Stefan Lederer, CEO
Paul MacDougall, Solution Architect
How to Provide Protected Content to
Desktop, Mobile, TVs & Streaming Boxes
W5 - DRM Workflows
Agenda
● Who are we?
● Video Problems on the Web
● Content Protection Technologies
● DRM and its variants
● Example implementation
● What’s next?
Global Locations
● US - San Francisco, Chicago,
New York, Seattle
● Europe - Austria, Netherlands
● APAC - Hong Kong
● LATAM - Sao Paulo
Who’s behind us
Privately funded by worldwide leading
venture capital firms:
Business Angel Investors
● Chris Kaiser – former VP
Engineering Netflix
● Edward Kozel – former CTO
Cisco
● David Helgason – founder of
Unity
● Brendan Iribe – founder and
CEO of Oculus
● Dries Buytaert – founder of
Drupal and CTO of Acquia
Track record
Founded in 2013 after co-creating
MPEG-DASH standard
Technology leading Video
Infrastructure for the Web:
Encoding, HTML5 Player, Analytics,
Cloud Storage and Delivery
Integrations
Global customer base: 250
companies, 6 continents
About Bitmovin
Founders Co-created the
MPEG-DASH standard
● Used by Netflix and YouTube
● 50 % U.S. Peak Internet Traffic
● 10 US PTC Patents
● 20+ Papers in Multimedia
● Author of the MPEG DASH
Reference Software
Bitmovers All Around The World
Online Video
Problems
Solution
Full-Stack Video
Infrastructure API
Bitmovin Encoding
● Up to 100x Real-Time
● Massive compute options –
Google, AWS, Kubernetes, etc.
● Massive Parallelization
● 100% customizable
● Unlimited bit rates
● For H.264/AVC, H.265/HEVC
and VP9
● Get to market fast with new video
● Fully Customizable API
● Fully Customizable Profiles
● Many API Clients and Examples
● DRM Support for
DASH/HLS/MP4
● Offline DRM Support
Managed On-Premise
Encoding
HTML5 Player
● Fully configurable startup & seeking behaviour
○ i.e. minimum quality, limit resolution to player
resolution, etc.
● Flexibility to create own adaptation algorithm using
the API
Fastest Video Startup
● Fastest loading player on the
market
● < 300ms until first frame
● 9 patents on adaptive bitrate
adaptation
Premium Video =
$$$*
*If you can:
Sell it or Rent it
Distribute it
Protect it from
unauthorized access
Common Ways to
Lockdown Video
Assets:
Tokenization
Encryption
DRM
Encryption
Encrypts the
transmission of the video
stream
Why use it?
● Easy to implement
● Good enough for most use cases
● SAMPLE-AES and AES-128
But...
● Software-level key handling lacks control
over output instances and devices
● For online viewing only
DRM - Digital Rights
Management
Encrypts content and
dictates usage rights for
video playback at SW &
HW levels
Why use it?
● Highest level of protection
● Selectable output control
● Offline viewing possible
But...
● $$$ to implement - licensing and development
● Customer experience negatively impacted
● More places things can break
● Typically, each device supports just one DRM
Use for
● High value content
● When required by content agreement
Many Providers
How Does DRM
Work?
The video content is
encrypted with a content key
System generates license
files to accompany the
content
System allows playback for
an authenticated user and
device
DRM Technologies
by Provider
Widevine Modular &
Classic
PlayReady
Fairplay
PrimeTime
Widevine Modular
DRM Overview
Widevine Modular (successor to Classic)
● Google’s DRM - Extensive support for Google ecosystem
● Supports DASH with CENC
● Supports Hardware Security (TEE)
● Can limit content quality server-side
● Rights expression/policy enforcement
Widevine Classic
● Google legacy technology
● Only supports .WVM (Google proprietary packaging)
● EOLed - provided as-is with no improvements
● Rarely used in US
PlayReady DRM
Overview
Microsoft PlayReady
● Microsoft DRM - broad platform support,
including many smart TVs
● Most robust rights management
● Pre-cache licenses (fine grain sunrise and
sunset of keys)
FairPlay DRM
Overview
Apple Fairplay
● No rights expression or policy enforcement
● Needs Key Security Module on Key Server
● Needs code to relay key requests
Adobe PrimeTime
DRM Overview
Adobe Primetime (successor to Access)
● Fine-grained policy management system
(whitelist apps, devices, domains)
● Support for key and license rotation
Premium Video &
Adoption of HTML5
Enables playing premium
video content directly in
the browser. No Plug-ins!
● MPEG-DASH - industry standard for adaptive
streaming
● W3C Media Source Extensions (MSEs) -
“extends HTMLMediaElement to allow
JavaScript to generate media streams for
playback.”
● W3C Encrypted Media Extensions (EMEs) -
“extends HTMLMediaElement providing APIs
to control playback of protected content.”
Proprietary
Ecosystems Will
Disappear
Open Ecosystems
are Winning:
HTML5 MSE/EME,
DASH, etc.
Is it that easy to
build a video player?
DRM Support in
HTML5 Browsers
Source: http://www.ezdrm.com/html/compare-drm.asp
DRM Support in
Mobile Devices
Source: http://www.ezdrm.com/html/compare-drm.asp
DRM Support in
OTT Devices
Source: http://www.ezdrm.com/html/compare-drm.asp
DRM Support in
Connected TVs &
Game Consoles
Source: http://www.ezdrm.com/html/compare-drm.asp
Multi-DRM
Maximum device reach
● Traditional (before DASH) Multi-DRM setups
need to encrypt and package the content for
each DRM separately
● DASH CENC/EME - allows key association
from different DRMs with the same video
● Except for Apple (FairPlay with HLS on
devices & in Safari)
● Multi-DRM Providers: EZ DRM, ExpressPlay,
Intertrust, Irdeto, Axinom, BuyDRM,
Verimatrix, and others
Hollywood &
UltraViolet
Implement a DRM
accepted by the studios
● Industry wide entitlement locker
● Digital Entertainment Content Ecosystem
(DECE) - consortium of 85 studios, consumer
electronics manufacturers, retailers, etc.
● UltraViolet - a set of standards for the digital
distribution of premium Hollywood content
● Approved DRMs: Widevine, PlayReady,
PrimeTime, Marlin, OMA, DivXDRM
● But not Apple Fairplay
Implementing a
DRM Workflow
DRM Keyflow
● Identity Management
● Entitlement Management
○ What content can you watch
○ Download
○ Rent time
○ Quality (SD/HD)
● Key exchange
Implementing a
DRM Workflow
● End user requests playback of content
● License Server checks with your Entitlement Server if user is entitled to watch content
● Entitlement Server says yes
● Key is given to End User, playback is permitted
Diagram actors: End User, License Server, Your Entitlement Server
Demonstration
Sample DRM server
response for encoding
files
<EZDRM xmlns="">
<WideVine diffgr:id="WideVine1" msdata:rowOrder="0" diffgr:hasChanges="inserted">
<ContentID>iSWudw/m/0SlDgg7UxkWuA==</ContentID>
<Key>Qab1RE+g2t5cVrsz1I42qw==</Key>
<KeyHEX>41a6f5444fa0dade5c56bb33d48e36ab</KeyHEX>
<KeyID>9Akq2ajvVbOMXEYV63iIpA==</KeyID>
<KeyIDGUID>f4092ad9-a8ef-55b3-8c5c-4615eb7888a4</KeyIDGUID>
<KeyIDHEX>f4092ad9a8ef55b38c5c4615eb7888a4</KeyIDHEX>
<PSSH>
EhD0CSrZqO9Vs4xcRhXreIikGghtb3ZpZG9uZSIQiSWudw/m/0SlDgg7UxkWuEjj3JWbBg==
</PSSH>
<ServerURL>https://widevine-dash.ezdrm.com/proxy?pX=CF1AEB</ServerURL>
<ServerGet>
request = {"policy": "","tracks": [{"type": "SD"}],"content_id": "iSWudw/m/0SlDgg7UxkWuA=="}
</ServerGet>
<ResponseRaw>
{"status": "OK","drm": [{"type": "WIDEVINE","system_id":
"edef8ba979d64acea3c827dcd51d21ed"}],"tracks": [{"type": "SD","key_id":
"9Akq2ajvVbOMXEYV63iIpA==","key": "Qab1RE+g2t5cVrsz1I42qw==","pssh": [{"drm_type":
"WIDEVINE","data":
"EhD0CSrZqO9Vs4xcRhXreIikGghtb3ZpZG9uZSIQiSWudw/m/0SlDgg7UxkWuEjj3JWbBg=="}]}]}
</ResponseRaw>
</WideVine>
<PlayReady diffgr:id="PlayReady1" msdata:rowOrder="0" diffgr:hasChanges="inserted">
<Key>Qab1RE+g2t5cVrsz1I42qw==</Key>
<KeyHEX>41a6f5444fa0dade5c56bb33d48e36ab</KeyHEX>
<KeyIDGUID>f4092ad9-a8ef-55b3-8c5c-4615eb7888a4</KeyIDGUID>
<LAURL>
https://playready.ezdrm.com/cency/preauth.aspx?pX=CFD36D
</LAURL>
<Checksum>ajppWh0L7Wk=</Checksum>
</PlayReady>
</EZDRM>
/paulmacdougall/Streaming-Media-East-2017-DRM
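A consistency check on the sample response above, added here as an example and not taken from the talk or from any vendor's code. The function names are hypothetical, and reading field 2 of the base64 PSSH payload as the key ID is an assumption about the Widevine payload layout; the check confirms that every encoding of the key and key ID agrees before the values reach a packager.

```python
import base64
import xml.etree.ElementTree as ET

# Copied from the response above; undeclared diffgr:/msdata: attributes omitted.
SAMPLE = """<EZDRM><WideVine>
<Key>Qab1RE+g2t5cVrsz1I42qw==</Key>
<KeyHEX>41a6f5444fa0dade5c56bb33d48e36ab</KeyHEX>
<KeyID>9Akq2ajvVbOMXEYV63iIpA==</KeyID>
<KeyIDGUID>f4092ad9-a8ef-55b3-8c5c-4615eb7888a4</KeyIDGUID>
<KeyIDHEX>f4092ad9a8ef55b38c5c4615eb7888a4</KeyIDHEX>
<PSSH>EhD0CSrZqO9Vs4xcRhXreIikGghtb3ZpZG9uZSIQiSWudw/m/0SlDgg7UxkWuEjj3JWbBg==</PSSH>
</WideVine></EZDRM>"""

def read_varint(buf, i):  # one protobuf varint at offset i; IndexError if truncated
    val = shift = 0
    while True:
        byte, i = buf[i], i + 1
        val |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return val, i

def parse_fields(buf):  # returns {field_number: [values]}
    out, i = {}, 0
    while i < len(buf):
        tag, i = read_varint(buf, i)
        if tag & 7 == 0:        # wire type 0: varint
            val, i = read_varint(buf, i)
        elif tag & 7 == 2:      # wire type 2: length-delimited bytes
            n, i = read_varint(buf, i)
            val, i = buf[i:i + n], i + n
        else:
            raise ValueError("unexpected wire type")
        if i > len(buf):
            raise ValueError("truncated field")
        out.setdefault(tag >> 3, []).append(val)
    return out

def check_response(xml_text):
    """Return names of failed consistency checks (empty list = consistent)."""
    f = {el.tag: el.text.strip() for el in ET.fromstring(xml_text).find("WideVine")}
    key, kid = base64.b64decode(f["Key"]), base64.b64decode(f["KeyID"])
    checks = {
        "Key == KeyHEX": len(key) == 16 and key.hex() == f["KeyHEX"],
        "KeyID == KeyIDHEX == KeyIDGUID": kid.hex() == f["KeyIDHEX"] == f["KeyIDGUID"].replace("-", ""),
        "PSSH key_id == KeyID": parse_fields(base64.b64decode(f["PSSH"])).get(2) == [kid],  # assumption: field 2 = key ID
    }
    return [name for name, ok in checks.items() if not ok]
```

The response carries the content key itself, so it should be handled as a secret and kept out of logs and version control.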
Demonstration
DASH Manifest for CENC
DRM protected content
/paulmacdougall/Streaming-Media-East-2017-DRM
Testing the DRM
Workflow
● VMs are perilous!
● Chrome needs SSL (https)
● Must have full HDCP signal chain
What’s Next?
● Widevine Modular offering persistent license support
● Intel offering TEE locker in new chipsets
● CMAF - New implementation set of existing standards to simplify content delivery, with fMP4 as video standard.
CBC vs CTR
Previously required one set of files encrypted with
CBC for FairPlay and one with CTR for Widevine and
PlayReady.
Current
AVC/h.264
● HLS: M2TS, AES-128 CBC, FairPlay (Apple Users)
● DASH: fMP4, AES-128 CTR, PlayReady, Widevine, etc. (Everyone else)
Separate files on storage/CDN
CMAF
+ CMAF Media Object Model compatible with DASH Data Model
+ Segment formats based on ISOBMFF
- Different manifest formats (MPD vs m3u8)
- CENC: AES-128 CBC (HLS) vs AES-128 CTR (all others) mode
CMAF
AVC/h.264, fMP4, AES-128 CBC
● HLS: FairPlay (Apple Users)
● DASH: PlayReady, Widevine, etc. (Everyone else)
Only manifests (.m3u8 & .mpd), small text files, are replicated on storage and CDN
www.bitmovin.com