Security for Discovery and Connection Management of ST2110 Media Devices

While the networked media open specifications (NMOS) allow for easy adoption from the broadcast industry, they are fully documented and would easily allow man-in-the-middle attacks to retrieve vital device information, such as IP addresses for accessing control ports. Usage of those control ports by unauthorized personnel could lead to disruptions in the production chain.

AMWA BCP-003 can be used to encrypt all API traffic with TLS to initially prevent man-in-the-middle attacks. As there are many cipher suites to choose from, this paper describes why the current list of suites was chosen to cover both best security and compatibility with legacy broadcast equipment with minimal computing performance. The paper will then explain how a broadcast facility can practically deploy the needed Public Key Infrastructure and how devices that are installed after initial deployment can be added.

Furthermore, we will focus on AMWA IS-10 as a means of specifying authorization mechanisms to secure access to NMOS APIs such as IS-04, -05, or -08. We will also explain the current concept of an authorization server and how it can issue tokens for controllers and nodes. In this way, we can secure NMOS nodes against unwanted access for starting/stopping/configuring media endpoints. The choice of API for finding the server and retrieving tokens is closely linked to other NMOS APIs, in order to allow for fast adoption.

Arne B?nninghoff | Riedel Communications GmbH & Co. KG | Wuppertal, Germany