Sei sulla pagina 1di 56

Introduction to DRM

Jan Ozer
jozer@mindspring.com
www.streaminglearningcenter.com
#janozer
Questions
For more information, check
out the book
http://bit.ly/Ozer_multi

A beacon of light in a
valley of half-knowledge
Mustafa Isik, on Twitter

Jan Ozer 2014


Agenda
Perspective
Levels of DRM
What is true DRM?
Who are the providers?
How do you choose between them?
Implementing DRM; DIY, SaaS or third party
provider
From plug-ins to EME; a practical look

Jan Ozer 2014


Perspective
DRM is like an iceberg
Very, very deep
We are discussing at
very high level
You will learn
What DRM is
What options are
How to choose among
them
You will not learn deep
technical differences
between technologies

Jan Ozer 2014


Perspective
What DRM is sufficient? Look to UltraViolet
UltraViolet Free, cloud-based digital library used
by DECE (Digital Entertainment Content
Ecosystem)
Common File format (CFF)
CENC Common Encryption system
FMP4 (fragmented MP4 container)
H.264 video/AAC+ (and others)
SMPTE TT captions

Jan Ozer 2014


Perpective
DECE 85 company consortium not including
Disney, Apple, Amazon
CENC (Common Encryption) DRM agnostic
format that can be used with multiple DRMs
UltraViolet supported DRMS
Google Widevine
OMA CMLA-OMA v2 (not discussed)
Microsoft PlayReady
Adobe Primetime DRM
DivX Plus
Jan Ozer 2014
Perspective
One youre in that DRM club, youre deemed
adequately secure and technically sufficient
While the club members can (and should) argue
which is technically superior or more secure, the
major content owners have already ruled
The rest of the analysis relies upon
implementation details

Jan Ozer 2014


Levels of Content Protection
None
Video behind pay wall
Almost DRM
HLS encryption
RTMPe (replaced by Primetime DRM)
SWF verification
True DRM

Jan Ozer 2014


No DRM
Videos easily capturable by stream grabbers
like Download Helper and Jaksta

Jan Ozer 2014


What is SSL (Secure Sockets
Layer)
Standard technology for creating an
encrypted link between server and browser

Jan Ozer 2014


Video Behind Pay Wall
Can use SSL to prevent unauthorized
viewers from directly accessing
Authorized viewers can capture and distribute

Jan Ozer 2014


What is Encryption
Content scrambled via a mathematical
algorithm, so unplayable unless unlocked
Unlocked via a decryption key provided by
content owner
Concepts
AES Advanced Encryption Standard uses 128,
192 and 256-bit encrypt/decrypt keys

Jan Ozer 2014


HLS Encryption
Content encrypted with AES 128; manifest contains link to
decryption key
Distribute decryption key via SSL or other security technique
Defeats Download Helper/Jaksta class of product
Issues:
Anyone with key can play video
Key may be available in buffer for easy capture
Bottom Line:
Great for many uses but not studio approved
Not considered true DRM

Jan Ozer 2014


Levels of HLS Protection
HLS
HLS with encryption
Protected HLS (Primetime RTMPe)
Key decrypted in Primetime player, not browser,
so more secure)
http://bit.ly/DRM_gen1
HLS with PrimeTime DRM
HLS with PlayReady DRM

Jan Ozer 2014


RTMPe (RTMP Encryption)
Content encrypted with well-known stream cipher
encryption algorithm
Wikipedia - Tools which have a copy of the well-known
constants extracted from the Adobe Flash player are able
to capture RTMPE streams, a form of the trusted client
problem. (http://bit.ly/DRM_Flash3)
Defeats Download Helper/Jaksta class of product, but
not more advanced tools
Bottom Line:
Adobe recommends not using this any longer in favor of
Primetime-based technologies
Jan Ozer 2014
SWF Verification
Adobe Media Server verifies that SWF file
requesting content is certified
Disconnects to any other players
Limitations (as standalone technology)
May be able to spoof AMS (http://lkcl.net/rtmp)
No third party license server
Not accepted by most Hollywood content owners
Valuable feature of Primetime (called app white
listing) benefiting from other Primetime features

Jan Ozer 2014


True Digital Rights
Management
Digital rights to manage Separates protect content
Offline playback and license rights
Play n times, play for n License server to
hours/days communicate with client
Side loading, sharing (usually third party hosted
Output protection and managed)

Encryption DRM enabled client


Files unplayable without that can protect keys
decryption key and enforce policies

Jan Ozer 2014


DRM How it Works
(courtesy DRM Today)

Encrypt video (usually during encoding)


Send decryption information to license server (DRMtoday)

Jan Ozer 2014


DRM How it Works

Customer buys video


Its downloaded (or streamed) to his/her device
Unplayable at this point
Jan Ozer 2014
DRM How it Works

Customer tries to play checks license server


License server checks your system (with business rules
and permissions)
Yea or nay. If yes, license key sent for decryption. If not,
error message
Jan Ozer 2014
DRM Application
DRM Utilized Example

High
True DRM Pay TV

Moderate Movies
True DRM Secure Enterprise
Media
Low Primetime News, Music Videos,
HLS/HDS/HLS Corp
Encryption communications
Very low UGC, sales,
None
marketing, etc.
Content Value
Source: Amit Goswami, Blinkx, http://bit.ly/DRM_gen2
Jan Ozer 2014
DRM Components and
Workflow Functions
Packaging function Other servers:
Encrypt Distribution
Can be: distributes content
Static: encrypted when Domain manage
encoded groups that can play
Dynamic: unprotected on video
secure server; encrypted
as during delivery Metering maintains
playback count for
License Server royalties
Communicates with
DRM Compatible
player, issues keys
Player
Jan Ozer 2014
Most Significant Trend

From proprietary plug-ins, To HTML5-based standard


players and apps Encrypted Media Extensions
(EME)
Jan Ozer 2014
Encrypted Media Extensions
(EME)
What is EME
WC3 proposal extending
HTML
Javascript API that
enables browser to use
DRM systems
DRMs available to
browser as Content
Decryption Modules
(CDM)
Triggers license request
like proprietary player
From Fraunhofer website
http://bit.ly/DRM_EME2
Jan Ozer 2014
Key Benefits of EME
Simplifies platform support for DRM companies
(and their licensees)
Should drop per-platform costs dramatically
Because apps are required, some DRM providers
charge $25K 50K for iOS/Android, up to $100K
for Roku/Xbox SDKs
Same package can be used for multiple DRMs
With existing structure, each DRM need separate
packaging
Dramatically increases encoding and storage costs
Jan Ozer 2014
Meet the DRM OEMs
Adobe Primetime DRM
Apple FairPlay
DivX
Google Widevine
Intertrust Marlin
Microsoft PlayReady
Verimatrix VCAS

Jan Ozer 2014


Adobe PrimeTime DRM
Formerly Access Part of Primetime
Full featured DRM Comprehensive multiple
Standalone platform distribution system
Protected HLS Player, DRM, analytics
Studio/DECE approved Mature mobile SDKs
Primary focus is Pay TV Great format support (HLS,
HDS, 2015 - DASH, HEVC)
providers and programmers
Strengths Cons
Desktop/notebook based on Device support trails others
Flash (great penetration) though (though major focus)
requires plugin Mobile support requires
HTML5 DRM on Firefox (looking PrimeTime
to expand) Expensive for small producers
Can protect HLS streams No third-party distribution; either
install direct or SaaS
Jan Ozer 2014
Apple FairPlay
Historically a closed Netflix Tech Blog
technology not licensed June 3, 2014
to third parties Netflix announced EME-
Protected content in iTunes driven playback in Safari
for playback on iOS devices Seems to indicate Apple
and iTunes supported licensed FairPlay to Netflix,
platforms but not explicitly stated
To support EME, Apple bit.ly/DRM_FP1
must choose CDM for Apples licensing policy will
Safari become very high profile
issue as EME rolls out
FairPlay is obvious
leading contender

Jan Ozer 2014


DivX
Overview Strong adaptive streaming
Full featured DRM technology
Studio approved Strong format integration
including HEVC
Strengths Already using CENC
Outstanding CE support with format, so not locked into
device certification proprietary solution
Speeds and simplifies
application support and
Cons
ensures performance Need to download DivX
Part of DivX Ecosystem plugin on desktop/mobile
Single set of encoding Available direct only
presets guaranteed to play
Soup to nuts distribution (if
desired)
Jan Ozer 2014
Google Widevine
Overview Cons
Full featured DRM Desktop/notebook users need
to download plug-in
Studio approved
Plug-in is NPAPI, so wont
Two versions, modular work soon in Chrome
MSE/EME) and classic
Need separate packages for
Strengths classic and modular support
Price free Third party infrastructure
support is limited
Available direct or via third
Works in conjunction with
parties
Flash, so architecturally not as
Good standards support in secure as DRM embedded in
Modular Flash (from Adobe)
Broad platform support,
including CE
Jan Ozer 2014
Intertrust Marlin
Overview Notable users
Open standards community Sony in PlayStation
founded by Intertrust, Philips Net TV
Panasonic, Philips, Actvila webTV portal in
Samsung and Sony Japan
Broad platform support on
computers, mobile and CE Other notes
devices Seems very affordable
Commercialized by multiple Not much traction in US or
vendors, including Intertrust web streaming markets in
(www.expressplaycom) general
service I havent worked with
UltraViolet approved/DECE Intertrust Marlin, so
approved knowledge is limited
Jan Ozer 2014
Microsoft PlayReady
Overview Cons
Full featured DRM Relies on Silverlight for
Studio approved most computers/notebooks,
which has comparatively
Strengths low share
Available direct or via third Plug-in is NPAPI, so wont
parties, and in Azure work soon in Chrome
Very good infrastructure There are workarounds to both,
support; easy to implement but require other downloads
Can work with HLS on many Mobile SDKs are expensive
platforms
Good platforms support,
robust mobile SDKs

Jan Ozer 2014


Verimatrix VCAS
Overview Can also integrate with
Full featured DRM PlayReady to access
PlayReady compatible
Primarily successful in cable, clients
satellite, terrestrial, IPTV and
OTT Cons
Strengths PlayReadys reliance on
Silverlight
Great expertise in
TV/IPTV?OTT markets with Seeming low penetration in
comprehensive DRM offering streaming only space
for computers and mobile (DASH, MSE and EME may
devices, primarily via HLS change this)
I havent worked with
VCAS, so knowledge is
limited
Jan Ozer 2014
Choosing a DRM
Whats the required Support target
level of DRM? platforms
Acceptable to content Provides other
owners required features
Support required Cost
content Accessibility
Support required
business models
Support required
restrictions
Jan Ozer 2014
Whats the Required Level
DRM Utilized Example

High True DRM Pay TV

Movies
Moderate True DRM Secure Enterprise
Media
Primetime News, Music Videos,
Low HLS/HDS/HLS Corp
Encryption communications

Very low UGC, sales,


None
marketing, etc.

Content Value
Jan Ozer 2014
Acceptable to Content Owners
If using third party content, ask which DRM
technologies are acceptable
Encrypted HLS is not acceptable to some content
owners (at least at full resolution)
Will vary from owner to owner
ID technologies that are acceptable to all critical
content owners before you go shopping

Jan Ozer 2014


Supports Required Content
and Formats
Not all technologies support
all formats
If your needs go beyond
video, you may need multiple
technologies
Format support
Will it support existing formats
or will you have to re-encode?

Jan Ozer 2014


Support Required Business
Models
There are many Dynamic pricing (and
models metering)
Purchase And delivery models
Subscription Stream
Pay per view Adaptive stream
Rental Download
Shared Sideload
Gift Domain viewing
Advertising supported

Jan Ozer 2014


Support Required Restrictions
and Other Features
Right to play vs. right
to burn
Output protection for
video

Jan Ozer 2014


Supports Target Platforms
This is a fast-moving target
Not available on websitesdefinitely have to
call and research
For comprehensive platform support, may
have to use multiple DRMs
MSE/EME should help this, but not in the short
term

Jan Ozer 2014


Supported Target Platforms

Jan Ozer 2014


Supports Target Platforms
Before shopping, create a list of:
Required platforms
Required business models (streaming, download)
Required formats (single file, adaptive)
Then identify
Which DRMs support these requirements
Required plug-ins, SDKs, etc
Play in an app or natively?
which plug-in must be downloaded

Jan Ozer 2014


Cost
Significant variability here: Check
Up front licensing cost
Per platform cost (cost for SDK or porting kit for
each target platform)
License key cost
Monthly minimums

Jan Ozer 2014


Accessibility
Is technology available direct or via third-
parties
Is it available via licensing or SaaS (or both)?
How files encrypted?
Can you use your current encoder or encoding
provider to encrypt?
What are hosting requirements?
How are captions handled?

Jan Ozer 2014


Implementing DRM
DIY, SaaS or Third-Party
DIY
Choosing a third-party provider

Jan Ozer 2014


DIY, SaaS or Third-Party
Some technologies only deal
direct
Adobe can DIY or SaaS
DIY
Some technologies require
significant dev burden, CAPEX
and ongoing expense
PlayReady (strongly consider third
party)
Others are more manageable Partial customer list - BuyDRM
(Widevine)
Jan Ozer 2014
Choosing a Third Party
Service Provider
Single or multiple DRMs
If youll need multiple DRMs, choose a multiple
DRM provider
Then consider
Breadth of infrastructure offering
Integration with encoding tools and cloud encoders
Breadth of service offering
SaaS, licensable server, or both?
SDKs for different platforms
Direct encoding support
Jan Ozer 2014
Choosing a Third Party
Service Provider
Evaluate service component
Both installation and ongoing support
Assess service levels and cost and availability of
24/7 support
Pricing
Pricing varies significantly among third party
providers

Jan Ozer 2014


From Plug-ins to EME
Today most DRM is implemented via
plugins or Apps
Browser essentially hands all DRM and playback-
related functions to the player or plug-in

Browser Player/ License


Plug-in Server

Jan Ozer 2014


From Plug-ins to EME
Encrypted Media Extension DRM is baked
into the browser
Browser handles all DRM and playback-related
functions

Browser License
Server

Plug-in
Jan Ozer 2014
EME uses concept of Content
Decryption Modules
Content Decryption Module The DRM
component formerly in the player/plug-in
Baked into browser within CDM interface

Browser

CDM

From Content Decryption Module Interface Spec http://bit.ly/DRM_EME3 Jan Ozer 2014
The Problem Is
All browsers/platforms only support ONE
CDM (guess which)
Unlike plug-ins, you cant add CDMs later (you
have to reinstall the entire browser)

Jan Ozer 2014


Its OK from a File Creation
Standpoint
Using MPEG DASH (a media format) plus
CENC (Common Encryption Scheme), a single
file (or adaptive group of files) can contain
multiple DRM key technologies

PlayReady Widevine Primetime Fairplay

Jan Ozer 2014


But to Achieve Multiple
Platform Support
Youll need to separately support all DRMs on all
platforms that youre hoping to support

Widevine Primetime FairPlay PlayReady FairPlay Widevine

To access the platforms you can access via one


technology today, youll need to support four
Arent standards great?!

Jan Ozer 2014


Resources
The Difference Between Encrypted HLS, PHLS and HLS with DRM, Jens
Loeffler, http://bit.ly/DRM_gen1
EME WTF? An introduction to Encrypted Media Extensions, Sam Dutton,
http://bit.ly/DRM_EME1
DTG Technical Webinar: Encrypted Media Extensions, John Simmons,
Microsoft http://vimeo.com/62269279
HTML5 Video in Safari on OX X Yosemite, (bit.ly/DRM_FP1)
RTMPe/SWF Verification Protect Video Content (Flash Media Server)
http://bit.ly/DRM_Flash1
Streaming Content Securely (Adobe Media Server) -
http://bit.ly/DRM_Flash2
MPEG_2 Stream Encryption Format for HLS Apple Tech Note -
http://bit.ly/HLSe_1

Jan Ozer 2014


Note of Gratitude
Id like to thank the employees of Adobe,
MainConcept/DivX, and BuyDRM who
reviewed this document
All errors, omissions and notable misstatements
are mine alone

Jan Ozer 2014