AOMediaCodec / av1-isobmff

Official specification of the AOM group for the carriage of AV1 in ISOBMFF
https://AOMediaCodec.github.io/av1-isobmff

Subsample encryption of Metadata OBUs #130

Closed podborski closed 2 years ago

podborski commented 3 years ago

Section 4.1 defines general constraints for subsample encryption, one of which allows encrypting metadata OBUs that could be embedded in the video stream:

  • Metadata OBUs MAY be protected.

We obviously agree on the fact that there may be sensitive metadata that requires protection. But in such a case, that metadata should probably be handled differently and should flow down a different pipeline than the video data one. The protected video data pipeline has only one exit - the screen. Metadata that’s protected in the same stream as the video data had better be consumed/interpreted in that pipeline, or it can’t be used.

But do we have such metadata which would also require in-stream protection? Rendering-related metadata usually does not contain any sensitive or private information which would require protection, and protecting it would just introduce additional computational overhead. But more importantly, it could weaken the video protection itself.

Currently, we are adding additional constraints to disallow such a case in derived specifications. For example, in the HDR10+ AV1 Metadata Handling Specification we say that such metadata shall not be protected in-stream. And if you look into the CENC specification itself, it has similar constraints as well for MPEG codecs, where only video slice data is intended to be encrypted.

But why is it handled differently in AOM? Not sure if this was discussed during the development of the AV1 ISOBMFF spec, but I could not find any related discussion about this on GitHub. It seems like this discussion happened before the GitHub repository was created.

Proposal

The easiest way to fix this would be to change:

  • Metadata OBUs MAY be protected.

to

  • Metadata OBUs SHALL NOT be protected.

or, more comfortably, to

  • Metadata OBUs MAY be protected, but SHALL NOT be protected in the same stream as video data.

And add the note: All the data that is protected in the video stream is passed into a controlled pipeline for de-protecting and display, and generally there is no other delivery for unprotected data than the display.
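As an added example (not part of the av1-isobmff spec or of this issue), a Python check of the proposed rule against an AV1 sample and its CENC 'senc' subsample map: it parses the OBU byte ranges, maps the (BytesOfClearData, BytesOfProtectedData) entries to encrypted ranges, and reports which OBU types overlap them. The sample bytes and subsample entries below are constructed, and the check assumes every OBU in the sample carries obu_size.

```python
OBU_METADATA = 5  # obu_type value defined by the AV1 bitstream spec

def read_leb128(buf, pos):
    """Decode an AV1 leb128 value at pos; return (value, new_pos)."""
    value = 0
    for i in range(8):
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            break
    return value, pos

def parse_obus(sample):
    """[(obu_type, start, end)] per OBU; ISOBMFF samples always carry obu_size."""
    obus, pos = [], 0
    while pos < len(sample):
        start, header = pos, sample[pos]
        obu_type = (header >> 3) & 0x0F
        has_ext, has_size = (header >> 2) & 1, (header >> 1) & 1
        if not has_size:
            raise ValueError("OBU at offset %d lacks obu_size" % start)
        size, pos = read_leb128(sample, pos + 1 + has_ext)
        pos += size
        obus.append((obu_type, start, pos))
    return obus

def protected_ranges(subsamples):
    """'senc' (BytesOfClearData, BytesOfProtectedData) -> encrypted [start, end)."""
    ranges, pos = [], 0
    for clear, protected in subsamples:
        pos += clear
        if protected:
            ranges.append((pos, pos + protected))
        pos += protected
    return ranges

def protected_obu_types(sample, subsamples):
    """Set of obu_type values whose bytes overlap an encrypted range."""
    enc = protected_ranges(subsamples)
    return {t for t, s, e in parse_obus(sample)
            if any(s < re and rs < e for rs, re in enc)}

def metadata_in_clear(sample, subsamples):
    """True when no Metadata OBU byte is encrypted (the proposed SHALL NOT)."""
    return OBU_METADATA not in protected_obu_types(sample, subsamples)

# Constructed 15-byte sample: temporal delimiter [0,2), metadata OBU [2,7), frame OBU [7,15).
SAMPLE = bytes([0x12, 0x00, 0x2A, 0x03, 0x04, 0x00, 0x00, 0x32, 0x06]) + b"\xAA" * 6
GOOD_SUBSAMPLES = [(9, 6)]         # only the frame payload is encrypted
BAD_SUBSAMPLES = [(2, 5), (2, 6)]  # the metadata OBU sits inside an encrypted range
```

Running `metadata_in_clear(SAMPLE, BAD_SUBSAMPLES)` returns False, flagging a sample that a packager following the proposed text would have to reject.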

cconcolato commented 2 years ago

The group agrees to adopt the first suggestion.