Anybody intending to offer an over-the-top (OTT) digital video streaming service, such as live sports, premium movies and Ultra HD (UHD) programming, will need to protect the media assets from unlicensed use and outright theft during content preparation, delivery and storage. This need stems from the fact that Hollywood studios and sports rights holders require strong content protection, represented by digital rights management (DRM), as a condition for licensing the desired programming for pay-TV distribution. The role of pay-TV and OTT security is to manage the content monetization while preventing media piracy and thus safeguarding the associated revenue, which is a critical requirement for both content providers and service operators.
So how can digital assets be protected? DRM technology works by combining content encryption with advanced key management and an associated licensing policy that grants access only to end-user devices meeting the criteria the policy requires. Moreover, combining DRM with other tools, such as forensic watermarking and anti-piracy services, offers an effective solution to secure content and revenue.
The end result is that seamless modern multi-DRM services have transformed the media landscape – enabling OTT streaming providers to create all-new pay-TV business models – and allowing more viewers to watch content whenever and wherever they want around the world.
Download our free e-book to learn more about securing advanced OTT video delivery with multi-DRM service.
The first step in the process of content protection is to apply encryption to the payload. The content is encrypted during the packaging phase of content preparation. Typically the content packaging, for example for DASH-CENC or SAMPLE-AES, relies on AES encryption: a 128-bit AES key, known as the content encryption key, is used to encrypt the video and audio tracks. That is, nobody will be able to watch an encrypted file or program unless they also have access to the same key that was used to render the content unwatchable. The reverse process, decryption, applies the same key to restore the content to a clear (watchable) state. Secure content delivery is enhanced by “rotating” (changing) the key at a predefined period, e.g. every 10 seconds, so that even if somebody obtains such a key in the clear, it is only good for one key rotation period. A program usually consists of separate files or streams for video, possibly at several quality levels or resolutions, and multiple audio files (the original language and one or more alternative languages).
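The segment encryption and key rotation just described, worked through in Go as an added example (this is illustrative code, not Intertrust's or any packager's implementation). It uses AES-128 in CTR mode, the cipher the CENC ‘cenc’ scheme specifies, draws a fresh content key every fixed number of segments, and then measures the blast radius of a single key leaking in the clear: only the segments of that key's own rotation period come back as plaintext. The segment payloads, the period length and the function names are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Segment is one encrypted media segment. Period records which key rotation
// period (and therefore which content key) it was encrypted under; a real
// packager signals this through the KID and IV in the CENC sample metadata.
type Segment struct {
	Period int
	IV     [16]byte
	Data   []byte
}

// randomBytes fills a fresh buffer of n bytes from the OS CSPRNG.
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// aesCTR applies AES-128 in CTR mode, the cipher the CENC 'cenc' scheme
// specifies. CTR is its own inverse, so one function both encrypts and decrypts.
func aesCTR(key []byte, iv [16]byte, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv[:]).XORKeyStream(out, in)
	return out, nil
}

// PackageStream encrypts the clear segments, drawing a new 128-bit content key
// whenever segmentsPerPeriod segments have been consumed (with 2 s segments,
// 5 per period gives the 10 s rotation mentioned above). It returns the
// encrypted segments and the per-period keys that a license server would hold.
func PackageStream(clearSegments [][]byte, segmentsPerPeriod int) ([]Segment, [][]byte, error) {
	var keys [][]byte
	var out []Segment
	for i, clear := range clearSegments {
		period := i / segmentsPerPeriod
		if period == len(keys) { // first segment of a new period: rotate the key
			k, err := randomBytes(16)
			if err != nil {
				return nil, nil, err
			}
			keys = append(keys, k)
		}
		var iv [16]byte
		ivb, err := randomBytes(16) // never reuse a key/IV pair in CTR mode
		if err != nil {
			return nil, nil, err
		}
		copy(iv[:], ivb)
		enc, err := aesCTR(keys[period], iv, clear)
		if err != nil {
			return nil, nil, err
		}
		out = append(out, Segment{Period: period, IV: iv, Data: enc})
	}
	return out, keys, nil
}

// ExposureFromLeakedKey measures the blast radius of one content key leaking in
// the clear: it tries that single key against every segment and reports which
// segments decrypt back to their known plaintext. With rotation, only the
// segments of the leaked key's own period should.
func ExposureFromLeakedKey(segs []Segment, leaked []byte, clear [][]byte) []bool {
	exposed := make([]bool, len(segs))
	for i, s := range segs {
		dec, err := aesCTR(leaked, s.IV, s.Data)
		exposed[i] = err == nil && bytes.Equal(dec, clear[i])
	}
	return exposed
}

func main() {
	clear := make([][]byte, 10) // constructed stand-ins for ten 2 s segments
	for i := range clear {
		clear[i] = []byte(fmt.Sprintf("constructed segment %02d payload", i))
	}
	segs, keys, err := PackageStream(clear, 5)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d segments, %d rotation periods\n", len(segs), len(keys))
	fmt.Println("segments exposed by leaking key 0:", ExposureFromLeakedKey(segs, keys[0], clear))
}
```

Shortening the rotation period reduces what one leaked key exposes, at the cost of more license or key requests from the client, which is the trade-off an operator tunes.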
The content encryption keys need to be transmitted to the receiver in a secure fashion so that only authorized viewers can decrypt and watch the content. This is all part of the management of “pay-TV secrets”, usually referred to as key management. Beyond content encryption keys, several other keys protect other secrets, such as the entitlement management message (EMM), which holds information on the channels or programs a viewer may watch, a.k.a. the “channel line-up” in multi-channel pay-TV systems. All of this is managed by the content security system and its license servers.
Watch our brief What is DRM and how does it work video
Until the late 1950s, the TV industry had a single business model: Sell advertising or product placement to pay for programming and monetize content. With the gradual introduction of pay-TV in the ‘60s, this model began to change.
The basic requirement of pay-TV was (and still is) to be able to manage access control. To control access, pay-TV operators encrypt content so only subscribers can access and watch it. Pay-TV operators adopted conditional access systems (CAS) to manage content security and ensure that they and other rights holders could monetize their assets. Digital CAS technology became the norm with the introduction of the digital video broadcasting (DVB) standard in the mid ‘90s, but non-DVB content protection systems were also created in the United States by companies such as General Instrument (later Motorola). The DVB standard includes a Common Scrambling Algorithm (DVB-CSA), and a standard for connecting one or more CA systems to multiplexers/scramblers called DVB Simulcrypt.
The CAS model is still used to protect DVB pay-TV services transmitted over satellite and terrestrial “one-way” networks, as well as telco IPTV (a.k.a. managed IPTV), although they both have been complemented with digital rights management technology to protect IP-based over-the-top (OTT) streaming services (video transmitted over the internet).
The evolution of content security technology can be divided into four phases:
In short, legacy CAS technology is gradually being superseded by DRM-based content protection as the world moves from traditional broadcasting to hybrid broadcast-OTT solutions, as well as to pure OTT streaming over the internet.
Digital rights management (DRM) refers to the tools, standards and systems that are used to protect and monetize intellectual property and copyrighted materials from misuse or theft in the digital sphere, including Internet Protocol (IP) video pay-TV services transmitted over the internet.
Traditionally, digital content has been protected with encryption. Using a secret key, content is encrypted (and thus made unwatchable) so that only somebody who has the key can decrypt and view it. But because a key, like all digital information, is easy to copy and share, encryption on its own is not sufficient to protect the content.
To bolster key encryption, business rules were added that define when and how the keys can be used. The enforcement of those rules on the client devices that were used to consume the content came next and with it arrived digital rights management (DRM).
DRM consists of two main logical components: 1) data protection, and 2) data governance. Encryption technologies are generally used to provide data (content) protection, while trust management and policy management technologies are used to allow protected information to be distributed and used by trusted entities. This includes DRM license management performed by a DRM license server.
The components of a DRM ecosystem work together and borrow from the basic principles of computer security:
DRM systems are key to achieving secure content delivery for OTT services transmitted over any open network such as the internet. Secure OTT streaming uses adaptive bitrate (ABR) protocols, such as HTTP Live Streaming (HLS) and MPEG-DASH, to deliver multi-screen services to all kinds of video-enabled devices such as iOS and Android smartphones and tablets, PCs and Macs, smart TVs and streaming devices (such as Roku, Fire TV, Apple TV, and Chromecast).
DRM technology can be very flexible and may include business rules for secure download and offline playback, enabling a viewer on-the-go without internet access to enjoy subscribed content.
To learn more about DRM principles, please download our whitepaper What is DRM.
CAS was designed to protect pay-TV content during transport from the digital video processing head-end (a.k.a. network operations center, or NOC) to STBs over various kinds of broadcast or “one-way” networks. DRM, on the other hand, is a broader asset protection mechanism that also safeguards content when at rest in addition to the transport phase, made possible by IP-based “two-way” networks such as the internet.
The first Conditional Access System (CAS) was designed during the mid ‘90s with the emergence of the MPEG-2 and Digital Video Broadcasting (DVB) standards, although there are also non-DVB CAS products from other vendors. DRM technology was developed toward the end of the ‘90s, although most DRMs only came a decade later with the proliferation of the internet.
The role of a CAS is to provide key management and protect television transmissions over RF-based networks, such as satellite (DVB-S/DVB-S2 standards), terrestrial/over-the-air (DVB-T/T2), and cable (DVB-C/C2). The CAS design had to take into account that the transmission was “one-way” in nature, without any return channel from the STB back to the head-end. Because of the lack of a return channel, it was necessary to find ways to hide the “pay-TV secrets” in the STB, such as subscriber entitlements (“channel line-up”) and the various keys used to access/decrypt entitlement management messages (EMMs) and entitlement control messages (ECMs), the latter holding the content encryption key the STB needs to decrypt the content. This led to the emergence of so-called smart cards (similar to chip-based credit cards) to store and protect those secrets. Removable smart cards turned out to be costly since they were subject to various forms of piracy, including smart card cloning, and had to be replaced every couple of years, typically at the expense of the pay-TV operator. For U.S. cable networks, CableCARD filled the same role. Later, various software-based CAS were offered, taking advantage of advanced STB system-on-a-chip technology.
Digital rights management (DRM) systems, on the other hand, were designed for IP-based, two-way networks, as exemplified by the internet. DRM technology takes advantage of the two-way nature of communication, which allows the receiver (STBs, mobile devices, PCs/Macs, etc.) to request information (keys and licenses) from the head-end. Because of the two-way nature, DRM systems are inherently more flexible. This may include rules for how many times, or for how long, specific content may be played back, and whether it can be copied to other devices or even downloaded for offline playback, for example during travel.
With the rapid growth of video streamed (transmitted) over the internet using adaptive bitrate protocols such as those used by major OTT operators like Netflix and Hulu, OTT DRM technology has advanced to the forefront. CAS technology is gradually being phased out as broadcasters add on-demand services over IP and thus can take advantage of the two-way nature of IP-based networks. For today’s OTT pay-TV operators, a cloud-based multi-DRM service is the best choice to achieve secure OTT streaming.
Effectively, DRM functionality is a superset of CAS. While CAS is generally limited to broadcast devices and it only applies to video/audio content, DRM protects content on any device with various distribution models (offline, online, with or without return channel), and can also be applied to other types of digital content such as e-books, bytecode, and more.
Two-way IP-based networks have of course also had a major impact on other technologies and services such as video analytics and addressable advertising.
For broadcasters with legacy CAS deployments and an intention to modernize the security infrastructure to support hybrid broadcast-OTT services, read the blog post How DRM-based converged security reduces TCO of Broadcast TV.
When a viewer selects a program to watch, for example a movie that is protected by DRM, the user’s media player will need DRM-specific licensing information in order to prepare the protected content for playback. Such information is managed and dispensed by a DRM license server, and DRM license management is the foundation for secure OTT streaming.
A DRM license is typically a small file that contains the content decryption key (in encrypted form) along with some rules/policies defining how the content may be used. Typical rules set in a license define output controls (for example HDCP requirements) and/or the license validity period. Like the encrypted content, the DRM license can be delivered freely and openly, as the key itself is encrypted and the entire file is signed, preventing any modification of the specified rights.
Apart from the DRM license, a secure client is required in the receiving device, such as a smart TV. The secure client is responsible for evaluating the rules/policies contained in the DRM license. The client may be hardened via software and/or hardware against tampering (via white-box cryptography), and it is responsible for ensuring that the content decryption key is released only to trusted playback systems on the device. All major browsers and operating systems ship with a pre-integrated (native) trusted client.
The DRM licensing information sent to a client device equipped with Microsoft PlayReady will be different from what is sent to somebody using Google Widevine. This is one reason why using a proven multi-DRM service is so important – the service is responsible for ensuring that the licensing information sent securely to each DRM system is in the format it expects. Other typical OTT DRMs are Apple FairPlay Streaming and the open-standard Marlin DRM from Intertrust.
Even though the licensing information may differ from one DRM system to another, the core information always consists of several common pieces defining the business rules:
Learn more about multi-DRM client compatibility
The short answer is that the Advanced Encryption Standard (AES) is a widely used standard for encrypting data in banking transactions and medical records, as well as digital content such as music and video. AES can be used to encrypt the content by many content packaging solutions. The associated encryption key can be delivered to the client by a DRM license acquisition protocol, or in the clear with the Clear Key encryption supported by DASH and HLS.
For the purposes of pay-TV security for OTT streaming video services, only a DRM system can provide adequate protection of the content and service revenue. Major studios, whether “Hollywood” or others, will not accept just AES encryption (“Clear Key”) without a DRM for the distribution of their content. DRM technology is the basis for the kind of trust management that content providers require in order to license premium content to OTT operators. Let’s look at why that is the case.
When DASH or HLS protocols are used with Clear Key, the content is packaged and encrypted in a similar way as when a DRM is used. In other words, the individual segments/chunks are encrypted with a 128-bit AES key. Although the encryption itself can be considered robust from a cryptographic point of view, the overall system cannot. With Clear Key, the encryption key is delivered in the clear to the client, which means that anyone who gets hold of that key can decrypt the content using off-the-shelf tools (such as OpenSSL, Bento4 or a simple Python script).
When DRM is applied, the 128-bit AES key is delivered in a secure fashion. It is usually encrypted with a device public key whose private part is held by the DRM client, in accordance with the rules of the trust model the client complies with.
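The license structure described earlier (content key in encrypted form plus business rules, in a file that is signed) and the device-key wrapping described just above, worked through in Go as an added example. This is illustrative code, not the license format of PlayReady, Widevine, FairPlay or Marlin: the field names, the JSON encoding, RSA-OAEP for wrapping the content key to the device and Ed25519 for the server signature are this example's own assumptions. It shows why the license can travel over an open network: a wrong device cannot unwrap the key, an expired license is refused, and a license whose validity was edited in transit fails signature verification.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Policy carries the business rules a license grants (field names are this
// example's own, not any DRM vendor's schema).
type Policy struct {
	KeyID     string `json:"kid"`
	ExpiresAt int64  `json:"exp"`     // license validity end, Unix seconds
	MinHDCP   string `json:"hdcp"`    // output control, e.g. "2.2"
	OfflineOK bool   `json:"offline"` // secure download / offline playback allowed
}

// LicenseBody is the signed part: the policy plus the content key wrapped to
// the requesting device's public key, so the body can travel in the open.
type LicenseBody struct {
	Policy     Policy `json:"policy"`
	WrappedKey []byte `json:"wrapped_key"`
}

// License is the delivered artifact: body bytes and the server's signature over them.
type License struct {
	Body      []byte `json:"body"`
	Signature []byte `json:"sig"`
}

// IssueLicense is the license-server side: wrap the 128-bit content key with
// RSA-OAEP to the device public key, then sign the whole body with Ed25519.
func IssueLicense(serverPriv ed25519.PrivateKey, device *rsa.PublicKey, contentKey []byte, pol Policy) (*License, error) {
	if len(contentKey) != 16 {
		return nil, errors.New("content key must be 128 bits")
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, device, contentKey, []byte(pol.KeyID))
	if err != nil {
		return nil, err
	}
	body, err := json.Marshal(LicenseBody{Policy: pol, WrappedKey: wrapped})
	if err != nil {
		return nil, err
	}
	return &License{Body: body, Signature: ed25519.Sign(serverPriv, body)}, nil
}

// OpenLicense is the client side: reject anything not signed by the trusted
// server, enforce the validity period, then unwrap the key with the device's
// private key. A real secure client keeps the clear key inside the trusted
// decryptor; it is returned here only so the result can be checked.
func OpenLicense(serverPub ed25519.PublicKey, devicePriv *rsa.PrivateKey, lic *License, now time.Time) ([]byte, Policy, error) {
	var pol Policy
	if !ed25519.Verify(serverPub, lic.Body, lic.Signature) {
		return nil, pol, errors.New("signature invalid: body altered or not from the trusted license server")
	}
	var body LicenseBody
	if err := json.Unmarshal(lic.Body, &body); err != nil {
		return nil, pol, err
	}
	pol = body.Policy
	if now.Unix() > pol.ExpiresAt {
		return nil, pol, errors.New("license expired")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, devicePriv, body.WrappedKey, []byte(pol.KeyID))
	if err != nil {
		return nil, pol, errors.New("cannot unwrap key: license was issued to a different device")
	}
	return key, pol, nil
}

// TamperExpiry models a license whose validity was edited in transit while
// the original signature was kept; OpenLicense must refuse the result.
func TamperExpiry(lic *License, extraSeconds int64) (*License, error) {
	var body LicenseBody
	if err := json.Unmarshal(lic.Body, &body); err != nil {
		return nil, err
	}
	body.Policy.ExpiresAt += extraSeconds
	altered, err := json.Marshal(body)
	if err != nil {
		return nil, err
	}
	return &License{Body: altered, Signature: lic.Signature}, nil
}

func main() {
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	device, _ := rsa.GenerateKey(rand.Reader, 2048)
	contentKey := []byte("0123456789abcdef") // constructed 128-bit key
	now := time.Now()
	pol := Policy{KeyID: "example-kid-0001", ExpiresAt: now.Add(time.Hour).Unix(), MinHDCP: "2.2"}
	lic, err := IssueLicense(serverPriv, &device.PublicKey, contentKey, pol)
	if err != nil {
		panic(err)
	}
	key, got, err := OpenLicense(serverPub, device, lic, now)
	fmt.Println("unwrapped:", bytes.Equal(key, contentKey), got, err)
	bad, _ := TamperExpiry(lic, 365*24*3600)
	_, _, err = OpenLicense(serverPub, device, bad, now)
	fmt.Println("tampered license rejected:", err)
}
```

The ordering inside OpenLicense matters: the signature is checked before any field of the body is parsed or acted on, so an altered policy is never evaluated, and the content key is the last thing released.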
With DRM systems, not only is the content encrypted but also the keys used for content encryption, decryption, and subscriber entitlements are protected. It is also part of the DRM system to support a DRM license management mechanism that ensures the delivery of DRM licenses only to authorized recipients.
This OTT DRM security mechanism extends to each stage of the content lifecycle, providing content protection in transit (as the content is encrypted), while the content is stored on a receiving device, and ultimately when it is used by the device. It is important to note that a DRM system is typically agnostic of the means used to deliver the content. By design, a DRM system allows the distribution of protected content and licenses over untrusted and open networks such as the internet.
DRM is the only kind of security mechanism that content providers will recognize, and the use of such a security system is a prerequisite for licensing premium content. Only a DRM platform will be able to manage the pay-TV and OTT business rules, and its DRM license server will instruct the DRM client what it may or may not perform, including secure download and offline playback. In other words, a DRM system is the foundation for secure OTT streaming.
It is perhaps no surprise that the largest software companies went their own ways and developed proprietary OS-specific DRMs for Windows, iOS and Android. Today’s DRM systems tend to be tied to the client device OS. Even though an OTT operator may need to support all DRMs to reach the broadest range of client devices, such as mobile phones and tablets, PC/Mac computing platforms, smart TVs/STBs and game consoles, there are fortunately some commonalities that facilitate such support.
Here are the characteristics of the major DRMs, which incidentally are all supported by Intertrust’s cloud-based ExpressPlay multi-DRM service:
There are two more major DRMs:
Learn more by reading Which Cloud-Based Multi-DRM Service Enables High Performance Content Protection and then check out the multi-DRM client compatibility matrix.
Understanding the future importance of secure and trusted digital content distribution, Intertrust became an early pioneer of digital rights management (DRM) technology in the late ‘90s. Intertrust teamed up with four of the largest consumer electronics (CE) manufacturers in the world: Panasonic, Philips, Samsung, and Sony. Together, they created an open-standard DRM that would not only be used for their own devices, but also could be adopted globally. The result of this unprecedented collaboration was the 2005 release of Marlin, an open-standard DRM.
Since its launch, there have been many collaborations with device manufacturers, streaming services, and content rights holders. As a result, Marlin has become very popular globally. Companies worldwide are involved in Marlin’s membership as partners, adopters, developers, and trusted service providers.
Marlin DRM protects digital assets on a variety of client devices in both online and offline content delivery models. It can also be applied to protect non-audiovisual assets such as e-books, bytecode, etc. For more details, read our quick guide Using Marlin DRM to protect non-audiovisual assets.
Marlin is an open-standard DRM, which means that rather than being a proprietary technology owned and updated by its creators, Marlin is overseen by two organizations: The Marlin Development Community (MDC) and the Marlin Trust Management Organization (MTMO).
The Marlin Development Community drives innovation and development within Marlin through an open community development process.
The Marlin Trust Management Organization is responsible for granting commercial licenses for using Marlin and underpins the key management element of Marlin offerings.
Learn more about Marlin DRM client compatibility
Motion Picture Laboratories, Inc. (“MovieLabs”) is a non-profit research and development joint venture founded by the six major motion picture studios: Paramount Pictures, Sony Pictures Entertainment, Twentieth Century Fox, Universal City Studios, Walt Disney Pictures and Television, and Warner Bros. Entertainment.
Tools for copyright infringement and piracy have advanced significantly over the years and with the introduction of Ultra HD (UHD) and High Dynamic Range (HDR) quality content, it was time to define an enhanced specification for protecting content against unlicensed use. In 2013, MovieLabs published a high-level specification defining the key elements that can serve as the basis for individual studio protection requirements for new content distribution formats and platforms. The “MovieLabs Specification for Enhanced Content Protection” (ECP) was developed in conjunction with the “MovieLabs Specification for Next Generation Video.” The latest version, 1.2, was published in August 2018.
Each member company of MovieLabs shall decide independently the extent to which it will utilize, or require adherence to, these specifications.
No. There is no formal CAS or DRM certification process used by Hollywood or other studios. Despite this fact, some content security vendors may claim that their products are “studio approved.”
Instead, when a pay-TV operator (whether transmitting its services over satellite, cable or terrestrial, or streaming over the internet) approaches a studio or other rights holder to license specific content, the latter will generally ask the former to fill out a questionnaire covering security-related aspects. One of the topics will be, loosely formulated: “How do you intend to provide content protection?” The operator will provide the name of the content security vendor and digital rights management (DRM) system it has either already selected or is considering using. Based on that information, and the answers provided around its anti-piracy strategy, the studio will decide whether to license the content. If the licensing is granted and an agreement signed, the studio provides an “indirect” or de facto approval of the named content security vendor and DRM system.
In the case of Intertrust it can be stated categorically that no operator has been denied licensing of premium content on the grounds of using, or intending to use, Intertrust-provided content security such as the cloud-based ExpressPlay multi-DRM service. Intertrust is a safe choice for licensing of, for example, live sports, early-release movies and other premium content including UHD and HDR quality. Moreover, upon request, Intertrust will assist customers in completing the questionnaire and guide the operator through the pay-TV content licensing process until service launch.
When selecting a multi-DRM solution, the most critical factors to consider (beyond achieving the content protection itself) are providing the best user experience for the viewers while keeping the cost of the DRM system in check.
In the case of a multi-screen OTT streaming service, the operator will typically need to contract with one or more providers of digital rights management (DRM) solutions. To extend the secure OTT streaming service to as many users and devices as possible, it is usually necessary to commission more than one DRM type since those are typically tied to the client device OS (Android, iOS and Mac, and Windows).
The key OTT DRM investment consideration for the operator is whether to subscribe to a cloud-based multi-DRM service, or to install and operate a multi-DRM solution using on-premises hardware and servers. In both cases the goal is to fulfill content licensing requirements by laying the ground for secure OTT streaming.
The main financial difference is that a cloud-based service will incur OPEX but little or no CAPEX, while the opposite applies for an on-premise system that will require an upfront CAPEX investment in “bare metal” for the DRM and operating system software, together with a network operations center (NOC) to house the installation, plus ongoing OPEX to run the system (technical staff, cost of facilities and security, etc.).
On-premise installations were the norm until cloud-based services became popular through major cloud operators such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud (and Alibaba in China and elsewhere).
There are several drawbacks with on-premise systems:
On the other hand, a cloud-based multi-DRM service offers several advantages:
Learn about the advantages of secure OTT streaming with cloud-based multi-DRM service in our partner solution brief with AWS Elemental.
What should you consider before deciding whether to buy or build your OTT multi-DRM system? As the worldwide explosion in internet-delivered streaming services intensifies, so does the risk of OTT security failure.
When companies are faced with irresistible market demand and opportunities, they often have to make key decisions such as whether to buy or build their multi-DRM solution.
Intertrust has produced a detailed guide that is available for download, Weighing Buy Versus Build Options for Securing Advanced OTT Video Services.
There are also several blog posts covering this topic:
Learn more about multi-DRM service and deployment models.
Digital media and pay-TV piracy comes in various forms, but they are all aimed at accessing and viewing copyrighted content without permission, and sometimes outright stealing the content, which impacts negatively on the rights holders’ content monetization abilities and on the artists. Piracy in general is conducted by criminals, sometimes extensive criminal syndicates, aiming to profit from the theft of intellectual property. The main targets of piracy are live events and premium (new release) movies and TV shows. To obtain a deeper insight, please download our white paper What’s at stake in the battle against live streaming piracy.
Pay-TV piracy initially focused on hacking smart cards used in legacy conditional access systems (CAS), which could result in cloned cards becoming available for sale via illicit outlets. Sometimes even the STB itself was cloned, manufactured and distributed by pirate organizations.
Later, the same CA systems suffered from something called “control word sharing” or “control word redistribution.” This entailed using a legitimate STB and subscription, but extracting the decryption key (control word in CAS terminology) and using broadband to instantly redistribute this key to “subscribers” that paid a low fee to the pirates rather than paying for a bona fide pay-TV subscription.
One type of piracy is “camcording,” often also referred to as the “analog hole.” The user pays for a pay-TV subscription, then uses an external HD camcorder to record the content as rendered on the TV screen, and reposts the content for download at a cost lower than a bona fide subscription.
With the advent of OTT streaming over the internet, the piracy “picture” has changed to focus on illicit content restreaming (or content redistribution). Today, pirates effectively bypass CAS/DRM systems by restreaming live sporting and other content using various circumventing tactics such as screen recording/capture software, external camera recording, or HDMI capture devices with a high-bandwidth digital content protection (HDCP) “stripper.” The already decrypted content is redistributed in the clear to “subscribers” paying a low fee to the pirates rather than a higher-priced bona fide pay-TV subscription. Restreaming has become a major problem for live events, such as live OTT sports (in the pre-coronavirus days).
Screen recording/capture is another form of piracy, prevalent with mobile devices that have been “rooted” (typically Android devices) or “jailbroken” (iOS devices). A utility is used to capture the video and then redistribute it illegally.
Online pirated live sports content is not restricted to illegitimate paid streaming services. In many cases the illicit redistribution link of a sporting event is posted on social media, and often by users who do not understand or respect the copyright aspects.
Credential sharing has recently come to the forefront as another kind of piracy. The perpetrators can be divided into two groups:
The first category is hard to address because with OTT subscriptions offering multiple concurrent streams, it may not always be clear if a user belongs to a subscriber household or not. The second category is obviously of concern to operators since it may put a dent into the revenue stream.
Whichever the form of piracy, it is illegal and is costing content producers and distributors billions of dollars annually. You can learn more in our blog posts A Holistic Look at Content Security, and Content Piracy Is a Big Problem and It’s Hurting Your ROI.
Forensic video watermarking is a technology that is complementary to DRM and CAS. A multi-DRM service provides content protection for transport and storage, together with a license policy to define how the content may be accessed and used. Session-based video watermarking for forensic tracking is used to trace any unauthorized redistribution of premium content and is becoming a critical anti-piracy tool to protect UHD premium content and live events broadcasting.
Forensic watermarking is used to imperceptibly alter video content (a few pixels) to hide a unique ID (forensic evidence, or “payload”). It is a similar concept to invisible ink and paper watermarks. User-specific watermarking is a method to identify the source of piracy by pinpointing the last authorized user and device, or so-called forensic tracking. Session-based watermarking enables the service operator to embed a unique identifier for each playback event, and therefore to identify the actual device that is “leaking” or restreaming the content. This process allows for real-time detection of the source of piracy and real-time shutdown of the illegal redistribution, or the ability to take other actions subject to the service provider’s policy.
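The embed, extract and trace flow described above, worked through in Go as an added toy example (not Intertrust's, Content Armor's or Friend MTS's technology). It hides a 32-bit session ID in the least significant bit of luma samples, repeats each bit across several samples and recovers it by majority vote, then looks the recovered payload up in a constructed playback-session table, which is the forensic step. Plain LSB embedding is only an illustration of the flow: it does not survive transcoding or re-encoding the way a production watermark must, so the frame layout, the repetition scheme and the session records are all this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Frame is a toy greyscale frame: one 8-bit luma sample per pixel, row-major.
type Frame struct {
	Width, Height int
	Luma          []uint8
}

// PlaybackSession is what the operator's playback log records when a unique
// watermark payload is assigned to a streaming session (constructed fields).
type PlaybackSession struct {
	SessionID uint32
	Account   string
	Device    string
}

const (
	payloadBits = 32 // session ID width
	repeat      = 15 // each bit is written to 15 samples and majority-voted on extraction
)

// Embed writes the session ID, most significant bit first, into the least
// significant bit of the first payloadBits*repeat luma samples. Each sample
// moves by at most 1 of 255 levels, which is not visible.
func Embed(f Frame, sessionID uint32) (Frame, error) {
	if len(f.Luma) < payloadBits*repeat {
		return Frame{}, errors.New("frame too small for the payload")
	}
	out := Frame{Width: f.Width, Height: f.Height, Luma: append([]uint8(nil), f.Luma...)}
	for b := 0; b < payloadBits; b++ {
		bit := uint8((sessionID >> uint(payloadBits-1-b)) & 1)
		for r := 0; r < repeat; r++ {
			i := b*repeat + r
			out.Luma[i] = (out.Luma[i] & 0xFE) | bit
		}
	}
	return out, nil
}

// Extract recovers the payload by majority vote over each bit's repeat
// samples, so a minority of disturbed samples does not corrupt the ID.
func Extract(f Frame) (uint32, error) {
	if len(f.Luma) < payloadBits*repeat {
		return 0, errors.New("frame too small to carry a payload")
	}
	var id uint32
	for b := 0; b < payloadBits; b++ {
		ones := 0
		for r := 0; r < repeat; r++ {
			ones += int(f.Luma[b*repeat+r] & 1)
		}
		id <<= 1
		if 2*ones > repeat {
			id |= 1
		}
	}
	return id, nil
}

// FlipEveryNth flips the LSB of every nth sample: a constructed, deterministic
// stand-in for the small per-pixel changes a re-encode introduces.
func FlipEveryNth(f Frame, n int) Frame {
	out := Frame{Width: f.Width, Height: f.Height, Luma: append([]uint8(nil), f.Luma...)}
	for i := 0; i < len(out.Luma); i += n {
		out.Luma[i] ^= 1
	}
	return out
}

// Trace is the forensic step: extract the payload from a captured frame and
// look up which playback session it was issued to.
func Trace(captured Frame, sessions map[uint32]PlaybackSession) (PlaybackSession, error) {
	id, err := Extract(captured)
	if err != nil {
		return PlaybackSession{}, err
	}
	s, ok := sessions[id]
	if !ok {
		return PlaybackSession{}, fmt.Errorf("payload %08x matches no known session", id)
	}
	return s, nil
}

// SampleFrame builds a constructed 32x16 gradient frame.
func SampleFrame() Frame {
	f := Frame{Width: 32, Height: 16, Luma: make([]uint8, 32*16)}
	for i := range f.Luma {
		f.Luma[i] = uint8(i % 256)
	}
	return f
}

func main() {
	sessions := map[uint32]PlaybackSession{
		0xA5C3F00D: {SessionID: 0xA5C3F00D, Account: "constructed-account-17", Device: "constructed-smart-tv"},
	}
	marked, err := Embed(SampleFrame(), 0xA5C3F00D)
	if err != nil {
		panic(err)
	}
	leaked := FlipEveryNth(marked, 5) // 20% of samples disturbed
	fmt.Println(Trace(leaked, sessions))
}
```

The majority vote is the part worth noting: with one bit per sample the first disturbed pixel would corrupt the ID, whereas repetition tolerates a fifth of the samples being altered, which is the robustness property a production watermark achieves with far stronger spreading.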
Forensic watermarking can be applied either server-side, or on the client device itself. For live OTT services, minimizing latency is essential. Therefore, several issues must be considered when adding a forensic watermark. Server-side technology requires tight integration with the live encoder and edge components. It is computationally very intensive, and may add latency to live event transmissions. An alternative approach is a client-side watermarking technology to battle theft of high-value sports content. This approach leverages a thin client with pre-integration in the video player for different types of streaming devices.
Intertrust has partnered with Content Armor and Friend MTS to embed state-of-the-art forensic watermarking that remains with the content, regardless of how it might be transcoded or altered. The partner solutions cover both VOD and live streaming services.
Read the blog post A Security Strategy for Combating Piracy of Live Sports Content to learn more.
Live events, especially live sports, have extremely high value during the live event itself, dropping dramatically once the event is over. To maximize content monetization and minimize the effects of piracy it is essential to have an anti-piracy policy and process in place, and video watermarking plays an essential role.
A key requirement for addressing piracy of sports content is the ability to perform a fast payload extraction of the embedded watermark. With server-side technologies, the traditional approach by studios for protecting on-demand content can take up to 15 minutes to detect the watermark identifier once the pirated content has been identified. This is far too long a delay to effectively protect the revenue of a live event. Additional time is also required to identify the piracy and re-streaming links and to respond to the piracy, which can include shutting down the source once the watermarking ID is extracted. For sporting events, watermark detection must be a near real-time process.
Recent advancements in client-side watermarking solutions, especially for live streaming services, are aimed at better protecting the revenue of live sports. Usually, the client-side solution is implemented as a secure software client and integrated with the media player. In order to protect the thin watermarking client, white-box cryptography technology is used to protect the app code and associated secrets, and to securely anchor the client software to the device.
It is important to note that the first step in combating live sports piracy is to detect the pirated service. It is essential to take advantage of monitoring services and web crawling tools, in conjunction with session-based watermarking. Combining digital fingerprinting technology, which is required for automatic content recognition (ACR) applications, with session-based forensic watermarking is the most effective end-to-end anti-piracy service. This combined approach enables monitoring of known piracy sites for pirated streams and ultimately the detection forensics required to prosecute pirates and take action to disrupt the entire value chain from illicit source to consumer.
This is summarized in our blog post A Security Strategy for Combating Piracy of Live Sports Content.
Content protection for video streaming services, usually referred to as digital rights management (DRM), can be accomplished in various ways, but it boils down to two main approaches:
In the past, a content protection solution was based on a single stack, or silo, which provided a fully integrated, end-to-end closed system. As time passed, the need for interoperability, along with the need to offer competitive and secure streaming services, resulted in standards-based solutions that combine proprietary DRM schemes, such as Microsoft PlayReady, Google Widevine and Apple FairPlay Streaming, with standard encryption formats and packaging such as MPEG-DASH, HLS and ultimately the Common Media Application Format (CMAF).
Open standards, such as Marlin DRM, are technically on par with, or superior to, the DRM schemes mentioned earlier. Marlin DRM, as an open standard, allows anyone to contribute to the specification and to implement it as needed.
Also, the DRMs mentioned in this section, whether defined by an open standard such as Marlin or using proprietary technology, all make use of standard ciphers and encryption algorithms such as AES, RSA and ECC. Other industry standards used by OTT DRMs to achieve secure content delivery include:
It is important to note that whether a solution is proprietary or standard-based, it needs to fulfill the MovieLabs requirements to be accepted by studios and thus to be used to protect premium content.
Microsoft PlayReady, Google Widevine, Apple FairPlay Streaming and the open-standard Marlin DRM all provide MovieLabs-compliant implementations suitable for the consumption of UHD content on various devices. These DRMs are also interoperable with standard content packaging such as that mentioned above.
The Common Encryption (CENC) standard, defined by MPEG, specifies the encryption mode and the metadata that maps the encryption keys to the encrypted streams or tracks within a stream. CENC is supported by multiple DRM systems (Marlin DRM, Google Widevine, Microsoft PlayReady) for decryption of the media file. The standard defines a common format for the encryption-related metadata needed to package/encrypt and decrypt the protected streams, yet it leaves the details of rights mappings, DRM license acquisition, etc., up to the DRM system supporting the ‘cenc’ scheme.
MPEG CENC consists of two sets of MPEG specifications covering different container formats, the ISO Base Media File Format (ISO BMFF) and MPEG-TS. The specifications enable conversion between the two encrypted formats without re-encryption. They define metadata, specific to each format, describing which parts of the stream are encrypted and by which content protection scheme. Each scheme may have a different method of retrieving the content encryption key.
The MPEG Common Encryption standard (CENC) allows both AES-CTR and AES-CBC for encrypting video content; the two modes handle encryption differently and are not compatible with one another. This fragmentation stems from the cipher mode supported by each DRM system: Google Widevine and Microsoft PlayReady 4.0+ support both modes, whereas Apple FPS supports only AES-CBC. Service providers delivering content to a range of devices use the HLS or DASH streaming formats, which differ in the DRM systems they support. To cater for this fragmentation, CENC allows both modes.
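The per-DRM key signalling that CENC carries in ISO BMFF content lives in the ‘pssh’ box. The following is an added example, not code from the article: it builds and parses a pssh box with Node's Buffer API, checking every length field before trusting it, and shows how a player picks the box that matches its CDM. The Widevine SystemID is the published one; the key IDs are constructed sample values.

```javascript
// Added example, not code from the article: build and parse the CENC 'pssh'
// (Protection System Specific Header) box that carries per-DRM key signalling
// in ISO BMFF content. Layout per ISO/IEC 23001-7:
//   size(4) 'pssh'(4) version(1) flags(3) SystemID(16)
//   [version 1 only: KID_count(4) KID(16)*count] DataSize(4) Data(DataSize)
// The Widevine SystemID below is the published one; the KIDs are constructed.

function uuidToBytes(uuid) {
  const hex = uuid.replace(/-/g, "");
  if (hex.length !== 32) throw new Error(`bad UUID: ${uuid}`);
  return Buffer.from(hex, "hex");
}

function bytesToUuid(buf) {
  const h = buf.toString("hex");
  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20)}`;
}

// Build a pssh box; version 1 is used whenever KIDs are listed.
function buildPssh(systemId, kids, data = Buffer.alloc(0)) {
  const version = kids.length > 0 ? 1 : 0;
  const parts = [];
  const verFlags = Buffer.alloc(4); // version byte followed by 3 zero flag bytes
  verFlags.writeUInt8(version, 0);
  parts.push(verFlags, uuidToBytes(systemId));
  if (version === 1) {
    const count = Buffer.alloc(4);
    count.writeUInt32BE(kids.length, 0);
    parts.push(count, ...kids.map(uuidToBytes));
  }
  const dataSize = Buffer.alloc(4);
  dataSize.writeUInt32BE(data.length, 0);
  parts.push(dataSize, data);
  const payload = Buffer.concat(parts);
  const head = Buffer.alloc(8);
  head.writeUInt32BE(8 + payload.length, 0);
  head.write("pssh", 4, "ascii");
  return Buffer.concat([head, payload]);
}

// Parse a pssh box defensively: every length field is checked against the
// buffer before it is trusted, since init data arrives from the network.
function parsePssh(box) {
  if (box.length < 32) throw new Error("pssh box too short");
  const size = box.readUInt32BE(0);
  if (box.toString("ascii", 4, 8) !== "pssh") throw new Error("not a pssh box");
  if (size !== box.length) throw new Error("box size does not match buffer");
  const version = box.readUInt8(8);
  let off = 12;
  const systemId = bytesToUuid(box.subarray(off, off + 16));
  off += 16;
  const kids = [];
  if (version === 1) {
    const count = box.readUInt32BE(off);
    off += 4;
    if (count > (box.length - off - 4) / 16) throw new Error("KID list truncated");
    for (let i = 0; i < count; i++) {
      kids.push(bytesToUuid(box.subarray(off, off + 16)));
      off += 16;
    }
  }
  const dataSize = box.readUInt32BE(off);
  off += 4;
  if (off + dataSize !== box.length) throw new Error("DataSize inconsistent with box size");
  return { version, systemId, kids, data: box.subarray(off) };
}

// A player hands its CDM only the pssh box whose SystemID matches that DRM.
function selectPssh(boxes, systemId) {
  return boxes.map(parsePssh).find((p) => p.systemId === systemId.toLowerCase()) || null;
}

const WIDEVINE_SYSTEM_ID = "edef8ba9-79d6-4ace-a3c8-27dcd51d21ed"; // published Widevine SystemID
const SAMPLE_KIDS = [ // constructed key IDs, e.g. one per quality tier
  "00112233-4455-6677-8899-aabbccddeeff",
  "10112233-4455-6677-8899-aabbccddeeff",
];
```

The Data field stays opaque here because its contents are defined by each DRM system, which is exactly the part CENC leaves to the DRM; the KID list is what lets the player ask for the right license before the first encrypted sample arrives.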
Content Protection Information Exchange Format (CPIX) is a standard defined by the DASH Industry Forum (DASH-IF) that specifies the format for exchanging content protection and packaging information among the entities requiring it for preparation of, for example, DASH content.
The information conveyed through the CPIX document allows the mapping between the DRM keys and their use for each individual protected track, the usage rules, and the crypto periods.
The main advantages of the CPIX standard are:
Secure Packager and Encoder Key Exchange (SPEKE) is a subset of the Content Protection Information Exchange (CPIX) standard that defines specific semantics for a packager to request the content keys and DRM signalling from the DRM service. SPEKE is supported by AWS Media Services such as AWS MediaPackage, AWS MediaConvert and Elemental Delta, as well as by Bitmovin.
SPEKE 1.0 has been adopted by all the major content protection providers and now includes 18 DRM partners. However, it introduced some incompatibilities with the CPIX standard, which has continued to evolve. SPEKE 2.0 will bridge the interoperability gaps and comply with the CPIX v2.3 specification.
Read more about Intertrust’s support for the SPEKE API in the blog post Secure content packaging with ExpressPlay DRM and AWS Media Services.
Learn about the advantages of secure OTT streaming with cloud-based multi-DRM service in our partner solution brief with AWS Elemental.
DRM-protected content can be consumed using an HTML5 media player such as JW Player, Bitmovin Player, THEOplayer, VisualOn player and others. The player uses the Encrypted Media Extensions (EME) API to enable playback of the protected content.
The decrypted buffer is then decoded, allowing the player to render it correctly and the HTML5 app to display it through the video tag.
Learn more about browser-DRM client compatibility
The Content Decryption Module (CDM) is responsible for implementing the DRM functionality: decrypting the media buffer, and verifying and honouring all the output obligations and usage rules carried in the DRM license.
A browser can support one or more CDMs. For example, Firefox supports both the Widevine and Adobe Access CDMs, Internet Explorer supports PlayReady, Microsoft Edge supports PlayReady on Windows 10 as well as the Widevine CDM, while Chrome supports only the Widevine CDM.
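The division of labour between the web app, the browser's CDM and the license server is clearest in the EME call sequence itself. The following is an added example, not code from the article or from any player vendor: the handshake a player runs to play DRM-protected media, written against the W3C EME interfaces (navigator.requestMediaKeySystemAccess, MediaKeys, MediaKeySession and the video element's "encrypted" event). The browser objects are passed in so the flow runs under Node against the constructed fakes at the bottom; the key system name, the license wire format and the restricted-KID list are samples, not a real DRM.

```javascript
// Added example, not code from the article or from any player vendor: the EME
// handshake an HTML5 player runs to play DRM-protected media, written against
// the W3C EME interfaces. The browser objects are injected so the flow runs
// under Node with the constructed fakes below; the key system name and
// license format are samples, not a real DRM.

async function startProtectedPlayback({ navigator, video, keySystem, config, fetchLicense }) {
  const statusLog = [];
  // 1. Ask the browser for a CDM that satisfies the configuration (init data
  //    type, codec, robustness level). Rejection means no sanctioned CDM.
  const access = await navigator.requestMediaKeySystemAccess(keySystem, [config]);
  const mediaKeys = await access.createMediaKeys();
  await video.setMediaKeys(mediaKeys);
  // 2. The media stack fires "encrypted" when it meets init data (e.g. a pssh box).
  video.addEventListener("encrypted", async (event) => {
    const session = mediaKeys.createSession("temporary");
    // 4. Key statuses tell the app whether a key is usable; "output-restricted"
    //    means the license's output rules (e.g. HDCP) are not met on this path.
    session.addEventListener("keystatuseschange", () => {
      for (const [kid, status] of session.keyStatuses) statusLog.push({ kid, status });
    });
    // 3. The CDM emits an opaque license request; the app only relays it. The
    //    content key travels inside the license and never reaches the app.
    session.addEventListener("message", async (msg) => {
      const response = await fetchLicense(msg.message);
      await session.update(response);
    });
    await session.generateRequest(event.initDataType, event.initData);
  });
  return { access, mediaKeys, statusLog };
}

// ---- Constructed fakes standing in for the browser and the license server ----
class Emitter {
  constructor() { this.listeners = new Map(); }
  addEventListener(type, fn) {
    if (!this.listeners.has(type)) this.listeners.set(type, []);
    this.listeners.get(type).push(fn);
  }
  async dispatch(type, event) {
    for (const fn of this.listeners.get(type) || []) await fn(event);
  }
}

class FakeSession extends Emitter {
  constructor() { super(); this.keyStatuses = new Map(); }
  async generateRequest(initDataType, initData) {
    if (initDataType !== "cenc") throw new Error("NotSupportedError");
    // The fake request just carries the KID; a real CDM signs and encrypts its request.
    await this.dispatch("message", { messageType: "license-request", message: Buffer.from(`REQ:${initData.toString("hex")}`) });
  }
  async update(response) {
    const [tag, kid, status] = response.toString().split(":");
    if (tag !== "LICENSE") throw new Error("license rejected by CDM");
    this.keyStatuses.set(kid, status);
    await this.dispatch("keystatuseschange", {});
  }
}

class FakeMediaKeys { createSession() { return new FakeSession(); } }
class FakeAccess {
  constructor(keySystem) { this.keySystem = keySystem; }
  async createMediaKeys() { return new FakeMediaKeys(); }
}
class FakeVideo extends Emitter { async setMediaKeys(mk) { this.mediaKeys = mk; } }

const FAKE_KEY_SYSTEM = "com.example.fakedrm"; // sample name, not a real key system
const fakeNavigator = {
  async requestMediaKeySystemAccess(keySystem, configs) {
    const ok = keySystem === FAKE_KEY_SYSTEM && configs.some((c) => (c.initDataTypes || []).includes("cenc"));
    if (!ok) throw new Error("NotSupportedError");
    return new FakeAccess(keySystem);
  },
};

// Fake license server: grants a usable key unless the KID is on a restricted list.
const RESTRICTED_KIDS = new Set(["ffffffffffffffffffffffffffffffff"]); // constructed
async function fakeLicenseServer(request) {
  const kid = request.toString().slice(4);
  const status = RESTRICTED_KIDS.has(kid) ? "output-restricted" : "usable";
  return Buffer.from(`LICENSE:${kid}:${status}`);
}

// Drive the whole exchange for one KID and return the key status log.
async function runFlow(kidHex) {
  const video = new FakeVideo();
  const config = {
    initDataTypes: ["cenc"],
    videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"', robustness: "" }],
  };
  const { statusLog } = await startProtectedPlayback({ navigator: fakeNavigator, video, keySystem: FAKE_KEY_SYSTEM, config, fetchLicense: fakeLicenseServer });
  await video.dispatch("encrypted", { initDataType: "cenc", initData: Buffer.from(kidHex, "hex") });
  return statusLog;
}
```

Two things the flow makes visible: the app never sees a content key, only opaque request and response blobs, and a license can be granted yet still leave the key "output-restricted", which is the state a player should surface rather than silently retry.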
In a nutshell, the purpose of the Common Media Application Format (CMAF) is to reduce fragmentation and increase compatibility in the media format space.
As of today, for service providers to serve video content to a large user base, they need to create, store and maintain multiple copies of the same content. For example, to address Android and iOS devices and browsers, a service provider will need its content prepared in both the DASH and HLS formats, where the media segments are likely MPEG-4 and MPEG-2 with different encryption schemes. These files, representing the same content, nearly double the encoding, packaging and storage requirements compared to a single file format.
CMAF is a standard streaming format across all playback platforms, and it is one step closer to a single approach for encoding, packaging and storing. CMAF thus makes streaming video much less laborious and complex. In addition, with chunked encoding, CMAF can significantly reduce the end-to-end delivery time, or latency. Nonetheless, this requires support from the CDN and from the media player on the user’s device.
Although CMAF is gaining traction in the media landscape and is supported by a vast range of devices, media players and encoders, there is a considerable long tail of devices that do not support it yet or will never be able to.
Two of the many requirements for a device to consume pay-TV Ultra HD content are support for content decryption, decoding and DRM license evaluation in hardware, and a Secure Video Path (SVP). In addition, service providers may be required to support watermarking; however, this may not have any impact on the device.
To meet the UHD security requirements, vendors of CE devices can license the hardware-based technology, or implement the content protection technology on top of the security framework available in the chipset they use. The latter is what DRM providers such as Intertrust, Google and Microsoft promote and support.
Modern chipsets enable the execution of Trusted Applications (TAs) in the so-called Trusted Execution Environment (TEE), which guarantees integrity protection and confidentiality for the code and the associated data loaded into it. Within the TEE, a TA that implements the DRM functionality is able to securely perform all the necessary operations, such as license evaluation, setting the content key into the descrambler and engaging HDCP, and ultimately to interact with other subsystems such as the hardware descrambler and decoder.
As mentioned above, the TEE is a very suitable environment for handling protected content. A DRM vendor usually provides an SDK that allows the device maker to implement and integrate the DRM stack as part of their platform.
For OTT and pay-TV streaming services, the video stream quality and screen resolution are usually the determining factor in whether software-based pay-TV security is deemed sufficient or a hardware-based security solution is required. A flexible DRM system should be able to support both kinds. Ultimately, each studio decides on the security level required for each type of content, which forms the basis for content licensing to video service providers. Generally, the higher the video quality (going from SD to HD to Ultra HD), the more stringent the security requirements. The content release window also plays a role. For example, an older movie in HD will not have the same security requirements as an early-release movie at the same resolution.
For the lowest level of video stream quality such as standard definition (SD; 480p), a purely software-based DRM may be acceptable. For high definition content (HD; 720p and up and especially Ultra HD), a hardware-based security system will be required. Beyond hardware-secured DRM, additional security technologies may be specified. For example, the MovieLabs ECP specification calls for video watermarking for the highest content qualities.
Advanced security depends on the use of modern systems-on-a-chip (SoCs), which provide protected environments where only DRM processing is permitted. A Trusted Execution Environment (TEE) is provided for the DRM to execute sensitive security processes and to protect secret keys and other data such as decrypted video frames. A software-based TEE may also be referred to as a Software Secure Element (SSE) or White-Box Cryptography (WBC).
Some SoCs have a TEE inside the chipset, providing a closed system for all secrets, decryption and decoding operations. This provides the highest possible level of security and prevents outside access. Compromising data and code running inside a chip is obviously significantly more difficult than compromising a software-based approach.
There are too many considerations to describe here depending on the types of SoCs and receiver type, whether an Ultra HD smart TV or a low-resolution mobile device screen, etc. We invite you to contact our team for a no-obligation consultation to find the right solution for your needs.
Per Widevine, “the Widevine Desktop Browser Content Decryption Module (CDM) includes support for Verified Media Path (VMP). VMP provides a method to verify the authenticity of the browser framework. For browser deployments, this will provide an additional signal to determine if a browser-based implementation is sanctioned by Widevine. All Widevine browser-based integrations (platforms and applications) must support VMP. VMP support is NOT available for Linux platforms.”
Thus VMP support is crucial for a browser-based video player to decrypt Widevine DRM protected content. The W3C Encrypted Media Extension (EME) specification defines the APIs that web apps can use for provisioning the browser’s media stack with the DRM license required to play protected content.
A critical module of EME is a trusted component called the Content Decryption Module (CDM), which evaluates the rules specified in the DRM license to ensure that content keys are handled securely. Once the media has been decrypted by the CDM, it is essential that the browser is able to securely process the so-decrypted media.
When the browser is combined with a native DRM client, content decryption at playback start occurs through a Secure Video Path (SVP), enforcing the rules of the “hardware-based DRM client.” When the browser is not paired with a native DRM client, as is the case for Chrome or Firefox running on desktop computers, the CDM mostly uses a “software-based DRM client.” In these cases, the Widevine desktop browser CDM includes support for VMP, a feature that ensures Widevine has sanctioned the browser-based media processing implementation. For more details, please refer to What is the difference between software-based and hardware-based security?
Over time, Google has deprecated all CDM versions that do not support VMP and today requires VMP for all browser CDM implementations to stay current with the stable Chrome releases. This requirement is intended to make sure that the updates are applied with support for the latest APIs. More recently, Google also adopted a policy of enforcing the VMP requirement strictly, which means Widevine DRM license servers by default will issue licenses only for CDMs that support VMP.
To avoid problems for subscribers, these best practices are crucial with Widevine DRM: