As discussed in the first article of our series on “How to Trust Your Player,” piracy is a big business, and leverages the same technology advances as legitimate OTT service operations in streaming and other components.
Globally, the volume of global OTT streaming has grown 63% between Q2 2019 and Q2 2020, according to a report from Conviva, a leading supplier of video analytics technology. Similarly, total losses to piracy of streamed content worldwide are skyrocketing, impacting live and on-demand services alike. Digital TV Research projects that by 2022, global losses to online video piracy will reach $51.6 billion — nearly double the amount lost in 2016.
This article will provide an overview of digital rights management (DRM) license acquisition models, and recommended DRM best practices for leveraging a cloud-based DRM service to protect high-value streaming content. These practices are essential to:
Consider that hackers have honed their technical skills to develop and adopt new ways of defeating defenses and responding to detection with new brands and sites. The least technically sophisticated approaches that pirates use to get around the robust protection of sophisticated DRM systems include high-quality camcording from 4K UHD TV displays. Advanced methods, similar to those of professional pirates, include high-bandwidth digital content protection (HDCP) strippers.
Other attacks target the multi-DRM service to extract the content keys, or exploit the DRM license acquisition server to circumnavigate license checking rules and retrieve DRM licenses. Pirates can also capture in-the-clear content from device memory as it awaits playback in the buffering process, in devices that don’t support Trusted Execution Environment (TEE) and Secure Video Path (SVP). In some cases, if the same content keys and licenses are used for different resolutions, pirates will subscribe to the lower-quality content (e.g. SD resolution) and extract the keys to steal and redistribute higher-resolution —such as HD and 4K — variants of the content.
As we discuss and demonstrate DRM best practices in a real-world application (and reveal what a premium service should provide), portions of this article will refer to Intertrust’s ExpressPlay DRM as an example of a cloud-based, multi-DRM service.
An integral part of content packaging is the insertion of DRM signaling in the media, such as the common encryption Protection System Specific Header (PSSH). Because the content packaging and playback workflows need to coordinate the DRM signaling and Content Encryption Keys (CEK), it is critical that the content packaging workflow and the multi-DRM system are tightly integrated. The content packager needs to retrieve the CEK from a multi-DRM service provider that manages these keys securely.
To maintain the security exchange of CEKs, Bitmovin encoders/packagers and Intertrust ExpressPlay DRM have integrated the Secure Packager and Encoder Key Exchange (SPEKE) protocol, which enables secure retrieval of the encryption keys and DRM signaling from the ExpressPlay key store. The content protection industry has broadly adopted the SPEKE protocol. The protocol provides a simple and secure interface for delivery of CEKs and DRM signaling using a standard API that streamlines secure communications between the ExpressPlay DRM and encryptors, which in this case include encoders, packagers, and origin servers.
DRM technology is designed to protect the video content during transport, at rest, and during consumption. Although such technology can involve some very advanced security concepts, OTT streaming service operators still need to pay detailed attention to the overall system architecture that is deployed and avoid loopholes that allow hackers to defeat the purpose of DRM protected content.
In particular, the workflow for DRM license acquisition has to be thoughtfully designed. There are two deployment workflows that are typically used:
Moreover, similar to other professional cloud services, a typical multi-DRM workflow requires some form of authorization, which can be implemented by leveraging a secure token. A secure token enables a robust and secure mechanism to deliver several settings and parameters to the multi-DRM service. Secure token is encrypted to ensure confidentiality and includes digital signature to ensure integrity.
This approach is also commonly referred to as an upfront token authentication workflow. Typically, a secure token is then used by the video player in the target device to perform a DRM license acquisition from the DRM license server. Once the DRM license server receives such a request, it can provide a DRM license that is bound to the requesting client device.
The workflow of this direct license acquisition model involves the following steps:
The main benefits of the direct license acquisition model are:
Since the secure token, also known as the DRM authorization token, is critical for generating and delivering the DRM license to the video player in the target device, a multi-DRM service should prevent attackers from reusing the DRM authorization token when they are not authorized to watch the content. Techniques available to achieving this goal include:
A more advanced deployment DRM license acquisition can be accomplished through a DRM license proxy service, which enables the video player to directly communicate with an endpoint managed by the OTT streaming service provider (DRM license proxy). In this case, the streaming service provider retrieves a DRM license from the multi-DRM cloud service (e.g. ExpressPlay multi-DRM service) and there is no need for the video player to send a token directly to the multi-DRM cloud service for retrieving the license.
The workflow of this proxy license acquisition model involves the following steps:
The main benefits of the proxy license acquisition model are:
When using the proxy license acquisition model, the OTT service provider is responsible for both scaling up the DRM proxy endpoint as the number of video player and device client requests increase, and for designing and implementing such DRM proxy service according to online services security best practices.
On top of the deployment model considerations mentioned above, modern DRM schemes offer a wide range of content protection configurations, policies and restrictions applied to content, whether it is played on devices’ internal screen or on external screens such as through an HDMI cable.
Best practices involve setting different CEKs for audio track as well as for each video resolution (e.g. SD, HD, UHD). This approach enables OTT streaming service providers to grant access to content distributed to different customers/different devices by delivering only the DRM licenses with CEKs for the authorized resolutions based on the consumer’s subscription package.
Also, this allows the streaming service operator to fine-tune the DRM policies for each given resolution or track. For example, audio and SD content may not require enforcement of HDCP over an HDMI connection. However, an HD resolution may require HDCP 1.4 to be enforced, and 4K/UHD may require HDCP 2.2 to be enforced in the DRM license. We will cover additional considerations related to the use of HDCP in article four of the How to Trust Your Player series.
DRM security level is a concept that defines the security tier of the DRM stack that is supported by the target device. Although different DRM schemes have different definitions of their security levels, there are two relevant distinctions in the security levels:
Using the right DRM security level allows OTT streaming service providers to map the required security level for each given resolution or track. For example, audio and SD content may only require a “software-based DRM client,” whereas HD and 4K/UHD may require a “hardware-based DRM client” to be enforced.
In the case of 4K/UHD, there will be additional requirements from the Enhanced Content Protection (ECP) specification by Movielabs (an entity owned by several Hollywood studios). Leveraging the right DRM security level is particularly important because audio codecs are usually implemented in software, and cannot be enforced through “hardware-based DRM clients.”
Another important digital rights management best practice is related to the Verified Media Path (VMP) requirement enforced by Google Widevine DRM. This process is specifically relevant when a browser-based video player is used to decrypt Widevine protected content. The W3C Encrypted Media Extension (EME) specification defines the interfaces that web applications can use for provisioning the browser’s media stack with the DRM license required to play protected content.
A critical module of the EME specification is a trusted component that evaluates the rules specified in the DRM license and ensures the content key is handled securely. This component is known as the Content Decryption Module (CDM). Once the media is decrypted by the CDM, it is essential that the browser securely processes the decrypted media.
When the browser uses a native DRM client, at the start of video playback, decrypting media will be through a Secure Video Path (SVP), and it can enforce “Hardware-based DRM client.” When the browser is not using the native DRM client, the CDM is mostly using “Software-based DRM client.” This is the typical situation for Chrome or Firefox browsers running on desktops computers. In these cases, the Widevine desktop browser CDM includes support for VMP, a feature that ensures Widevine has sanctioned the browser media processing implementation.
In the past few years, Google has deprecated all CDM versions that do not contain VMP functionality and is now mandating VMP for all browser CDM implementations to stay current with the stable Chrome releases. This action ensures that the latest updates are applied and that they support the latest APIs. More recently, Google also adopted a policy of strictly enforcing the VMP requirement which means Widevine license servers by default can only issue licenses for CDMs that support the VMP feature.
These best practices are crucial when using Widevine DRM:
Pirates have continued to evolve their technical skills to develop new methods and are now leveraging the same advances in streaming technology used by legitimate OTT service providers. To combat the increasing number of piracy attacks, streaming service operators must follow DRM best practices to block the loopholes that hackers otherwise may use to defeat the purpose of DRM technology.
When leveraging a cloud-based DRM service, it is essential to follow the correct DRM license acquisition workflow, maintain a secure interface for delivery of content keys, and take advantage of DRM security levels and multiple content encryption keys.
To learn more about How to Trust Your Player, check out the other articles in our series:
Still want to learn more? View for our associated fireside chats:
How To Trust Your Player is a collaborative effort between Bitmovin, Friend MTS and Intertrust. Our goal is to educate media and content providers on the importance of delivering streaming content in the most secure ways possible from the video player to the end-consumer while protecting both their content and revenue.
Friend MTS Limited
Eleven Brindleyplace, 2 Brunswick Square
UK: +44 121 633 5750
US: +1 267 382 4280
© 2020 Friend MTS Limited | All Rights Reserved