Stefan Lederer, CEO

Paul MacDougall, Solution Architect

How to Provide Protected Content to

Desktop, Mobile,TVs & Streaming Boxes

W5 - DRM Workflows

Agenda ● Who are we?

● Video Problems on the Web

● Content Protection Technologies

● DRM and its variants

● Example implementation

● What’s next?

Global Locations

● US - San Francisco, Chicago,

New York, Seatle

● Europe - Austria, Netherlands

● APAC - Hong Kong

● LATAM - Sao Paulo

Who’s behind us

Privately funded by worldwide leading

venture capital firms:

Business Angel Investors

● Chris Kaiser – former VP

Engineering Netflix

● Edward Kozel – former CTO

Cisco

● David Helgason – founder of

Unity

● Brendan Iribe – founder and

CEO of Oculus

● Dries Buytaert – founder of

Drupal and CTO of Acquia

Track record

Founded in 2013 after co-creating

MPEG-DASH standard

Technology leading Video

Infrastructure for the Web:

Encoding, HTML5 Player, Analytics,

Cloud Storage and Delivery

Integrations

Global customer base: 250

companies, 6 continents

About Bitmovin

Founders Co-created the

MPEG-DASH standard

● Used by Netflix and Youtube

● 50 % U.S. Peak Internet Traffic

● 10 US PTC Patents

● 20+ Papers in Multimedia

● Author of the MPEG DASH

Reference Software

Bitmovers All Around The World

Online Video

Problems

Solution

Full-Stack Video

Infrastructure API

Bitmovin Encoding

● Up to 100x Real-Time

● Massive compute options –

Google, AWS, Kubernetes, etc..

● Massive Parallelization

● 100% customizable

● Unlimited bit rates

● For H.264/AVC, H.265/HEVC

and VP9

● Get to market fast with new video

● Fully Customizable API

● Fully Customizable Profiles

● Many API Clients and Examples

● DRM Support for

DASH/HLS/MP4

● Offline DRM Support

Managed On-Premise

Encoding

HTML5 Player

● Fully configurable startup & seeking behaviour

○ i.e. minimum quality, limit resolution to player

resolution, etc.

● Flexibility to create own adaptation algorithm using

the API

Fastest Video Startup

● Fastest loading player on the

market

● < 300ms until first frame

● 9 patents on adaptive bitrate

adaptation

Premium Video =

$$$*

*If you can:

Sell it or Rent it

Distribute it

Protect it from

unauthorized access

Image idea: treasure chest + pirates (content

gets pirated)

Common Ways to

Lockdown Video

Assets:

Tokenization

Encryption

DRM

Encryption

Encrypts the the

transmission of the video

stream

Why use it?

● Easy to implement

● Good enough for most use cases

● SAMPLE-AES and AES-128

But...

● Software-level key handling lacks of control

over output instances and devices

● For online viewing only

DRM - Digital Rights

Management

Encrypts content and

dictates usage rights for

video playback at SW &

HW levels

Why use it?

● Highest level of protection

● Selectable output control

● Offline viewing possible

But...

● $$$ to implement - licensing and development

● Customer experience negatively impacted

● More places thing can break

● Typically, each device supports just one DRM

Use for

● High value content

● When required by content agreement

Many Providers

How Does DRM

Work?

The video content is

encrypted with a content key

System generates license

files to accompany the

content

System allows playback for

an authenticated user and

device

DRM Technologies

by Provider

Widevine Modular &

Classic

PlayReady

Fairplay

PrimeTime

Widevine Modular

DRM OverviewWidevine Modular (successor to Classic)

● Google’s DRM - Extensive support for Google ecosystem

● Supports DASH with CENC

● Supports Hardware Security (TEE)

● Can limit content quality server-side

● Rights expression/policy enforcement

Widevine ClassicGoogle legacy technology

Only supports .WVM (Google proprietary packaging)

EOLed - provided as-is with no improvements

Rarely used in US

PlayReady DRM

Overview

Microsoft PlayReady

● Microsoft DRM - broad platform support,

including many smart TVs

● Most robust rights management

● Pre-cache licenses (fine grain sunrise and

sunset of keys)

FairPlay DRM

Overview

Apple Fairplay

● No rights expression or policy enforcement

● Needs Key Security Module on Key Server

● Needs code to relay key requests

Adobe PrimeTime

DRM Overview

Adobe Primetime (successor to Access)

● Fine-grained policy management system

(whitelist apps, devices, domains)

● Support for key and license rotation

Premium Video &

Adoption of HTML5

Enables playing premium

video content directly in

the browser. No Plug-ins!

● MPEG-DASH - industry standard for adaptive

streaming

● W3C Media Source Extensions (MSEs) -

“extends HTMLMediaElement to allow

JavaScript to generate media streams for

playback.”

● W3C Encrypted Media Extensions (EMEs) -

“extends HTMLMediaElement providing APIs

to control playback of protected content.”

Proprietary

Ecosystems Will

Disappear

Open Ecosystems

are Winning:

HTML5 MSE/EME,

DASH, etc.

Is it that easy to

build a video player?

DRM Support in

HTML5 Browsers

Source: http://www.ezdrm.com/html/compare-drm.asp

DRM Support in

Mobile Devices

Source: http://www.ezdrm.com/html/compare-drm.asp

DRM Support in

OTT Devices

Source: http://www.ezdrm.com/html/compare-drm.asp

DRM Support in

Connected TVs &

Game Consoles

Source: http://www.ezdrm.com/html/compare-drm.asp

Multi-DRM

Maximum device reach

● Traditional (before DASH) Multi-DRM setups

need to encrypt and package the content for

each DRM separately

● DASH CENC/EME - allows key association

from different DRM’s with the same video

● Except for Apple (FairPlay with HLS on

devices & in Safari)

● Multi-DRM Providers:EZ DRM, ExpressPlay,

Intertrust, Irdeto, Axinom, BuyDRM,

Verimatrix, and others

Hollywood &

UltraViolet

Implement a DRM

accepted by the studios

● Industry wide entitlement locker

● Digital Entertainment Content Ecosystem

(DECE) - consortium of 85 studios, consumer

electronics manufs, retailers, etc.

● UltraViolet - a set of standards for the digital

distribution of premium Hollywood content

● Approved DRMs: Widevine, PlayReady,

PrimeTime, Marlin, OMA, DivXDRM

● But not Apple Fairplay

Implementing a

DRM Workflow

DRM Keyflow

● Identity Management

● Entitlement Management

○ What content can you watch

○ Download

○ Rent time

○ Quality (SD/HD)

● Key exchange

Implementing a

DRM Workflow

End user requests

playback of content Your

Entitlement

Server

License

ServerEnd User

Implementing a

DRM Workflow

License Server checks

with your Entitlement

Server if user is entitled

to watch content

Your

Entitlement

Server

License

ServerEnd User

Implementing a

DRM Workflow

Entitlement Server says

yes Your

Entitlement

Server

License

ServerEnd User

Implementing a

DRM Workflow

Key is given to End User,

playback is permitted Your

Entitlement

Server

License

ServerEnd User

Demonstration

Sample DRM server

response for encoding

files

<EZDRM xmlns="">

<WideVine diffgr:id="WideVine1" msdata:rowOrder="0" diffgr:hasChanges="inserted">

<ContentID>iSWudw/m/0SlDgg7UxkWuA==</ContentID>

<Key>Qab1RE+g2t5cVrsz1I42qw==</Key>

<KeyHEX>41a6f5444fa0dade5c56bb33d48e36ab</KeyHEX>

<KeyID>9Akq2ajvVbOMXEYV63iIpA==</KeyID>

<KeyIDGUID>f4092ad9-a8ef-55b3-8c5c-4615eb7888a4</KeyIDGUID>

<KeyIDHEX>f4092ad9a8ef55b38c5c4615eb7888a4</KeyIDHEX>

<PSSH>

EhD0CSrZqO9Vs4xcRhXreIikGghtb3ZpZG9uZSIQiSWudw/m/0SlDgg7UxkWuEjj3JWbBg==

</PSSH>

<ServerURL>https://widevine-dash.ezdrm.com/proxy?pX=CF1AEB</ServerURL>

<ServerGet>

request = {"policy": "","tracks": [{"type": "SD"}],"content_id": "iSWudw/m/0SlDgg7UxkWuA=="}

</ServerGet>

<ResponseRaw>

{"status": "OK","drm": [{"type": "WIDEVINE","system_id":

"edef8ba979d64acea3c827dcd51d21ed"}],"tracks": [{"type": "SD","key_id":

"9Akq2ajvVbOMXEYV63iIpA==","key": "Qab1RE+g2t5cVrsz1I42qw==","pssh": [{"drm_type":

"WIDEVINE","data":

"EhD0CSrZqO9Vs4xcRhXreIikGghtb3ZpZG9uZSIQiSWudw/m/0SlDgg7UxkWuEjj3JWbBg=="}]}]}

</ResponseRaw>

</WideVine>

<PlayReady diffgr:id="PlayReady1" msdata:rowOrder="0" diffgr:hasChanges="inserted">

<Key>Qab1RE+g2t5cVrsz1I42qw==</Key>

<KeyHEX>41a6f5444fa0dade5c56bb33d48e36ab</KeyHEX>

<KeyIDGUID>f4092ad9-a8ef-55b3-8c5c-4615eb7888a4</KeyIDGUID>

<LAURL>

https://playready.ezdrm.com/cency/preauth.aspx?pX=CFD36D

</LAURL>

<Checksum>ajppWh0L7Wk=</Checksum>

</PlayReady>

</EZDRM>

/paulmacdougall/Streamin

g-Media-East-2017-DRM

Demonstration

DASH Manifest for CENC

DRM protected content

/paulmacdougall/Streamin

g-Media-East-2017-DRM

Testing the DRM

Workflow

● VMs are perilous!

● Chrome needs SSL (https)

● Must have full HDCP signal chain

What’s Next? Widevine Modular offering persistent license support

Intel offering TEE locker in new chipsets

CMAF - New implementation set of existing

standards to simplify content delivery, with fMP4 as

video standard.

CBC vs CTR

Previously required one set of file encrypted with

CBC for FairPlay and one CTR for Widevine and

PlayReady.

Current

M2TS

AVC/h.264

HLS DASH

FairPlayPlayReady,

Widevine, etc.

Apple Users Everyone else

AES-128 CBC AES-128 CTR

fMP4

Separate files on

storage/CDN

CMAF

+ CMAD Media Object Model

compatible with DASH

Data Model

+ Segment formats based on

ISOBMFF

- Different manifest formats

(MPD vs m3u8)

- CENC: AES-128 CBC

(HLS) vs AES-128 CTR (all

others) mode

CMAF

AES-128 CBC

fMP4

AVC/h.264

HLS DASH

FairPlayPlayReady,

Widevine, etc.

Apple Users Everyone else

Only manifests (.m3u8 &

.mpd), small text files, are

replicated on storage and

CDN

www.bitmovin.com