DRM is a necessary evil for premium content providers, but with the recent streaming formats and standards, it gets rather easy to create DRM-protected streaming systems. MPEG-DASH with Common Encryption (CENC), together with HLS and FairPlay, is the state-of-the-art DRM approach to reach the majority of platforms today. This hands-on workshop focuses on the common approaches to content protection in 2017.
DRM Workflows: How to Provide Protected Content to Desktop, Mobile, TVs, & Streaming Boxes
1. Stefan Lederer, CEO
Paul MacDougall, Solution Architect
How to Provide Protected Content to
Desktop, Mobile, TVs & Streaming Boxes
W5 - DRM Workflows
2. Agenda ● Who are we?
● Video Problems on the Web
● Content Protection Technologies
● DRM and its variants
● Example implementation
● What’s next?
3. Global Locations
● US - San Francisco, Chicago,
New York, Seattle
● Europe - Austria, Netherlands
● APAC - Hong Kong
● LATAM - Sao Paulo
Who’s behind us
Privately funded by worldwide leading
venture capital firms:
Business Angel Investors
● Chris Kaiser – former VP
Engineering Netflix
● Edward Kozel – former CTO
Cisco
● David Helgason – founder of
Unity
● Brendan Iribe – founder and
CEO of Oculus
● Dries Buytaert – founder of
Drupal and CTO of Acquia
Track record
Founded in 2013 after co-creating
MPEG-DASH standard
Technology leading Video
Infrastructure for the Web:
Encoding, HTML5 Player, Analytics,
Cloud Storage and Delivery
Integrations
Global customer base: 250
companies, 6 continents
About Bitmovin
Founders Co-created the
MPEG-DASH standard
● Used by Netflix and Youtube
● 50 % U.S. Peak Internet Traffic
● 10 US PTC Patents
● 20+ Papers in Multimedia
● Author of the MPEG DASH
Reference Software
8. Bitmovin Encoding
● Up to 100x Real-Time
● Massive compute options –
Google, AWS, Kubernetes, etc.
● Massive Parallelization
● 100% customizable
● Unlimited bit rates
● For H.264/AVC, H.265/HEVC
and VP9
● Get to market fast with new video
● Fully Customizable API
● Fully Customizable Profiles
● Many API Clients and Examples
● DRM Support for
DASH/HLS/MP4
● Offline DRM Support
10. HTML5 Player
● Fully configurable startup & seeking behaviour
○ i.e. minimum quality, limit resolution to player
resolution, etc.
● Flexibility to create own adaptation algorithm using
the API
Fastest Video Startup
● Fastest loading player on the
market
● < 300ms until first frame
● 9 patents on adaptive bitrate
adaptation
11. Premium Video =
$$$*
*If you can:
Sell it or Rent it
Distribute it
Protect it from
unauthorized access
Image idea: treasure chest + pirates (content
gets pirated)
13. Encryption
Encrypts the
transmission of the video
stream
Why use it?
● Easy to implement
● Good enough for most use cases
● SAMPLE-AES and AES-128
But...
● Software-level key handling lacks control
over output instances and devices
● For online viewing only
14. DRM - Digital Rights
Management
Encrypts content and
dictates usage rights for
video playback at SW &
HW levels
Why use it?
● Highest level of protection
● Selectable output control
● Offline viewing possible
But...
● $$$ to implement - licensing and development
● Customer experience negatively impacted
● More places things can break
● Typically, each device supports just one DRM
Use for
● High value content
● When required by content agreement
16. How Does DRM
Work?
The video content is
encrypted with a content key
System generates license
files to accompany the
content
System allows playback for
an authenticated user and
device
18. Widevine Modular
DRM Overview
Widevine Modular (successor to Classic)
● Google’s DRM - Extensive support for Google ecosystem
● Supports DASH with CENC
● Supports Hardware Security (TEE)
● Can limit content quality server-side
● Rights expression/policy enforcement
Widevine Classic
Google legacy technology
Only supports .WVM (Google proprietary packaging)
EOLed - provided as-is with no improvements
Rarely used in US
19. PlayReady DRM
Overview
Microsoft PlayReady
● Microsoft DRM - broad platform support,
including many smart TVs
● Most robust rights management
● Pre-cache licenses (fine grain sunrise and
sunset of keys)
20. FairPlay DRM
Overview
Apple FairPlay
● No rights expression or policy enforcement
● Needs Key Security Module on Key Server
● Needs code to relay key requests
21. Adobe PrimeTime
DRM Overview
Adobe Primetime (successor to Access)
● Fine-grained policy management system
(whitelist apps, devices, domains)
● Support for key and license rotation
22. Premium Video &
Adoption of HTML5
Enables playing premium
video content directly in
the browser. No Plug-ins!
● MPEG-DASH - industry standard for adaptive
streaming
● W3C Media Source Extensions (MSEs) -
“extends HTMLMediaElement to allow
JavaScript to generate media streams for
playback.”
● W3C Encrypted Media Extensions (EMEs) -
“extends HTMLMediaElement providing APIs
to control playback of protected content.”
30. Multi-DRM
Maximum device reach
● Traditional (before DASH) Multi-DRM setups
need to encrypt and package the content for
each DRM separately
● DASH CENC/EME - allows key association
from different DRMs with the same video
● Except for Apple (FairPlay with HLS on
devices & in Safari)
● Multi-DRM Providers: EZ DRM, ExpressPlay,
Intertrust, Irdeto, Axinom, BuyDRM,
Verimatrix, and others
31. Hollywood &
UltraViolet
Implement a DRM
accepted by the studios
● Industry wide entitlement locker
● Digital Entertainment Content Ecosystem
(DECE) - consortium of 85 studios, consumer
electronics manufacturers, retailers, etc.
● UltraViolet - a set of standards for the digital
distribution of premium Hollywood content
● Approved DRMs: Widevine, PlayReady,
PrimeTime, Marlin, OMA, DivXDRM
● But not Apple FairPlay
32. Implementing a
DRM Workflow
DRM Keyflow
● Identity Management
● Entitlement Management
○ What content can you watch
○ Download
○ Rent time
○ Quality (SD/HD)
● Key exchange
34. Implementing a
DRM Workflow
License Server checks
with your Entitlement
Server if user is entitled
to watch content
Your
Entitlement
Server
License
Server
End User
39. Testing the DRM
Workflow
● VMs are perilous!
● Chrome needs SSL (https)
● Must have full HDCP signal chain
40. What’s Next?
Widevine Modular offering persistent license support
Intel offering TEE locker in new chipsets
CMAF - New implementation set of existing
standards to simplify content delivery, with fMP4 as
video standard.
CBC vs CTR
Previously required one set of files encrypted with
CBC for FairPlay and one CTR for Widevine and
PlayReady.
42. CMAF
+ CMAF Media Object Model
compatible with DASH
Data Model
+ Segment formats based on
ISOBMFF
- Different manifest formats
(MPD vs m3u8)
- CENC: AES-128 CBC
(HLS) vs AES-128 CTR (all
others) mode
From FBI.gov:
“Intellectual property theft involves robbing people or companies of their ideas, inventions, and creative expressions—known as “intellectual property”—which can include everything from trade secrets and proprietary products and parts to movies, music, and software.
It is a growing threat—especially with the rise of digital technologies and Internet file sharing networks. And much of the theft takes place overseas, where laws are often lax and enforcement is more difficult. All told, intellectual property theft costs U.S. businesses billions of dollars a year and robs the nation of jobs and tax revenues.” (https://www.fbi.gov/investigate/white-collar-crime/piracy-ip-theft)
MSEs - enable us to dynamically manage the playback session to respond to changing network conditions.
EMEs - enable playback of protected content, and hardware acceleration on capable platforms.
W3C - the World Wide Web Consortium is an international community that develops open standards to ensure the long-term growth of the Web.
Typically, each platform/browser combination supports just a single DRM.
If you want to achieve maximum device reach it’s impossible to use just one DRM.
MPEG-CENC is a huge improvement on the traditional Multi-DRM model as it prevents duplication by avoiding the need to create one output package for each DRM.
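An added example (not from the original slides): probing through EME which DRM key system a browser exposes, then choosing the matching package, DASH with CENC for Widevine or PlayReady and HLS for FairPlay. The key-system strings, the probe codec string and the function names `detectDrm` and `pickStream` are assumptions for illustration.

```javascript
// Added example. Key-system strings are the identifiers browsers commonly
// register for EME; the probe codec string is an assumption.
const KEY_SYSTEMS = {
  widevine: 'com.widevine.alpha',
  playready: 'com.microsoft.playready',
  fairplay: 'com.apple.fps',
};
const PROBE = [{
  videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
}];

// env is window-like: { isSecureContext, navigator }. Passing it in keeps the
// function usable outside a browser (for example with a mock).
async function detectDrm(env) {
  // EME is only exposed on secure origins, hence the HTTPS requirement.
  if (!env.isSecureContext) return { error: 'insecure-context', supported: [] };
  const nav = env.navigator;
  if (!nav || typeof nav.requestMediaKeySystemAccess !== 'function') {
    return { error: 'eme-unavailable', supported: [] };
  }
  const supported = [];
  for (const [name, keySystem] of Object.entries(KEY_SYSTEMS)) {
    try {
      await nav.requestMediaKeySystemAccess(keySystem, PROBE);
      supported.push(name);
    } catch (err) {
      // Rejected: this key system is not usable on this platform.
    }
  }
  return { error: null, supported };
}

// One CENC-encrypted DASH package serves Widevine and PlayReady; FairPlay
// needs the separate HLS package.
function pickStream(supported) {
  for (const drm of ['widevine', 'playready']) {
    if (supported.includes(drm)) return { drm, format: 'dash' };
  }
  if (supported.includes('fairplay')) return { drm: 'fairplay', format: 'hls' };
  return null; // no supported DRM on this client
}
```

In a page, call `detectDrm(window)` and pass the `supported` list to `pickStream` before loading a manifest.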
Some VMs can play DRM, some can’t, you will run into much frustration if you try to test this way.
CBC = Cipher Block Chaining Mode, first used by Apple for FairPlay, now adopted for CMAF by Google and Microsoft
CTR = Counter Mode, uses a sequential counter to encrypt, initially used by Google and MSFT
Google added CBC support in October 2016
MSFT added CBC support at NAB in April 2017