues when riding the PCIe bus.
Separately, Microsoft is starting work on a Protected Audio Path for post-Longhorn Windows. The path may require that audio codecs build in crypto support, a mandate that Microsoft recognizes could have a big cost impact for the devices.
"Traditionally there has been less sensitivity about copying audio than video, but that is changing," said Marsh. "We are pushing back on these audio requests, and we are hopeful of success, but it's not clear how the decision will fall."
Microsoft delayed indefinitely plans to commercialize hardware-based security that it had intended to develop for Longhorn. The Next-Generation Secure Computing Base (NGSCB) program, which stores keys in a protected chip, is an ace in the hole that Microsoft could offer studios in the version of Windows after Longhorn, dubbed Blackcomb, if studios don't like the largely software-based Longhorn architecture.
"It's too far in the future to say whether Blackcomb would use NGSCB," said Marsh. "Hopefully, we have done enough in Longhorn to last awhile maybe forever."