- Quick Introduction: How to build an end-to-end Marlin system in 30 minutes.
- Marlin Organization Overview
- Marlin Technology Primer
- Content Packaging and Distribution Technology
- Marlin Server Side Technology
- Marlin Client Side Technology
- Implementation Security
- Q&A
- Packaging clear-text content into a protected format
- Implementing a Marlin MS3 Streaming-only Server Solution
- Implementing a Marlin Broadband DRM Server Solution
- Implementing an HbbTV application content playback functionality
Founded in 2005 by five companies: Intertrust, Panasonic, Philips, Samsung and Sony
- Marlin Developer Community (MDC)
- Marlin Partner Program (MPP)
- Marlin Trust Management Organization (MTMO)
- Marlin Organization Relationships
- Additional Information
- Marlin Partner Program is a forum for solutions providers
- Over 35 partner companies provide expertise across the value chain
- Includes Technology Solutions Providers and System Integrators
- MPP membership includes non-commercial access to SDKs


- Platform Technology Overview
- Delivery Systems Overview
- Service Protocols
The NEMO framework provides the trusted "plumbing" between the various functional components in a system. NEMO combines SOAP web services with SAML authorizations to provide end-to-end message integrity and confidentiality protection, entity authentication, and role-based service authorization.
Fundamentally the framework defines:
Octopus is a general-purpose DRM architecture that can be applied to any system requiring distributed governance and control of information.
Fundamentally Octopus DRM is composed of:
The Marlin Core System Specification defines a common infrastructure for all Marlin Delivery Systems to build upon. Fundamentally the goal of MCS is to enable interoperation among disparate implementations of Marlin technology.
Key aspects of MCS include:




Content Identification (program-based or service-based):
```
cid:marlin#P||serviceBaseCID||"@"||hex(program_CID_extension)
cid:marlin#S||serviceBaseCID||"@"||hex(service_CID_extension)
```
Example:
cid:marlin#Purn:marlin:organization:example:video:1234@00000001
The content id (CID) is composed of a service namespace identifier and a content-item-specific, hex-encoded 32-bit value.
```
serviceBaseCID = urn:marlin:organization:hms:bbts
service_CID_extension = 0a0b0c0d
```
Content Key (128-bit value):
000102030405060708090a0b0c0d0e0f
```
Ts2Encrypt --key cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d::000102030405060708090a0b0c0d0e0f \
    --rights-issuer http://example.com \
    bigbucksbunny-trailer.ts bigbucksbunny-trailer.bbts
```
```
Ts2Decrypt --key cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d::000102030405060708090a0b0c0d0e0f \
    bigbucksbunny-trailer.bbts bigbucksbunny-trailer.ts
```
Download the clear-text bigbucksbunny-trailer.ts
```
Ts2Info bigbucksbunny-trailer.bbts
Marlin Protected file:
Marlin content id is cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d::000102030405060708090a0b0c0d0e0f
Rights issuer url is http://example.com
```
```
mp4dcfpackager --method CBC --content-type audio/mp3 \
    --content-id urn:marlin:organization:example:01234 \
    --rights-issuer http://example.com \
    --key 00112233445566778899aabbccddeeff:00000000000000000000000000000000 \
    song.mp3 song.mra
```
```
mp4decrypt --key 1:00112233445566778899aabbccddeeff song.mra song-clear.odf
```
NB: resulting file is still in DCF format (cleartext). Use mp4extract to extract ‘odda’ box and cut first 8 bytes
MP4 files packaged as PDCF content can have individual tracks encrypted with the same or different keys. For each protected track, a unique content id must be chosen.
Content Identification
- audio: urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100
- video: urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101
Content Key
000102030405060708090a0b0c0d0e0f
Cryptographic Algorithm and Initialization Vector
OMA-PDCF-CTR 0000000000000000
```
mp4encrypt --method OMA-PDCF-CTR \
    --key 1:000102030405060708090a0b0c0d0e0f:0000000000000000 \
    --key 2:000102030405060708090a0b0c0d0e0f:0000000000000000 \
    --property 1:ContentId:urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100 \
    --property 2:ContentId:urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101 \
    bigbucksbunny-trailer.mp4 bigbucksbunny-trailer.mlv
```
```
mp4decrypt --key 1:000102030405060708090a0b0c0d0e0f:0000000000000000 \
    --key 2:000102030405060708090a0b0c0d0e0f:0000000000000000 \
    bigbucksbunny-trailer.mlv bigbucksbunny-trailer.mp4
```
Download the clear-text bigbucksbunny-trailer.mp4

draft-pantos-http-live-streaming-07
Segments encrypted with BBTS or Bulk
Bulk:
- METHOD=AES-128 (MANDATORY) as specified in [HLS], §3.2.3
- IV (OPTIONAL) as specified in [HLS]
- CID="<ContentId>" (MANDATORY) content identifier
BBTS:
- METHOD=MARLIN-BBTS (MANDATORY)
- CID="<ContentId>" (MANDATORY) content identifier
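A playlist check for the two attribute sets listed above, as an added example that is not part of the original slides. It assumes the attributes are carried on the HLS `#EXT-X-KEY` tag, checks only the attributes named here, and runs on a constructed playlist.

```python
import re

# HLS attribute list: NAME=value pairs separated by commas. A quoted value may
# itself contain commas, so a plain split(",") is not enough.
ATTR = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^",]*)')
HEX_IV = re.compile(r"0[xX][0-9a-fA-F]{1,32}")  # hexadecimal integer, up to 128 bits
KEY_TAG = "#EXT-X-KEY:"  # assumption: the tag that carries METHOD / IV / CID


def parse_key_tag(line):
    """Return the attribute dict of an EXT-X-KEY line, or None for other lines."""
    if not line.startswith(KEY_TAG):
        return None
    return dict(ATTR.findall(line[len(KEY_TAG):]))


def check_key_attrs(attrs):
    """List violations of the Bulk (AES-128) and BBTS (MARLIN-BBTS) rules."""
    method = attrs.get("METHOD")
    if method == "NONE":  # plain HLS: segments are not encrypted
        return []
    if method not in ("AES-128", "MARLIN-BBTS"):
        return [f"METHOD is {method!r}, expected AES-128 or MARLIN-BBTS"]
    problems = []
    cid = attrs.get("CID")
    if cid is None:
        problems.append("CID is mandatory")
    elif not re.fullmatch(r'"[^"]+"', cid):
        problems.append("CID must be a non-empty quoted string")
    iv = attrs.get("IV")
    if method == "AES-128" and iv is not None and not HEX_IV.fullmatch(iv):
        problems.append("IV must be a 0x-prefixed hexadecimal integer")
    return problems


def validate_playlist(text):
    """Return (line_number, problem) for every EXT-X-KEY tag that breaks a rule."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        attrs = parse_key_tag(line.strip())
        if attrs is not None:
            findings += [(number, p) for p in check_key_attrs(attrs)]
    return findings


# Constructed sample playlist, trimmed to the key tags and segment URIs.
SAMPLE = "\n".join([
    "#EXTM3U",
    '#EXT-X-KEY:METHOD=AES-128,IV=0x000102030405060708090a0b0c0d0e0f,'
    'CID="urn:marlin:organization:example:01234"',
    "seg0.ts",
    '#EXT-X-KEY:METHOD=MARLIN-BBTS,CID="cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d"',
    "seg1.bbts",
    "#EXT-X-KEY:METHOD=MARLIN-BBTS",          # CID missing
    "seg2.bbts",
    '#EXT-X-KEY:METHOD=AES-128,IV=0a0b,CID=""',  # empty CID, IV without 0x
    "seg3.ts",
])

if __name__ == "__main__":
    for number, problem in validate_playlist(SAMPLE):
        print(f"line {number}: {problem}")
```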





Set up an account
Review the REST API
Integrate DRM support into the content store interface
Package the content
device simulators
Sign up for the service at https://www.hostedmarlin.com/
HMS provides a simple REST API to issue rights to content
Marlin Broadband Action Token
HMS Rest API documentation and tutorial are available at: https://www.hostedmarlin.com/help.
HMS operates by issuing transaction tokens to service providers. A media-aware client application then redeems a token for a DRM object, such as a license for a particular content item.
HMS supports three types of transaction tokens:
- MS3 License
- Marlin Broadband License
- Marlin Broadband Registration
customerAuthenticator
The Customer Authenticator that was provided on the CMI web site.
contentId
For single content id the syntax is contentId=. For multiple contentIds the syntax is contentId.N=.
contentKey
For single content key the syntax is contentKey=. For multiple contentKeys the syntax is contentKey.N=. The value of N must correspond with the contentId having the same value.
contentURL
This is the URL where the protected content can be downloaded. It will be embedded in the transaction token (a URL for MS3 Licenses).
Given the following parameters:
- customer authenticator: FOOBAR
- content id: cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d
- content key: 000102030405060708090a0b0c0d0e0f

A transaction token can be requested using curl:
```
curl 'https://eval.hostedmarlin.com/hms/ms3/token?customerAuthenticator=FOOBAR&contentId=cid:marlin%23Purn:marlin:organization:hms:bbts@0a0b0c0d&contentKey=000102030405060708090a0b0c0d0e0f&contentURL=http://example.com/bigbucksbunny' > ms3_compound_uri.txt
```
In the above example, an errorFormat parameter was not specified so the default of HTML will be used. Alternatively errorFormat=json could have been added to the query string.
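The content id format, the packager `--key` value and the token query string fit together as follows. This is an added example, not HMS or Wasabi code: the function names are hypothetical, the parameter names and endpoint are the ones shown above, and numbering `contentId.N` from 0 follows the Broadband request shown later in these slides. It only builds strings and sends no request.

```python
import re
from urllib.parse import urlencode


def marlin_cid(kind, service_base_cid, extension):
    """cid:marlin#<P|S><serviceBaseCID>@<32-bit extension as 8 hex digits>."""
    if kind not in ("P", "S"):
        raise ValueError("kind is 'P' (program-based) or 'S' (service-based)")
    if not service_base_cid or re.search(r"[@#\s]", service_base_cid):
        raise ValueError("serviceBaseCID must not contain '@', '#' or spaces")
    if not 0 <= extension <= 0xFFFFFFFF:
        raise ValueError("CID extension must fit in 32 bits")
    return f"cid:marlin#{kind}{service_base_cid}@{extension:08x}"


def check_key(key_hex):
    """Return the key in lower case, or raise unless it is 128 bits of hex."""
    if not re.fullmatch(r"[0-9a-fA-F]{32}", key_hex):
        raise ValueError("content key must be 32 hex digits (128 bits)")
    return key_hex.lower()


def packager_key_arg(cid, key_hex):
    """Value of the Ts2Encrypt / Ts2Decrypt --key option: <CID>::<key>."""
    return f"{cid}::{check_key(key_hex)}"


def token_url(endpoint, authenticator, items, **extra):
    """Build a token request URL; items is a list of (contentId, contentKey)."""
    params = [("customerAuthenticator", authenticator)]
    if len(items) == 1:
        names = [("contentId", "contentKey")]
    else:  # contentId.N pairs with the contentKey.N that has the same N
        names = [(f"contentId.{n}", f"contentKey.{n}") for n in range(len(items))]
    for (id_name, key_name), (cid, key) in zip(names, items):
        params += [(id_name, cid), (key_name, check_key(key))]
    params += list(extra.items())
    # ':', '/' and '@' may stay literal in a query string; '#' may not, because
    # it would start the URL fragment and cut the content id short, so it is
    # emitted as %23.
    return endpoint + "?" + urlencode(params, safe=":/@")


if __name__ == "__main__":
    cid = marlin_cid("P", "urn:marlin:organization:hms:bbts", 0x0A0B0C0D)
    print(packager_key_arg(cid, "000102030405060708090a0b0c0d0e0f"))
    print(token_url("https://eval.hostedmarlin.com/hms/ms3/token", "FOOBAR",
                    [(cid, "000102030405060708090a0b0c0d0e0f")],
                    contentURL="http://example.com/bigbucksbunny"))
```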
Assuming the Marlin client has already been personalized (e.g. with WasabiSushiPersonalize), the transaction token (i.e., an MS3CompoundURI) can be redeemed for an MS3 Stream Access Statement.
```
Ms3SampleClient `cat ms3_compound_uri.txt`
--- MS3 Client 1.0 ---
Retrieving URL https://eval.hostedmarlin.com:8443/hms/ms3/rights/?...
SAS:
Key 1:
Content ID: f3b4309701e2ed67ff75a069df70f6f73ce202af
Key Value: 000102030405060708090a0b0c0d0e0f
Authenticator:
Flags: (none)
Output Control: (0,0 hex)
[No Extensions]
Content URL: http://example.com/bigbucksbunny
```
Using the content id and content key the BBTS file can be decrypted and played:
```
Ts2Decrypt --key cid:marlin\#Purn:marlin:organization:hms:bbts@0a0b0c0d::000102030405060708090a0b0c0d0e0f bigbucksbunny-trailer.bbts decrypted.ts
```
For BBTS we can also use WasabiCopyMedia by providing the SAS directly:
```
WasabiCopyMedia -t video/MP2T `cat ms3_compound_uri.txt` decrypted.ts
```
And finally playback can be invoked with ffplay:
```
ffplay decrypted.ts
```
customerAuthenticator
The Customer Authenticator that was provided on the CMI web site.
actionTokenType
This value should be 1 for Broadband License Transaction Token.
contentId
The syntax is contentId= or contentId.N= for multiple contentIds.
contentKey
The syntax is contentKey= or contentKey.N= for multiple contentKeys.
rightsType
This value is either BuyToOwn or Rental. Rental requires the rental.periodEndTime and rental.playDuration parameters.
Given the following parameters:
- customer authenticator: FOOBAR
- audio:
  - content id: urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100
  - content key: 000102030405060708090a0b0c0d0e0f
- video:
  - content id: urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101
  - content key: 000102030405060708090a0b0c0d0e0f

A transaction token can be requested using curl:
```
curl 'https://eval.hostedmarlin.com/hms/bb/token?actionTokenType=1&customerAuthenticator=FOOBAR&contentId.0=urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100&contentKey.0=000102030405060708090a0b0c0d0e0f&contentId.1=urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101&contentKey.1=000102030405060708090a0b0c0d0e0f&rightsType=BuyToOwn' > bb_license_action_token.xml
```
Assuming the Marlin client has already been personalized (e.g. with WasabiSushiPersonalize) then the transaction token (i.e., an ActionToken) can be redeemed for an MBB License.
```
WasabiSushiProcessToken --save-license license_device_bound.xml bb_license_action_token.xml
==== Sushi Token Processor V1.0 =======================================
SDK API Version: 0.1.1.6
SDK IMP Version: 1040000
SDK IMP Build: 7157
SDK IMP Details: (c) 2005-2010 Intertrust Technologies / Revision 7157
OnEvent - > BEGIN [SHI_TRANSACTION_TYPE_SERVICE_TOKEN_PROCESSING]
OnEvent - > PROGRESS: 0 of 3
OnEvent - > PROGRESS: 1 of 3
OnEvent - >> BEGIN [SHI_TRANSACTION_TYPE_LICENSE_ACQUISITION]
OnEvent - >> PROGRESS: 0 of 2
OnEvent - >> PROGRESS: 1 of 2
OnEvent - >> EVENT: event type 9
OnEvent - >> PROGRESS: 2 of 2
OnEvent - >> END: code=0, message=''
OnEvent - > PROGRESS: 2 of 3
OnEvent - > PROGRESS: 3 of 3
OnEvent - > END: code=0, message=''
OnEvent - DONE
======================================================================
```
The redemption of the Action Token resulted in receiving a file license_device_bound.xml. To interrogate the license, supply the relevant contentIds to WasabiSushiAction:
```
WasabiSushiAction Perform Play license_device_bound.xml \
    urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100 \
    urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101
==== Sushi Action V1.0 =============================================
SDK API Version: 0.1.1.6
SDK IMP Version: 1040000
SDK IMP Build: 7157
SDK IMP Details: (c) 2005-2010 Intertrust Technologies / Revision 7157
Action Result: GRANTED
Action Result Info Flag(s):
KEY 0 = 000102030405060708090a0b0c0d0e0f
KEY 1 = 000102030405060708090a0b0c0d0e0f
======================================================================
```
Using the content id and content key the BBTS file can be decrypted and played:
```
mp4decrypt --key 1:000102030405060708090a0b0c0d0e0f --key 2:000102030405060708090a0b0c0d0e0f bigbucksbunny-trailer.mlv decrypted.mp4
```
And finally playback can be invoked with ffplay:
```
ffplay decrypted.mp4
```
customerAuthenticator
The Customer Authenticator that was provided on the CMI web site.
actionTokenType
This value should be 0 for Broadband Registration Action Token.
userId
The user id to associate with this user.
userKey
The user key to associate with this user.
Given the following parameters:
- userId: 12345678
- userKey: 000102030405060708090a0b0c0d0e0f
Request the token using curl:
```
curl 'https://eval.hostedmarlin.com/hms/bb/token?actionTokenType=0&customerAuthenticator=FOOBAR&userId=12345678&userKey=000102030405060708090a0b0c0d0e0f' > bb_registration_token.xml
```
Assuming the Marlin client has already been personalized (e.g. with WasabiSushiPersonalize) then the transaction token (i.e., an ActionToken) can be redeemed for an MBB License.
```
WasabiSushiProcessToken bb_registration_token.xml
==== Sushi Token Processor V1.0 =============================================
SDK API Version: 0.1.1.6
SDK IMP Version: 1040000
SDK IMP Build: 7157
SDK IMP Details: (c) 2005-2010 Intertrust Technologies / Revision 7157
OnEvent - > BEGIN [SHI_TRANSACTION_TYPE_SERVICE_TOKEN_PROCESSING]
OnEvent - > PROGRESS: ...
OnEvent - >> BEGIN [SHI_TRANSACTION_TYPE_USER_REGISTRATION]
OnEvent - >> PROGRESS: ...
OnEvent - >> END: code=0, message=''
OnEvent - > PROGRESS: 2 of 4
OnEvent - >> BEGIN [SHI_TRANSACTION_TYPE_LINK_ACQUISITION]
OnEvent - >> PROGRESS: ...
OnEvent - >> END: code=0, message=''
OnEvent - > PROGRESS: ...
OnEvent - > END: code=0, message=''
OnEvent - DONE
======================================================================
```
To request an Action Token for a user-bound license, you provide the same parameters as for a device-bound license plus the user-specific information supplied for registration.
The requisite parameters are:
customerAuthenticator, actionTokenType, contentId, contentKey, rightsType, userId, userKey
The command line request:
```
curl 'https://eval.hostedmarlin.com/hms/bb/token?actionTokenType=1&customerAuthenticator=FOOBAR&contentId.0=urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100&contentKey.0=000102030405060708090a0b0c0d0e0f&contentId.1=urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101&contentKey.1=000102030405060708090a0b0c0d0e0f&rightsType=BuyToOwn&userId=12345678&userKey=000102030405060708090a0b0c0d0e0f' > bb_user_bound_license_action_token.xml
```
Assuming the Marlin client has already been personalized (e.g. with WasabiSushiPersonalize) then the transaction token (i.e., an ActionToken) can be redeemed for an MBB License.
```
WasabiSushiProcessToken --save-license license_user_bound.xml bb_user_bound_license_action_token.xml
==== Sushi Token Processor V1.0 =============================================
SDK API Version: 0.1.1.6
SDK IMP Version: 1040000
SDK IMP Build: 7157
SDK IMP Details: (c) 2005-2010 Intertrust Technologies / Revision 7157
OnEvent - > BEGIN [SHI_TRANSACTION_TYPE_SERVICE_TOKEN_PROCESSING]
OnEvent - > PROGRESS: ...
OnEvent - >> BEGIN [SHI_TRANSACTION_TYPE_LICENSE_ACQUISITION]
OnEvent - >> PROGRESS: ...
OnEvent - >> EVENT: event type 9
OnEvent - >> PROGRESS: ...
OnEvent - >> END: code=0, message=''
OnEvent - > PROGRESS: ...
OnEvent - > END: code=0, message=''
OnEvent - DONE
======================================================================
```
The redemption of the Action Token resulted in receiving a file bb_user_bound_license_action_token.xml.
To interrogate the license, supply the relevant contentIds to WasabiSushiAction:
```
WasabiSushiAction Perform Play license_user_bound.xml \
    urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100 \
    urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101
==== Sushi Action V1.0 =============================================
SDK API Version: 0.1.1.6
SDK IMP Version: 1040000
SDK IMP Build: 7157
SDK IMP Details: (c) 2005-2010 Intertrust Technologies / Revision 7157
Action Result: GRANTED
Action Result Info Flag(s):
KEY 0 = 000102030405060708090a0b0c0d0e0f
KEY 1 = 000102030405060708090a0b0c0d0e0f
======================================================================
```







```
// create and start the proxy
WSB_PlaylistProxy* proxy = NULL;
WSB_PlaylistProxy_Create(&proxy);
WSB_PlaylistProxy_Start(proxy);

// get a proxy URL to feed the native player
const char* proxy_url;
WSB_PlaylistProxy_MakeUrl(proxy, ms3_url, WSB_PPMST_SINGLE_FILE, NULL, &proxy_url);

// now feed the proxy_url to the player (iOS specific code);
// the player takes an NSURL, so wrap the C string first
MPMoviePlayerController* player = NULL;
NSURL* url = [NSURL URLWithString:[NSString stringWithUTF8String:proxy_url]];
player = [[MPMoviePlayerController alloc] initWithContentURL:url];
[player play];
...
// cleanup after content is done
[player release];
WSB_PlaylistProxy_Stop(proxy);
WSB_PlaylistProxy_Destroy(proxy);
```
```
// create a license manager object
class LicenseRetriever {
public:
    // forwarding method
    static void OnEvent_(SHI_EngineListener self,
                         SHI_EngineEventType type,
                         const SHI_EngineEvent* event) {
        ((LicenseRetriever*)self.instance)->OnEvent(type, event);
    }

    // constructor
    LicenseRetriever() : m_DrmEngine(NULL), m_LicenseStore(NULL) {
        // create a drm engine with ourselves as a listener
        SHI_EngineConfig config;
        const SHI_EngineListenerInterface iface = { OnEvent_ };
        config.flags = 0;
        config.listener.iface = &iface;
        config.listener.instance = (SHI_EngineListenerInstance*)this;
        SHI_Engine_Create(&config, &m_DrmEngine);
        WSB_LicenseStore_Open(&m_LicenseStore);
    };
    ...

    void OnEvent(SHI_EngineEventType type, const SHI_EngineEvent* event) {
        switch(type) {
            case SHI_ENGINE_EVENT_LICENSE_DATA_RECEIVED: {
                // store the received license in the license store
                SHI_LicenseDataReceivedEvent* lic_event = NULL;
                lic_event = (SHI_LicenseDataReceivedEvent*)event;
                WSB_LicenseStore_AddLicense(m_LicenseStore,
                                            lic_event->data,
                                            lic_event->size,
                                            NULL, NULL);
                break;
            }
            ...
        }
    }

    WSB_Result ProcessToken(const char* lic_token) {
        return SHI_Engine_ProcessServiceToken(lic_token);
    }

private:
    // members
    SHI_Engine*       m_DrmEngine;
    WSB_LicenseStore* m_LicenseStore;
};

// using our object
LicenseRetriever* retriever = new LicenseRetriever;
retriever->ProcessToken(my_license_token);
```
Using Wasabi with a Hardware DeMux

The Wasabi Player API (WSB_Player) allows you to do the following
You build your own player and content service using HTML5, JavaScript and CSS 3.
```
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <title>MS3 Video Player Example</title>
  </head>
  <body>
    <video controls width="480" height="320" id="video">
      <source src="https://hms-test.intertrust.com:8443/hms/ms3...">
    </video>
  </body>
</html>
```
- Secure Key Box (aka Sockeye)
- How to get keys from Seacert
- Provisioning keys
- Factory
- Seacert Online Provisioning Service
- Custom
- Trust Management for OTT Ecosystems



![SKB_Transform [SKB_TRANSFORM_TYPE_SIGN]](./images/Sockeye/SKB-sign.png)
![SKB_Transform [SKB_TRANSFORM_TYPE_VERIFY]](./images/Sockeye/SKB-verify.png)
![SKB_Transform [SKB_TRANSFORM_TYPE_DIGEST]](./images/Sockeye/SKB-digest.png)





Independent entities:
- Content providers
- Commerce Service providers
- On line retailers
- Device providers
- Software client providers
All need to cooperate under well-defined protocols and policies
To provide the framework for cooperation with three main functions:
Trust Authority Contractually:
Certification Authority Technically:
Trust Authority and Certificate Authority need to be highly reliable or immune from faults

Implementation technology is available from Intertrust.
The Wasabi Marlin Client SDK, Bluewhale Marlin Broadband Server and packaging tools are available for evaluation:
http://www.intertrust.com/agreements/code_eval
Information regarding Intertrust's Hosted Marlin Service (HMS) may be found at:
The media packaging tools are available from Bento4.com