We all know you can’t prove a system is secure and you can’t eliminate bugs. What you can do is implement the Best Current Practice for security in your IP facility. AMWA are working on defining two BCP-003 specifications to help you do just that.
Arne Bönninghoff from Riedel is our man to take us through what these two BCP specifications mean. He sets the scene by explaining the difference between confidentiality and integrity, and between authentication and authorisation. BCP-003-01 deals with establishing trust (identification, integrity and authentication) as well as confidentiality, whereas BCP-003-02 defines the best practices for authorisation.
Taking these in turn, Arne looks at how TLS works (a name sometimes used synonymously with the older SSL technology). He shows how the certificates are exchanged and identified, highlighting the need for DNS, which is recommended as part of EBU TR 1001-1. TLS is all about encryption, so we look at the encryption methods available, also known as HTTPS ciphers. Arne makes the point that, out of the possibilities, there are only 4 ciphers which are widely supported by all vendors. In summary, BCP-003-01 needs certificates, DNS and internet access to connect to certificate authorities.
BCP-003-02 is about ensuring that only permitted computers can interface with the system, for instance to use NMOS IS-04 and IS-05. It describes how tokens can be retrieved, used for access and validated. This is also called IS-10, and Arne talks us through the information exchanges in the system and explains how OAuth2 + JWT come into play. Arne cautions against being anything less than ardent about implementing security best practice and concludes by saying that the IS- specifications are based on IT standards like HTTP and JSON, which are widely used across the IT industry.
Head of IP Research,
Riedel Communications GmbH & Co. KG