How to Protect Content with DRM Video Streaming
As more and more streaming video platforms offer premium content over the internet, DRM video has become a business necessity. Furthermore, as data security becomes an increasing priority, many enterprises are seeking solutions to control access to sensitive materials.
If you’re creating, delivering, and distributing content online, you need to ensure you have the necessary protection in place.
What is DRM?
Digital Rights Management (DRM) is a process that secures digital content such as video to prevent unauthorized use and piracy of copyrighted material. Accessing the content requires authentication of both the user and the period of time requested.
How Does DRM Work?
DRM-protected videos are encrypted and packaged using multiple DRM schemes for compatibility with various devices.
When a user attempts to play the content, the video player requests a decryption key from a license server, which verifies the user and device’s authorization. Once verified, the server issues a license response with a decryption key, allowing the player to decrypt and play the content.
Various platforms usually have a DRM mechanism embedded in the hardware or the operating system, but DRM software can also be created by a third-party vendor.
Here’s a rough idea of how DRM works:
- Digital assets are encrypted (part of the “packaging” process) and can only be unlocked by a secret encryption key.
- The encryption key is bundled with a digital license containing rules about content usage.
- When a user requests to view the content (e.g., clicks on a show to watch), the DRM client checks the license.
- If satisfied, the user receives a token of validation.
- The validation token tells the receiving device it’s allowed to decrypt the content.
Packaging Content
To prevent copying or unauthorized playback, DRM requires content to be encrypted and packaged in a compatible format, generally MPEG-DASH or HLS. This can be done as part of the transcoding process, or assets can be encrypted and packaged after the fact.
Some platforms and CDNs, like Brightcove, also support just-in-time encryption and packaging of assets as they are requested by players. This way, the content can be protected as needed without re-transcoding.
Widevine and PlayReady both support Common Encryption (CENC) and MPEG-DASH, which means you can encrypt and package your content once and decrypt those assets with either system. FairPlay uses SAMPLE-AES encryption and HLS packaging, so you’ll need to encrypt and package your content twice if you need to support all three systems.
Brightcove Zencoder allows you to transcode and transmux content to both MPEG-DASH with CENC encryption and HLS with SAMPLE-AES encryption, all in one operation.
For each DRM video, you’ll need to generate an encryption key, an asset ID, and a key ID. Both CENC and FairPlay use an AES 128-bit key to encrypt content. For FairPlay, you’ll also generate and provide an Initialization Vector (IV). You can generate these keys and IDs yourself or use the tools provided by your license server to generate them automatically.
You’ll ingest the keys and IDs into your license server so they can be sent to the player, which will use them to decrypt the content. It’s important to also store this key securely within your platform as a backup. You’ll need access to these keys if you move to a different license server in the future.
Playing Protected Content
Brightcove supports the following technologies to deliver DRM-protected content to the widest possible variety of browsers and devices.
- MPEG-DASH with Native/EME-supported CENC DRMs
- HLS with FairPlay, Widevine, and PlayReady
Additionally, content creators and owners may want to protect their content with DRM and force HDCP for specific hardware setups. For devices that don't support HDCP, Brightcove can provide a fallback experience, allowing playback with lower quality SD renditions.
Why Do I Need DRM Video Protection?
Though some streaming protocols offer encryption (HLSe), this alone isn’t enough to protect video content. Circumventing DRM, however, is much more difficult because DRM not only encrypts the content but also uses a secret encryption key.
To be clear, DRM protection isn’t essential for all business models. But there are clear reasons why many businesses use it for their digital media.
- Revenue. Video piracy remains a constant threat for subscription-based services and those who rely on pay-per-view transactions from live events. It can also deter brands that might otherwise benefit from these monetization options from diversifying into those business models.
- Compliance. Particularly with OTT video assets, content licenses may require DRM streaming capabilities. Without it, businesses could be limiting their content catalogs, or worse, violating copyright laws.
- Control. Many media companies limit the number of devices that can access content to inhibit account sharing. Others also restrict access to select items in their catalogs as “exclusive content” to create more perceived value.
How to Implement DRM
Introducing DRM video requires changes to at least three components of your streaming workflow.
- Content. Your assets must be transcoded, encrypted, and packaged in formats compatible with the DRM technologies you need to support.
- Player. Your video player must be able to request a key from a license server and decrypt the video. This may require different players on different platforms.
- License server. Your video player will request decryption keys from a license server every time a piece of content is requested. The license server authenticates and responds to these requests.
Though there are many systems available to protect video content, the top three support most of the popular web browsers, devices, and set-top boxes.
- Google’s Widevine. Widevine-protected content can be played in Chrome and Firefox web browsers, as well as on Android and Chromecast devices.
- Apple’s FairPlay. FairPlay-protected content can be played in Safari on macOS, as well as iPhones, iPads, and AppleTVs.
- Microsoft's PlayReady. PlayReady-protected content can be played in IE11 and Edge browsers, Windows Phone, Xbox, and other platforms via SDKs.
The following compatibility chart shows a sample of popular platforms and their compatibility with these DRM systems.
Platform | Widevine Modular | FairPlay | PlayReady |
---|---|---|---|
Chrome | ☑️ | | |
Firefox | ☑️ | | |
Internet Explorer 11 | | | ☑️ |
Microsoft Edge (Windows) | | | ☑️ |
Microsoft Edge (Windows, MacOS, Android) | ☑️ | | |
Safari | | ☑️ | |
Android | ☑️ | | |
iOS | | ☑️ | |
Chromecast / AndroidTV | ☑️ | | ☑️ |
Roku | ☑️ | | ☑️ |
AppleTV | | ☑️ | |
Fire TV | ☑️ | | ☑️ |
PlayStation | | | ☑️ |
Xbox One | | | ☑️ |
Samsung Smart TV (2015 and older) | | | ☑️ |
Samsung Smart TV (2016+) | ☑️ | | ☑️ |
If you are using a full-featured online video platform (OVP) like Brightcove, enabling DRM may be as simple as upgrading your account and configuration.
Challenges with Video DRM
Before researching platform options and DRM integrations, be sure to understand and assess some of the potential drawbacks that come from enabling this technology.
- Viewer Experience. Increasing security unsurprisingly adds more points of failure in the chain of playback. For example, license requests could take longer than usual or time out, potentially causing latency or even video abandonment.
- Compatibility. There isn’t one schema that works across every device, platform, or browser, so DRM videos have to be transcoded with multiple schemas. Though the top systems cover a wide margin of the digital landscape, some lower-resolution devices may still not be able to play the content.
Other Security Layers to Protect Content
Security is about layers, and Brightcove provides different solutions to protect your content as much as possible.
- Encryption. Brightcove offers full DRM or AES-128 (HLSe) protection.
- License Key Protection. With LKP, decryption keys are protected from unauthorized access. This could be for DRM or AES-128 protected content.
- Limiting the content quality per platform. With Dynamic Delivery Rules, it is possible to define what renditions to deliver by device type, and limit quality for devices that can’t meet the output protection requirements.
- Fallback HDCP. Each rendition has its own decryption key with its own security configuration, letting players select the renditions that the client is able to play and ignore those that it cannot. For example, a user on a device unable to support Widevine Level 1 will see playback at SD quality, with the HDCP-protected HD renditions unplayed.
- Forensic watermarking. This feature embeds an invisible watermark into the video, helping content owners quickly identify the source of content leaks. In fact, because of Brightcove’s forensic watermarking, “The Academy Awards can continue to deliver content to our members, while strengthening security measures to maintain confidentiality, and protect artists and intellectual property” (Bev Kite, Chief Information Officer, Academy of Motion Picture Arts and Sciences).
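The license decision described under "How Does DRM Work?" and the per-rendition keys of the Fallback HDCP item can be modelled in a few lines; this is an added example, not Brightcove's code. The server checks the user and the time window, then releases only the keys whose protection requirement the device meets, so a weaker device ends up with the SD rendition. The class names, protection-level labels and sample data are assumptions made for the illustration.

```python
import secrets
import time
import uuid
from dataclasses import dataclass

# Assumed ranking of client protection levels (illustrative labels, not a vendor API).
SW, HW, HW_HDCP = 0, 1, 2

@dataclass(frozen=True)
class Rendition:
    name: str
    key_id: str      # identifier the player sends in its license request
    key: bytes       # 128-bit AES content key, released only inside a license
    min_level: int   # lowest client protection level allowed to receive the key

def new_rendition(name, min_level):
    """Generate a fresh key ID and 128-bit key for one rendition."""
    return Rendition(name, str(uuid.uuid4()), secrets.token_bytes(16), min_level)

class LicenseServer:
    def __init__(self, renditions, entitlements):
        self.renditions = {r.key_id: r for r in renditions}
        self.entitlements = entitlements  # user -> (not_before, not_after), epoch seconds

    def issue(self, user, device_level, key_ids, now=None):
        """Return a license dict, or None if the user or time window check fails."""
        now = time.time() if now is None else now
        window = self.entitlements.get(user)
        if window is None or not (window[0] <= now <= window[1]):
            return None
        keys = {}
        for kid in key_ids:
            r = self.renditions.get(kid)
            # Unknown key IDs and renditions above the device's level are withheld.
            if r is not None and device_level >= r.min_level:
                keys[kid] = r.key
        return {"keys": keys, "expires": window[1]} if keys else None

def playable(renditions, lic):
    """Player side: keep only renditions whose key came back in the license."""
    return [r.name for r in renditions if lic and r.key_id in lic["keys"]]

# Constructed sample catalogue and entitlement window (not real data).
SD = new_rendition("sd-480p", SW)
HD = new_rendition("hd-1080p", HW_HDCP)
SERVER = LicenseServer([SD, HD], {"alice": (1_000, 2_000)})
```

Calling `SERVER.issue("alice", SW, [SD.key_id, HD.key_id], now=1_500)` returns a license holding only the SD key, so `playable` lists just `sd-480p`; the same request outside the entitlement window returns no license at all.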
Brightcove’s commitment to video security means our customers can be assured that we’re taking every precaution to support their growth and success.
This blog was written in 2018 by JD Russell and has been updated for accuracy and comprehensiveness.