DRM is a necessary evil for premium content providers, but with the recent streaming formats and standards, it gets rather easy to create DRM-protected streaming systems. MPEG-DASH with Common Encryption (CENC), together with HLS and FairPlay, is the state-of-the-art DRM approach to reach the majority of platforms today. This hands-on workshop focuses on the common approaches to content protection in 2017.

1. Stefan Lederer, CEO
Paul MacDougall, Solution Architect
How to Provide Protected Content to
Desktop, Mobile,TVs & Streaming Boxes
W5 - DRM Workflows

2. Agenda ● Who are we?
● Video Problems on the Web
● Content Protection Technologies
● DRM and its variants
● Example implementation
● What’s next?

3. Global Locations
● US - San Francisco, Chicago,
New York, Seatle
● Europe - Austria, Netherlands
● APAC - Hong Kong
● LATAM - Sao Paulo
Who’s behind us
Privately funded by worldwide leading
venture capital firms:
Business Angel Investors
● Chris Kaiser – former VP
Engineering Netflix
● Edward Kozel – former CTO
Cisco
● David Helgason – founder of
Unity
● Brendan Iribe – founder and
CEO of Oculus
● Dries Buytaert – founder of
Drupal and CTO of Acquia
Track record
Founded in 2013 after co-creating
MPEG-DASH standard
Technology leading Video
Infrastructure for the Web:
Encoding, HTML5 Player, Analytics,
Cloud Storage and Delivery
Integrations
Global customer base: 250
companies, 6 continents
About Bitmovin
Founders Co-created the
MPEG-DASH standard
● Used by Netflix and Youtube
● 50 % U.S. Peak Internet Traffic
● 10 US PTC Patents
● 20+ Papers in Multimedia
● Author of the MPEG DASH
Reference Software

4. Bitmovers All Around The World

6. Online Video
Problems

7. Solution
Full-Stack Video
Infrastructure API

8. Bitmovin Encoding
● Up to 100x Real-Time
● Massive compute options –
Google, AWS, Kubernetes, etc..
● Massive Parallelization
● 100% customizable
● Unlimited bit rates
● For H.264/AVC, H.265/HEVC
and VP9
● Get to market fast with new video
● Fully Customizable API
● Fully Customizable Profiles
● Many API Clients and Examples
● DRM Support for
DASH/HLS/MP4
● Offline DRM Support

9. Managed On-Premise
Encoding

10. HTML5 Player
● Fully configurable startup & seeking behaviour
○ i.e. minimum quality, limit resolution to player
resolution, etc.
● Flexibility to create own adaptation algorithm using
the API
Fastest Video Startup
● Fastest loading player on the
market
● < 300ms until first frame
● 9 patents on adaptive bitrate
adaptation

11. Premium Video =
$$$*
*If you can:
Sell it or Rent it
Distribute it
Protect it from
unauthorized access
Image idea: treasure chest + pirates (content
gets pirated)

12. Common Ways to
Lockdown Video
Assets:
Tokenization
Encryption
DRM

13. Encryption
Encrypts the the
transmission of the video
stream
Why use it?
● Easy to implement
● Good enough for most use cases
● SAMPLE-AES and AES-128
But...
● Software-level key handling lacks of control
over output instances and devices
● For online viewing only

14. DRM - Digital Rights
Management
Encrypts content and
dictates usage rights for
video playback at SW &
HW levels
Why use it?
● Highest level of protection
● Selectable output control
● Offline viewing possible
But...
● $$$ to implement - licensing and development
● Customer experience negatively impacted
● More places thing can break
● Typically, each device supports just one DRM
Use for
● High value content
● When required by content agreement

15. Many Providers

16. How Does DRM
Work?
The video content is
encrypted with a content key
System generates license
files to accompany the
content
System allows playback for
an authenticated user and
device

17. DRM Technologies
by Provider
Widevine Modular &
Classic
PlayReady
Fairplay
PrimeTime

18. Widevine Modular
DRM Overview
Widevine Modular (successor to Classic)
● Google’s DRM - Extensive support for Google ecosystem
● Supports DASH with CENC
● Supports Hardware Security (TEE)
● Can limit content quality server-side
● Rights expression/policy enforcement
Widevine Classic
Google legacy technology
Only supports .WVM (Google proprietary packaging)
EOLed - provided as-is with no improvements
Rarely used in US

19. PlayReady DRM
Overview
Microsoft PlayReady
● Microsoft DRM - broad platform support,
including many smart TVs
● Most robust rights management
● Pre-cache licenses (fine grain sunrise and
sunset of keys)

20. FairPlay DRM
Overview
Apple Fairplay
● No rights expression or policy enforcement
● Needs Key Security Module on Key Server
● Needs code to relay key requests

21. Adobe PrimeTime
DRM Overview
Adobe Primetime (successor to Access)
● Fine-grained policy management system
(whitelist apps, devices, domains)
● Support for key and license rotation

22. Premium Video &
Adoption of HTML5
Enables playing premium
video content directly in
the browser. No Plug-ins!
● MPEG-DASH - industry standard for adaptive
streaming
● W3C Media Source Extensions (MSEs) -
“extends HTMLMediaElement to allow
JavaScript to generate media streams for
playback.”
● W3C Encrypted Media Extensions (EMEs) -
“extends HTMLMediaElement providing APIs
to control playback of protected content.”

23. Proprietary
Ecosystems Will
Disappear

24. Open Ecosystems
are Winning:
HTML5 MSE/EME,
DASH, etc.

25. Is it that easy to
build a video player?

26. DRM Support in
HTML5 Browsers
Source: http://www.ezdrm.com/html/compare-drm.asp

27. DRM Support in
Mobile Devices
Source: http://www.ezdrm.com/html/compare-drm.asp

28. DRM Support in
OTT Devices
Source: http://www.ezdrm.com/html/compare-drm.asp

29. DRM Support in
Connected TVs &
Game Consoles
Source: http://www.ezdrm.com/html/compare-drm.asp

30. Multi-DRM
Maximum device reach
● Traditional (before DASH) Multi-DRM setups
need to encrypt and package the content for
each DRM separately
● DASH CENC/EME - allows key association
from different DRM’s with the same video
● Except for Apple (FairPlay with HLS on
devices & in Safari)
● Multi-DRM Providers:EZ DRM, ExpressPlay,
Intertrust, Irdeto, Axinom, BuyDRM,
Verimatrix, and others

31. Hollywood &
UltraViolet
Implement a DRM
accepted by the studios
● Industry wide entitlement locker
● Digital Entertainment Content Ecosystem
(DECE) - consortium of 85 studios, consumer
electronics manufs, retailers, etc.
● UltraViolet - a set of standards for the digital
distribution of premium Hollywood content
● Approved DRMs: Widevine, PlayReady,
PrimeTime, Marlin, OMA, DivXDRM
● But not Apple Fairplay

32. Implementing a
DRM Workflow
DRM Keyflow
● Identity Management
● Entitlement Management
○ What content can you watch
○ Download
○ Rent time
○ Quality (SD/HD)
● Key exchange

33. Implementing a
DRM Workflow
End user requests
playback of content Your
Entitlement
Server
License
Server
End User

34. Implementing a
DRM Workflow
License Server checks
with your Entitlement
Server if user is entitled
to watch content
Your
Entitlement
Server
License
Server
End User

35. Implementing a
DRM Workflow
Entitlement Server says
yes Your
Entitlement
Server
License
Server
End User

36. Implementing a
DRM Workflow
Key is given to End User,
playback is permitted Your
Entitlement
Server
License
Server
End User

37. Demonstration
Sample DRM server
response for encoding
files
<EZDRM xmlns="">
<WideVine diffgr:id="WideVine1" msdata:rowOrder="0" diffgr:hasChanges="inserted">
<ContentID>iSWudw/m/0SlDgg7UxkWuA==</ContentID>
<Key>Qab1RE+g2t5cVrsz1I42qw==</Key>
<KeyHEX>41a6f5444fa0dade5c56bb33d48e36ab</KeyHEX>
<KeyID>9Akq2ajvVbOMXEYV63iIpA==</KeyID>
<KeyIDGUID>f4092ad9-a8ef-55b3-8c5c-4615eb7888a4</KeyIDGUID>
<KeyIDHEX>f4092ad9a8ef55b38c5c4615eb7888a4</KeyIDHEX>
<PSSH>
EhD0CSrZqO9Vs4xcRhXreIikGghtb3ZpZG9uZSIQiSWudw/m/0SlDgg7UxkWuEjj3JWbBg==
</PSSH>
<ServerURL>https://widevine-dash.ezdrm.com/proxy?pX=CF1AEB</ServerURL>
<ServerGet>
request = {"policy": "","tracks": [{"type": "SD"}],"content_id": "iSWudw/m/0SlDgg7UxkWuA=="}
</ServerGet>
<ResponseRaw>
{"status": "OK","drm": [{"type": "WIDEVINE","system_id":
"edef8ba979d64acea3c827dcd51d21ed"}],"tracks": [{"type": "SD","key_id":
"9Akq2ajvVbOMXEYV63iIpA==","key": "Qab1RE+g2t5cVrsz1I42qw==","pssh": [{"drm_type":
"WIDEVINE","data":
"EhD0CSrZqO9Vs4xcRhXreIikGghtb3ZpZG9uZSIQiSWudw/m/0SlDgg7UxkWuEjj3JWbBg=="}]}]}
</ResponseRaw>
</WideVine>
<PlayReady diffgr:id="PlayReady1" msdata:rowOrder="0" diffgr:hasChanges="inserted">
<Key>Qab1RE+g2t5cVrsz1I42qw==</Key>
<KeyHEX>41a6f5444fa0dade5c56bb33d48e36ab</KeyHEX>
<KeyIDGUID>f4092ad9-a8ef-55b3-8c5c-4615eb7888a4</KeyIDGUID>
<LAURL>
https://playready.ezdrm.com/cency/preauth.aspx?pX=CFD36D
</LAURL>
<Checksum>ajppWh0L7Wk=</Checksum>
</PlayReady>
</EZDRM>
/paulmacdougall/Streamin
g-Media-East-2017-DRM

38. Demonstration
DASH Manifest for CENC
DRM protected content
/paulmacdougall/Streamin
g-Media-East-2017-DRM

39. Testing the DRM
Workflow
● VMs are perilous!
● Chrome needs SSL (https)
● Must have full HDCP signal chain

40. What’s Next? Widevine Modular offering persistent license support
Intel offering TEE locker in new chipsets
CMAF - New implementation set of existing
standards to simplify content delivery, with fMP4 as
video standard.
CBC vs CTR
Previously required one set of file encrypted with
CBC for FairPlay and one CTR for Widevine and
PlayReady.

41. Current
M2TS
AVC/h.264
HLS DASH
FairPlay
PlayReady,
Widevine, etc.
Apple Users Everyone else
AES-128 CBC AES-128 CTR
fMP4
Separate files on
storage/CDN

42. CMAF
+ CMAD Media Object Model
compatible with DASH
Data Model
+ Segment formats based on
ISOBMFF
- Different manifest formats
(MPD vs m3u8)
- CENC: AES-128 CBC
(HLS) vs AES-128 CTR (all
others) mode

43. CMAF
AES-128 CBC
fMP4
AVC/h.264
HLS DASH
FairPlay
PlayReady,
Widevine, etc.
Apple Users Everyone else
Only manifests (.m3u8 &
.mpd), small text files, are
replicated on storage and
CDN

44. www.bitmovin.com