AES stands for Advanced Encryption Standard (also called Rijndael) and was established by the U.S. National Institute of Standards and Technology (NIST) in 2001 to encrypt electronic data. It’s a symmetric-key algorithm where the encryption and decryption are performed using the same key. It has three variants based on the key-length: 128, 192, and 256 bits.
The CDM or Content Decryption Module is a piece of software that is used to:
- Create a license request (using the KeyID, device identifier, signing the request, etc.)
- Decrypt and understand the license received from the DRM License Server.
- Perform video decryption, and optionally decoding and rendering. Importantly, the CDM should not leak or expose the decryption key or the decrypted video.
The MPEG developed the CENC (Common Encryption) specification, a standard that specifies that videos can be encrypted using either cenc (AES-128 CTR) or cbcs (AES-128 CBC). CTR stands for Counter, and CBC stands for Cipher Block Chaining. The implication of CENC is that a content provider needs to encrypt their videos only once and any decryption module can decrypt them. However, this is not true in reality owing to the fragmentation in the DRM space that is dominated by Apple, Google, and Microsoft.
DRM or Digital Rights Management is a method for content providers to protect their content by controlling who has the rights to view their content. DRM uses a combination of encryption, rights management via licenses, and a secure delivery and content decryption pathway to deter video piracy.
Encryption & Decryption
Encryption is a cryptographic process that uses a “key” to convert input data (referred to as plaintext) into an alternate form called ciphertext. It is almost impossible to convert the ciphertext back to plaintext without the key. Practically speaking, it is hard to prevent unauthorized decryption, but encryption algorithms make the job unimaginably hard in terms of time, money, and computing resources needed.
Encoding and Decoding
Not to be confused with encryption and decryption, encoding and decoding refer to the compression and decompression of video using video codecs such as H.264/AVC, HEVC, VP9, AV1, etc.
Key and KeyID
The Key or Content Key is the encryption key that was used to encrypt the asset. The KeyID is an association that is made between the Key and the asset. In summary,
- The encryption key is a “private key” and needs to be securely stored in a database accessible to a license server.
- The KeyID is a “public key” and can be given to anyone.
- Anyone with the public key (KeyID) can ask the license server for the private key (decryption key). It is up to the DRM provider to authenticate the person asking and then supply or deny the decryption key.
Key Security Module
The Key Security Module (KSM) is a feature of Apple’s FairPlay and it does a couple of essential things.
- It receives & decrypts the request from the player (called the SPC or Server Playback Context).
- It wraps the content key (returned by the key server) into a Content Key Context (CKC) message and sends it back to the player.
Key Store or Key Management System
Key Management System (KMS) is a database that stores the encryption keys (or content keys) and KeyIDs securely. When the player (client) asks for an encryption key, the License Server in turn asks the KMS for the content key associated with a particular KeyID and the KMS returns it.
In DRM, a License Server holds information required to securely encrypt and decrypt media. It has two main jobs –
- after the packager prepares the media by packaging and encrypting it, information is sent to the license server to help it uniquely identify and associate a license key with the movie.
- during playback, it is the job of the license server to authenticate the request from the player for the license and encryption keys, fetch the decryption key from the key store (database), and respond to the player (or client) with the license and the decryption keys.
Metering and Metering Server
- PlayReady Metering is a feature of PlayReady that counts the number of times a piece of content was played. The count can be generated and stored at the client.
- A PlayReady Metering Server aggregates the counts from all the PlayReady clients and lets the clients know that they can reset their individual counts.
Offline Playback and Local License Storage
This refers to a situation where, typically, the customer rents a movie and can watch it for a certain period of time. In order to cater to this business model, the license returned by the License Server will specify a time-period for which the movie can be seen. Such a business model also requires that the license and decryption keys be stored securely on the client until they expire based on the license.
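The license flow described under Key and KeyID, Key Management System, License Server, and Offline Playback can be modelled in a few lines. This is an added example, not code from any DRM vendor; the names `KMS`, `ENTITLEMENTS`, `issue_license`, and `key_for_playback` and all sample values are hypothetical, and the client-side check stands in for what a real CDM would enforce.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed sample data: KeyID -> content key, as held by the KMS.
KMS = {"kid-0001": secrets.token_bytes(16)}  # AES-128 content key
# Constructed entitlements: (user, KeyID) -> rental period in seconds.
ENTITLEMENTS = {("alice", "kid-0001"): 48 * 3600}


@dataclass(frozen=True)
class License:
    key_id: str
    content_key: bytes
    not_after: float  # epoch seconds after which playback must stop


class LicenseDenied(Exception):
    pass


def issue_license(user, key_id, now=None):
    """License server: authorize the requester, then fetch the key from the KMS."""
    now = time.time() if now is None else now
    period = ENTITLEMENTS.get((user, key_id))
    if period is None:
        # Knowing the KeyID is not enough; the requester must be entitled.
        raise LicenseDenied(f"{user!r} is not entitled to {key_id!r}")
    content_key = KMS.get(key_id)
    if content_key is None:
        raise LicenseDenied(f"no content key registered for {key_id!r}")
    return License(key_id, content_key, now + period)


def key_for_playback(lic, key_id, now=None):
    """Client side: release the stored key only for the right asset, before expiry."""
    now = time.time() if now is None else now
    if lic.key_id != key_id:
        raise LicenseDenied("license does not cover this KeyID")
    if now >= lic.not_after:
        raise LicenseDenied("license expired")
    return lic.content_key
```

The security decision sits in the entitlement check and the expiry check, not in keeping the KeyID secret.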
Packaging refers to chunking or breaking up a movie into small pieces and describing the location and playback order of these chunks in a text file called a manifest or playlist. To play back the content, the video player needs to use this playlist in order to download the correct segments at the correct time. Packaging is important for ABR video streaming.
In this feature of Apple FairPlay, only samples of your audio packets and video frames are encrypted using AES-128 with Cipher Block Chaining (CBC). You do not have to encrypt the entire video segment and this results in power-savings both for the encryption and decryption process (especially as the video resolution increases).
Trusted Execution Environment
Trusted Execution Environment (TEE) is defined in Wikipedia as
a secure area of a main processor that guarantees code and data loaded inside to be protected with respect to confidentiality and integrity
The Trusted Execution Environment is important to DRM because it provides hardware decryption capabilities, enhances security, and plays a critical role in ensuring that the decryption keys and the decrypted videos are not leaked or stolen.