Google Widevine DRM – How Does It Work?

In this edition of the Hitchhiker’s Guide to DRM, we take an in-depth look at Google’s Widevine DRM solution. Widevine is a popular DRM solution with extensive support over the web and mobile ecosystems.

Widevine DRM

Widevine DRM is a DRM solution owned by Google (which acquired Widevine in 2010).

As we’ve learned in previous articles on DRM, most commercial DRM solutions deal strictly with rights management and content encryption/decryption. They do not deal with user authentication, and Google’s Widevine is no different.

Widevine is a popular DRM solution and has support for the Android operating system, several SmartTVs, browsers, etc. It also supports MPEG-DASH, HLS, MSS streaming along with CENC and CMAF.

In this article, let’s understand the building blocks of Widevine and how it works. Shall we?

History & Versions of Widevine

Let’s look at the history of Widevine and its support. There are two versions of Widevine – Classic & Modular.

Widevine Classic

Widevine Classic was supported only on legacy devices and required the media to be packaged into a proprietary .WVM format. It had support in old Android versions (3.1 ~ 5.1), legacy SmartTVs, Google TV, etc. and is not used anymore.

Widevine Modular

Widevine Modular is the current version of Widevine and has support for MPEG-DASH, HLS, MSS streaming protocols. It also has support for CMAF, CENC, and HTML5 standards such as EME & MSE.

Building Blocks of Widevine DRM

The main building blocks of Widevine are –

  1. CENC, CDM, EME, MSE – we looked at these in the DRM building blocks article and won’t be repeating the explanation here.
  2. Widevine License Server
    Widevine provides a License Server that holds information needed for encrypting and decrypting media securely. It has two main jobs –
    • after the packager prepares the media by packaging and encrypting it, information is sent to the license server that helps it uniquely identify and associate a license key with the movie.
    • during playback, it is the job of the license server to authenticate the request from the player for the license and encryption keys, fetch the decryption key from the key store (database), and respond to the player (or client) with the license and the decryption keys. All communication between the packager, the License Server, and the player is encrypted and sent over HTTPS.
  3. Shaka Packager
    Widevine provides a complete open-source MPEG-DASH packaging software called the Shaka Packager that
    • converts all your video files to the fMP4 format (we are talking about ABR here).
    • splits each file into equal-sized segments
    • encrypts each file with CENC using license information obtained from the Widevine License Server.
    • creates an mpd file or a Manifest file with all the information describing the DASH-packaged media. You can also insert CENC pssh (Protection System Specific Header) to identify the DRM system used.

Here is an example of what the mpd looks like when you use Widevine DRM.

<ContentProtection schemeIdUri="urn:mpeg:dash:mp4protection:2011" value="cenc" cenc:default_KID="eb676abb-cb34-5e96-bbcf-616630f1a3da" xmlns:cenc="urn:mpeg:cenc:2013"/>
<ContentProtection schemeIdUri="urn:uuid:edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
    <cenc:pssh xmlns:cenc="urn:mpeg:cenc:2013">AAAAW3Bzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAADsIARIQ62dqu8s0Xpa7z2FmMPGj2hoNd2lkZXZpbmVfdGVzdCIQZmtqM2xqYVNkZmFsa3IzaioCSEQyAA==</cenc:pssh>
</ContentProtection>

Here it’s clear that CENC (Common Encryption) is being used. You can also see the pssh value and the KeyID (KID). These unique pieces of information are essential for the player to request the license server for the correct movie’s license.

  4. OEMCrypto Module
    The OEMCrypto Module decrypts the content using information from the Player (and the License Server). The OEMCrypto Module is in the Trusted Layer tied to the device hardware. It uses the encrypted license information to decrypt the media, which is then sent to the video stack.

How does Widevine DRM Work?

In this section, let us understand how Widevine works.

Step 1: The first step begins when the user presses “Play.” The application downloads the mpd from the CDN. After parsing the mpd, it is easy to determine that the video is encrypted using Widevine. The Browser extracts the initialization data (InitData) from the content and sends it to the player as an event.

Note: we assume that the user has been authenticated at this point. Widevine does not do this, and the application has to handle it by itself.

Step 2: The player cannot decrypt the content and needs the help of specialized software for decryption. So it sends the InitData to the Content Decryption Module (remember this? We talked about it in detail in the building blocks of DRM article).

Step 3: The CDM (Content Decryption Module) receives the InitData from the player and creates a “license request” and sends this back to the player.

Step 4: After the player receives the license request, it sends it to the Widevine License Server via a proxy. The license request is also encrypted so that nobody can access and crack it in transit.

Step 5: The License Server receives the request sent by the player. It then

  • Decrypts the request, extracts the InitData and uses it to find the license from its database.
  • After finding the license, it encrypts it and sends it back to the player.
  • The encrypted message contains the key to decrypt the content and also information about the license (expiry time, etc.)

Step 6: The player receives the license from the License Server and passes it to the CDM (via the EME). Since the message is encrypted, the player and any other software cannot read it and misuse it.

Step 7: Because the CDM is not in the Trusted Layer of the device, it must pass the information to the OEMCrypto Module, which does reside in the Trusted layer of the device. The actual decryption takes place in the OEMCrypto Module. In some implementations, the decoding takes place there also. The Browser does the actual parsing of the container.

Step 8: Once the content is demultiplexed, decrypted, and decoded, it is sent to the screen in small chunks and is not stored anywhere on the device.

Here is a flow diagram from Widevine that demonstrates what we’ve just learned.

[Figure: Google Widevine DRM flow diagram]

The Hitchhiker’s Guide to DRM is sponsored by BuyDRM™, a leading provider of Digital Rights Management and Content Security Services for the entertainment, enterprise, and transportation industries.

Widevine Security Levels – L1, L2, L3

The interesting part about Widevine is that they have three levels of security – L1, L2, and L3.

But before we move on to the security levels, let’s learn about the Trusted Execution Environment (TEE). This is defined in Wikipedia as

“a secure area of a main processor that guarantees code and data loaded inside to be protected with respect to confidentiality and integrity”

The Trusted Execution Environment is critical to DRM because it enhances security greatly and plays a critical role in ensuring that the decryption keys and the decrypted videos are not leaked or stolen.

With that understanding, let’s see the differences between Widevine L1, L2, and L3.

L1 or Security Level 1

  • L1 is the highest level of security in Widevine and provides hardware-level decryption (safer than software)
  • Content decryption, media decoding, and rendering are all done within the TEE.
  • If you want to stream HD content from content providers, your device will need to be certified to meet L1 specifications.

L2 or Security Level 2

  • In L2, only the media decryption is performed within the TEE.
  • The decrypted video is sent to the application for decoding and rendering.

L3 or Security Level 3

  • L3 is the least secure and is used in low-end hardware without a TEE.
  • The decryption is performed in a software-CDM (like the ones inside the browser).
  • Content providers block encrypted HD video playback in devices with L3 security.

Business Rules

Below is a snippet of the payload that signifies the business rules and license rules that can be inserted in Widevine. It is quite explicit in explaining the rental, playback, renewal, and license durations for a certain asset. A content provider can use this to create complex rules to suit their business models.

{
   "payload":"<license challenge>",
   "content_id":"<content id>",
   "provider":"<provider>",
   "allowed_track_types":"<types>",
   "content_key_specs":[
      {
         "track_type":"<track type 1>"
      },
      {
         "track_type":"<track type 2>"
      },
      "..."
   ],
   "policy_overrides":{
      "can_play":"<can play>",
      "can_persist":"<can persist>",
      "can_renew":"<can renew>",
      "rental_duration_seconds":"<rental duration>",
      "playback_duration_seconds":"<playback duration>",
      "license_duration_seconds":"<license duration>",
      "renewal_recovery_duration_seconds":"<renewal recovery duration>",
      "renewal_server_url":"<renewal server url>",
      "renewal_delay_seconds":"<renewal delay>",
      "renewal_retry_interval_seconds":"<renewal retry interval>",
      "renew_with_usage":"<renew with usage>"
   }
}

Where is Widevine Supported?

Widevine Modular (or simply, Widevine) is supported on several platforms such as –

  • Android (4.4+)
  • Android TVs
  • Amazon Fire TV
  • Chromecast
  • Smart TVs
  • Browsers such as Chrome, Firefox, Edge.

If a hardware vendor wants to support Widevine, they can get in touch with Google to sign a contract and get the required support (such as the Content Decryption Module, test vectors, etc.)

Conclusion

I hope by now, you have a good understanding of how Google’s Widevine DRM works. There is a lot of information online (code samples, players, and SDKs) to help you go deeper into Widevine.

So, until next time, take care and see you soon!


About The Author

I’m Dr. Krishna Rao Vijayanagar, and I am the Founder and Editor of OTTVerse.com. I've spent several years working hands-on with Video Codecs (AVC, HEVC, MultiView Plus Depth), ABR streaming, and Video Analytics (QoE, Content & Audience, and Ad). I hope to use my experience and love for video streaming to bring you information and insights into the OTT universe. Please use the Contact Page to get in touch with me.
